AN0474: Analytic 0474
Firmware flash utility invoked with elevated privileges followed by raw access to firmware device path or changes to boot configuration.
Analyst context for executives and security teams
This analytic matters because legitimate firmware flashing and boot-configuration changes are high-trust activities that can affect whether Windows systems start safely and remain under defensive control. For leaders, the key question is not whether every firmware utility is malicious, but whether the organization can distinguish approved maintenance from unexpected elevated firmware or boot-path activity.
Executive priority
Treat this as a resilience and control-governance signal. Firmware and boot configuration changes should be rare, authorized, and auditable. Executives should ask whether endpoint teams have a documented approval path for firmware updates, whether SOC/IR teams can see privileged use of firmware utilities on Windows, and whether exceptions are tied to asset ownership and maintenance windows.
Technical view
Validate visibility for Windows events where a firmware flash utility runs with elevated privileges and is followed by raw access to a firmware device path or boot configuration changes. Because the supplied ATT&CK object provides no tactic mapping, detection logic, or relationships, teams should use this as a validation pattern rather than a complete rule. Focus on correlation: elevated process execution, firmware-related utility execution, raw device or firmware-path access where available, and boot configuration modification activity.
Likely telemetry
- Windows process creation telemetry including image path, command line, parent process, user, and integrity/elevation context
- Endpoint/EDR telemetry showing privileged execution and device or raw disk access where available
- Boot configuration change evidence, such as Windows boot configuration modification events or command execution related to boot settings
- File, driver, or device-access telemetry associated with firmware update tooling where collected
- Change-management records for authorized firmware or boot maintenance windows
Detection direction
- Confirm the SOC can identify elevated execution of firmware flash utilities on Windows endpoints.
- Correlate utility execution with subsequent raw firmware device-path access or boot configuration changes rather than alerting only on tool names.
- Tune for legitimate OEM, IT maintenance, and patch-management activity using approved windows, asset groups, signer metadata, and change tickets.
- Investigate activity outside maintenance windows, from unusual parent processes, by unexpected users, or on systems not scheduled for firmware work.
- Document blind spots where endpoint tooling does not expose raw device access or boot configuration changes.
Mitigation priorities
- Limit local administrative privileges and require explicit approval for firmware and boot-configuration maintenance.
- Maintain an inventory of authorized firmware update utilities and expected update workflows for Windows assets.
- Use change control to tie firmware or boot changes to asset owners, maintenance windows, and business justification.
- Preserve endpoint telemetry needed for incident response around privileged process execution and boot configuration changes.
- Review secure boot and platform firmware governance practices where applicable to the Windows estate.
Analyst notes and limits
AN0474 is a detection analytic, not a technique. The available fields describe a Windows-focused behavioral pattern involving elevated firmware flashing followed by firmware-path access or boot configuration changes. The strongest defensive value is validating whether privileged firmware and boot-change activity is visible, authorized, and explainable.
The supplied ATT&CK object has no official detection text, no tactic mapping, and no relationship context. This take does not infer adversary use, attribution, impact, or guaranteed detection coverage. Local telemetry, asset inventory, and change-management data are required to operationalize the analytic.
Analytic 0474
Firmware flash utility invoked with elevated privileges followed by raw access to firmware device path or changes to boot configuration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 61f868f0a544… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0474Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.