Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0167: Firmware Modification via Flash Tool or Corrupted Firmware Upload

This detection strategy is tied to Firmware Corruption (T1495), an impact behavior where firmware or flash memory may be overwritten or corrupted, potentia...

EnterpriseDET0167Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy is tied to Firmware Corruption (T1495), an impact behavior where firmware or flash memory may be overwritten or corrupted, potentially making systems or attached devices unable to boot or function. For leaders, the practical issue is resilience: firmware-level disruption can bypass normal operating-system recovery assumptions and may require hardware-specific recovery, replacement, or vendor support rather than routine endpoint remediation.

Executive priority

Treat this as a business-continuity and incident-response readiness concern, especially for environments where Linux, macOS, Windows systems, or network devices are operationally critical. Executives should ask whether the organization has evidence of authorized firmware update activity, recovery procedures for corrupted firmware, and clear ownership between SOC, infrastructure, endpoint, network, and hardware support teams. Because the ATT&CK detection strategy itself has no official detection text or specified platforms, priority should be driven by local critical assets and the related T1495 impact risk rather than assumed universal coverage.

Technical view

SOC and IR teams should validate whether they can distinguish expected firmware maintenance from suspicious firmware modification or failed/corrupted firmware upload activity. The relationship context indicates this strategy detects T1495 Firmware Corruption, whose related platforms include Linux, macOS, Windows, and Network Devices. Since no official detection logic is supplied for DET0167, teams should build local hypotheses around firmware or flash tooling execution, firmware update events, device management logs, integrity or boot failures, and change records. Detection engineering should focus on high-value assets and network devices where firmware corruption would create meaningful availability impact.

Likely telemetry

  • Endpoint process execution and command-line telemetry for firmware or flash utilities where available
  • Operating system event logs related to driver, firmware, boot, device, or hardware errors
  • Network device administrative logs for firmware upload, image install, reboot, or boot failure events
  • Asset and configuration management records showing expected firmware versions and approved maintenance windows
  • Firmware update management, endpoint management, or device management logs

Detection direction

  • Validate that firmware update and flash modification activity is logged on the asset classes that matter most to operations.
  • Correlate firmware or image update events with approved change windows, administrator identity, source host, and affected asset criticality.
  • Tune detections to reduce false positives from legitimate vendor updates, scheduled maintenance, hardware lifecycle work, and emergency patching.
  • Look for relationship-driven impact context: unexpected reboot loops, inability to boot, missing devices, or device inoperability following firmware-related activity may raise priority.
  • Identify blind spots where network devices, out-of-band management interfaces, or endpoint firmware update tools do not forward logs to the SOC.

Mitigation priorities

  • Prioritize firmware and network-device change control for critical systems, including approval, maintenance windows, and rollback planning.
  • Maintain current inventories of firmware versions, device models, ownership, and business criticality so responders can scope potential corruption quickly.
  • Restrict firmware update privileges to authorized administrators and managed processes where supported by the environment.
  • Preserve known-good firmware images, vendor recovery procedures, and hardware support paths for critical devices.
  • Include firmware corruption scenarios in incident response and business continuity exercises, especially where device unavailability would affect core operations.
Analyst notes and limits

The ATT&CK object is a detection strategy named “Firmware Modification via Flash Tool or Corrupted Firmware Upload” with external ID DET0167. It has no official description, no official detection text, no specified platforms, and no specified tactics. The main usable context is its relationship to T1495 Firmware Corruption, an impact technique involving corruption of BIOS or other firmware in flash/non-volatile memory that can render devices or systems inoperable.

This take is constrained by sparse official fields. It does not assert active exploitation, actor attribution, specific tools, guaranteed telemetry, or detection coverage. Platform references come from the related T1495 technique, not from the DET0167 detection-strategy object itself. Local asset architecture, device logging capability, firmware management process, and change-control evidence are required to turn this into validated detection coverage.

Official MITRE ATT&CK definition

Firmware Modification via Flash Tool or Corrupted Firmware Upload

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1495 Firmware Corruption This object detects Firmware Corruption.
Relationship explorer

All related ATT&CK context

detects · Technique T1495: Firmware Corruption Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
84c35fb4945fd867...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 84c35fb4945f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0167
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use