Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1293: Analytic 1293

Defenders may observe adversary attempts to patch system images by monitoring for anomalous file transfers (TFTP, SCP, FTP) of image files, unauthorized CLI commands altering boot system variables, integrity check mismatches between running and baseline OS images, and runtime memory manipulation attempts. Suspicious sequences include uploading a new image, modifying boot parameters, and subsequent reload/reboot of the device. In-memory patching attempts may manifest as debug commands or boot loader manipulation inconsistent with normal administrative activity.

EnterpriseAN1293AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN1293 is a detection analytic for protecting network device system images. Its practical value is integrity assurance: if a router, switch, or similar device boots from an unauthorized or altered image, business connectivity and operational resilience can be affected before endpoint or server tools see anything. Leaders should treat this as a control validation question: can the organization prove which image a network device should run, detect suspicious image transfers or boot-variable changes, and correlate those changes with reload events?

Executive priority

Prioritize this where network devices support critical business services, remote access, branch connectivity, data center paths, or cyber-physical operations. The key decision is whether network infrastructure changes are observable, authorized, and auditable. This analytic supports incident decision-making and compliance evidence by focusing on unauthorized image movement, boot configuration changes, integrity mismatches, and reload sequences that may indicate device tampering.

Technical view

For Network Devices, validate visibility into anomalous TFTP, SCP, or FTP transfers of image files; CLI commands that alter boot system variables; mismatches between running and baseline OS images; reload or reboot events following image upload activity; and debug, boot loader, or runtime memory manipulation activity inconsistent with normal administration. Because no ATT&CK tactic or relationship context is supplied, implement this as an infrastructure integrity analytic rather than assuming a specific campaign, objective, or intrusion stage.

Likely telemetry

  • Network device syslog and event logs
  • AAA/TACACS+/RADIUS command accounting for CLI activity
  • File transfer logs or network metadata for TFTP, SCP, and FTP involving device image files
  • Device configuration snapshots, especially boot system variables
  • Running image inventory, image filenames, versions, and cryptographic hash or integrity-check results

Detection direction

  • Correlate image file transfer events with subsequent boot variable changes and reload/reboot activity on the same network device.
  • Alert on boot system variable changes made outside approved maintenance patterns or by unexpected administrative identities.
  • Compare running images against a known-good baseline and investigate integrity check mismatches.
  • Tune for legitimate upgrade windows, standard automation accounts, and approved network operations workflows to reduce false positives.
  • Look for rare or high-risk commands related to debug activity, boot loader manipulation, or runtime memory behavior when such logging is available.

Mitigation priorities

  • Maintain an authoritative baseline of approved network device images, boot variables, and expected versions.
  • Require authenticated, attributable administrative access and command accounting for network device changes.
  • Restrict and monitor image transfer mechanisms such as TFTP, SCP, and FTP according to operational need.
  • Use formal change control for image uploads, boot configuration changes, and reloads so detections can separate authorized maintenance from suspicious activity.
  • Periodically validate device image integrity and reconcile results against inventory.
Analyst notes and limits

This object is a detection analytic, not a technique description. The supplied ATT&CK content identifies Network Devices as the platform and describes observable behaviors around image transfer, boot configuration, integrity checks, runtime memory manipulation, and reboot sequencing. No tactic, associated technique relationship, adversary relationship, or vendor-specific implementation detail was supplied.

Official detection text is not provided, and no relationship context is supplied. Local device types, logging capabilities, administrative workflows, approved image baselines, and change records are required to make this analytic reliable. Do not infer active exploitation, attribution, or existing coverage from this object alone.

Official MITRE ATT&CK definition

Analytic 1293

Defenders may observe adversary attempts to patch system images by monitoring for anomalous file transfers (TFTP, SCP, FTP) of image files, unauthorized CLI commands altering boot system variables, integrity check mismatches between running and baseline OS images, and runtime memory manipulation attempts. Suspicious sequences include uploading a new image, modifying boot parameters, and subsequent reload/reboot of the device. In-memory patching attempts may manifest as debug commands or boot loader manipulation inconsistent with normal administrative activity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
a0f6ebc5d1b83dfe...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle a0f6ebc5d1b8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1293
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use