DET0170: Detection Strategy for Modify System Image on Network Devices
Analyst context for executives and security teams
DET0170 matters because it is aimed at detecting changes to the system image on network devices, a behavior associated with ATT&CK technique T1601 Modify System Image. For leaders, the practical issue is not just a device software change; it is whether an adversary could weaken defenses or add capabilities on infrastructure that supports connectivity, segmentation, monitoring, and operational continuity.
Executive priority
Treat this as a resilience and control-assurance question for network infrastructure. Executives should ask whether the organization can prove which network device images are approved, detect unauthorized image changes, and support incident response if a router, switch, firewall, or similar device is suspected of running altered software. This is also relevant to audit evidence, change control, and cyber-physical exposure where network devices support operational environments.
Technical view
The supplied ATT&CK object is a detection strategy for T1601 Modify System Image, in the defense-impairment context, on Network Devices. SOC, detection engineering, and IR teams should validate whether they can observe image replacement, image modification, or suspicious runtime changes on embedded network device operating systems. Because the official detection text is not provided, teams should base their implementation on local device capabilities, management-plane logging, image inventory, change records, and comparison against approved baselines.
Likely telemetry
- Network device software/firmware image inventory, including version, filename, and approved baseline where available
- Cryptographic hash or integrity evidence for device system images, if supported by the device or management tooling
- Device management-plane logs showing software install, upgrade, boot image, file copy, or configuration commands
- AAA/accounting records for administrative sessions to network devices
- Change management records for approved maintenance windows and authorized image updates
Detection direction
- Compare observed device image state against an approved inventory or golden baseline rather than relying only on configuration monitoring.
- Correlate image-change events with authorized change tickets, maintenance windows, and administrator identities to reduce false positives from legitimate upgrades.
- Prioritize devices that enforce segmentation, remote access, perimeter control, monitoring paths, or operational network connectivity because defense-impairment on those devices can have outsized impact.
- Validate whether logging survives device reloads or image changes; network devices may have limited local retention, so external collection is important.
- Account for blind spots where devices do not expose image hash, detailed file operations, or runtime memory modification evidence.
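As an added example (not code from the Glexia page or from MITRE), the following Python sketches the detection direction above: it compares observed image state against a golden baseline, treats devices that expose no hash as unverifiable rather than clean, and correlates each image-change event with an authorized change ticket by device, operator and maintenance window. The baseline, tickets, device names, image filenames, hashes and the normalized log-line format are all constructed assumptions.

```python
from collections import namedtuple

# Constructed golden baseline: approved image per device; hash only where the device exposes one.
BASELINE = {
    "core-rtr-01": {"image": "os-17.9.4a.bin", "sha256": "aa11"},
    "edge-fw-02":  {"image": "fw-7.2.8.img",   "sha256": "bb22"},
    "acc-sw-09":   {"image": "sw-15.2.7.bin",  "sha256": None},   # no hash exposed
}

# Constructed change tickets: device, authorized operator, approved window (ISO 8601).
CHANGE_TICKETS = [
    {"id": "CHG-1001", "device": "edge-fw-02", "user": "netops.alice",
     "start": "2025-03-02T01:00:00", "end": "2025-03-02T03:00:00"},
]

# Normalized image-change record built from management-plane and AAA logs.
ImageEvent = namedtuple("ImageEvent", "device user ts image sha256")

def parse_event(line: str) -> ImageEvent:
    """Parse a constructed, pre-normalized log line of the form
    '<iso-ts> <device> user=<u> image=<file> [sha256=<hex>]'."""
    ts, device, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return ImageEvent(device, f["user"], ts, f["image"], f.get("sha256"))

def check_baseline(ev: ImageEvent) -> str:
    """Compare the observed image state with the approved baseline."""
    base = BASELINE.get(ev.device)
    if base is None:
        return "UNKNOWN_DEVICE"
    if ev.image != base["image"]:
        return "IMAGE_MISMATCH"
    if base["sha256"] is None or ev.sha256 is None:
        return "UNVERIFIABLE"          # blind spot: no integrity evidence to compare
    return "OK" if ev.sha256 == base["sha256"] else "HASH_MISMATCH"

def is_ticketed(ev: ImageEvent) -> bool:
    """True only if a ticket covers this device, this operator and this time window."""
    return any(t["device"] == ev.device and t["user"] == ev.user
               and t["start"] <= ev.ts <= t["end"] for t in CHANGE_TICKETS)

def triage(line: str) -> str:
    """Verdict for one log line: OK, or <baseline state>:<TICKETED|NO_TICKET>."""
    ev = parse_event(line)
    state = check_baseline(ev)
    if state == "OK":
        return state
    return f"{state}:{'TICKETED' if is_ticketed(ev) else 'NO_TICKET'}"
```

A ticketed hash mismatch still deserves review, since an approved window does not prove the image that was loaded is the approved one.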
Mitigation priorities
- Establish and maintain an approved image baseline for network devices, including version and integrity evidence where available.
- Restrict and monitor administrative access to network device management interfaces and software image functions.
- Require formal change control for image upgrades or replacements, with evidence retained for SOC and audit review.
- Ensure centralized collection of network device logs and administrative accounting so image-related activity is not lost during reloads or incident response.
- Maintain recoverable known-good images and configuration backups to support containment and restoration if tampering is suspected.
Analyst notes and limits
The strongest decision value is to validate whether network infrastructure image integrity is observable and governed. This object has no official description or detection text, so the relationship to T1601 provides the main technical anchor. Glexia would treat this as a gap-assessment item across managed detection, IR readiness, network security operations, and compliance evidence for infrastructure change control.
The supplied detection strategy does not specify platforms, tactics, an official description, or official detection logic. Platform and tactic context comes from the related ATT&CK technique: Network Devices and defense-impairment. Local device models, logging capabilities, image-management tooling, and change-control maturity are required to turn this into concrete detections.
Detection Strategy for Modify System Image on Network Devices
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1601 | Modify System Image | This object detects Modify System Image. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 367f4e63f8a1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0170
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.