DET0780 Detection of Rootkit

ID: DET0780
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T0851 (Rootkit)

Analytics

ICS

AN1912

Monitor firmware for unexpected modifications to settings and/or data that rootkits may use to hide the presence of programs, files, network connections, services, drivers, and other system components. Consult asset management systems to establish the known-good firmware versions and configurations against which changes are judged.
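A baseline comparison of the kind this analytic describes, as an added example that is not part of the original page or MITRE's own code. The asset ID, version, setting names, image bytes and the `check_firmware` function are all constructed for illustration; a real baseline would come from the asset management system.

```python
import hashlib

# Constructed known-good baseline, shaped like an asset management export.
# Asset ID, version, image bytes and setting names are hypothetical.
GOOD_IMAGE = b"constructed firmware image v2.4.1"
BASELINE = {
    "plc-01": {
        "version": "2.4.1",
        "sha256": hashlib.sha256(GOOD_IMAGE).hexdigest(),
        "settings": {"remote_update": False, "debug_port": False},
    },
}

_MISSING = object()  # distinguishes an absent setting from one set to None


def check_firmware(asset_id, version, image, settings, baseline=BASELINE):
    """Return findings for one observed device; an empty list means it matches."""
    known = baseline.get(asset_id)
    if known is None:
        # No baseline entry: the device cannot be judged known-good.
        return ["unknown_asset"]
    findings = []
    if version != known["version"]:
        findings.append("version_mismatch")
    # Hash the image itself: the version string is only data inside the image,
    # so a modified image can still report the expected version.
    if hashlib.sha256(image).hexdigest() != known["sha256"]:
        findings.append("image_hash_mismatch")
    # Report added, removed and altered settings by name.
    expected = known["settings"]
    changed = sorted(
        key for key in set(settings) | set(expected)
        if settings.get(key, _MISSING) != expected.get(key, _MISSING)
    )
    if changed:
        findings.append("settings_changed:" + ",".join(changed))
    return findings


if __name__ == "__main__":
    # Constructed observation: expected version string, altered image, one setting flipped.
    observed_settings = {"remote_update": False, "debug_port": True}
    print(check_firmware("plc-01", "2.4.1", GOOD_IMAGE + b"\x00", observed_settings))
```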

Log Sources
Data Component: Firmware Modification (DC0004)
Name: Firmware
Channel: None
Mutable Elements
Field Description