DET0802 Detection of Activate Firmware Update Mode

Item	Value
ID	DET0802
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T0800 (Activate Firmware Update Mode)

Analytics

ICS

AN1934

Monitor ICS automation network protocols for information that an asset has been placed into Firmware Update Mode. Monitor device alarms that indicate the devices has been placed into Firmware Update Mode, although not all devices produce such alarms. Monitor asset log which may provide information that an asset has been placed into Firmware Update Mode. Some assets may log firmware updates themselves without logging that the device has been placed into update mode.

Log Sources

Data Component	Name	Channel
Network Traffic Content (DC0085)	Network Traffic	None
Device Alarm (DC0108)	Operational Databases	None
Application Log Content (DC0038)	Application Log	None

Mutable Elements

Field	Description