| Item | Value |
| --- | --- |
| ID | DET0167 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1495 (Firmware Corruption)
Analytics
Windows
AN0474
Firmware flash utility invoked with elevated privileges followed by raw access to firmware device path or changes to boot configuration.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| ParentImage | Common legitimate flash tool chains can be allowlisted |
| CommandLine | Flags indicating silent or forced flash may vary |
Linux
AN0475
Direct write access to /dev/mem or /sys/firmware combined with usage of firmware flashing utilities (e.g., flashrom).
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| ToolName | Custom or renamed firmware tools may require pattern matching |
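As an added illustration of the Linux analytic AN0475 (not part of the ATT&CK detection strategy itself), the following script correlates execution of a firmware flash utility with a subsequent write to /dev/mem or /sys/firmware on the same host, applying the ToolName pattern-matching and ParentImage allowlisting described in the mutable elements above. The log format, tool patterns, allowlisted parent and correlation window are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Tunables mirroring the analytic's mutable elements (assumed values, not from the source).
TOOL_PATTERN = re.compile(r"flashrom|fwupd|flash", re.I)       # ToolName: match renamed tools
RAW_PATH_PATTERN = re.compile(r"^(/dev/mem$|/sys/firmware/)")   # raw firmware access paths
ALLOWLISTED_PARENTS = {"/usr/lib/systemd/systemd"}              # ParentImage: trusted updater chain
CORRELATION_WINDOW = timedelta(minutes=5)                       # exec -> raw write must fall inside

# Constructed sample telemetry (not real logs). Fields: ts|type|host|image|parent|detail
# where detail is the command line for "exec" and "path:mode" for "open".
SAMPLE_LOG = """\
2025-10-21T02:10:00|exec|lx01|/usr/sbin/flashrom|/bin/bash|flashrom -p internal -w bios.rom
2025-10-21T02:10:03|open|lx01|/usr/sbin/flashrom|/bin/bash|/dev/mem:w
2025-10-21T03:00:00|exec|lx02|/usr/bin/fwupdmgr|/usr/lib/systemd/systemd|fwupdmgr update
2025-10-21T03:00:05|open|lx02|/usr/bin/fwupdmgr|/usr/lib/systemd/systemd|/sys/firmware/efi/efivars/Boot0000:w
2025-10-21T04:00:00|exec|lx03|/tmp/.cache/biosflash|/bin/sh|./biosflash -w image.bin
2025-10-21T04:00:10|open|lx03|/tmp/.cache/biosflash|/bin/sh|/dev/mem:w
"""

def parse(line):
    ts, kind, host, image, parent, detail = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "type": kind, "host": host,
            "image": image, "parent": parent, "detail": detail}

def detect(log_text):
    """Return (host, image, ts) for each flash-tool execution that is followed,
    within the correlation window, by a write to a raw firmware path."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    pending = {}  # (host, image) -> exec timestamp awaiting a matching raw write
    alerts = []
    for ev in events:
        key = (ev["host"], ev["image"])
        if ev["type"] == "exec":
            tool = ev["image"].rsplit("/", 1)[-1]
            if TOOL_PATTERN.search(tool) and ev["parent"] not in ALLOWLISTED_PARENTS:
                pending[key] = ev["ts"]
        elif ev["type"] == "open" and key in pending:
            path, _, mode = ev["detail"].rpartition(":")
            if "w" in mode and RAW_PATH_PATTERN.match(path) \
                    and ev["ts"] - pending[key] <= CORRELATION_WINDOW:
                alerts.append((ev["host"], ev["image"], ev["ts"].isoformat()))
                del pending[key]
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT firmware flash + raw device write:", alert)
```

The fwupdmgr run on lx02 is suppressed because its parent is allowlisted, while the renamed tool on lx03 is still caught by the ToolName pattern.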
macOS
AN0476
EFI updates executed via system processes or binaries outside of expected patch windows or using unsigned firmware packages.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| UpdateTimeWindow | Firmware updates usually occur after OS update; out-of-band patterns may indicate compromise |
Network Devices
AN0477
Firmware image uploaded via TFTP/SCP or web interface followed by reboot or unexpected loss of connectivity.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| UploadSizeThreshold | Size of firmware images varies by vendor |
| RebootWindow | Reboots outside of patch maintenance may be suspicious |