MITRE ATT&CK® Detection Strategy

DET0368: Hardware Supply Chain Compromise Detection via Host Status & Boot Integrity Checks


Domain: Enterprise. ID: DET0368. Type: Detection Strategy. Object version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0368 is a detection strategy for identifying possible hardware supply chain compromise through host status and boot integrity checks. The business value is early confidence that servers, workstations, or other enterprise endpoints have not been altered before deployment or during trusted boot paths. Because the related ATT&CK technique is initial access via compromised hardware supply chain, this matters most where device trust underpins business continuity, incident containment, audit evidence, and high-assurance environments.

Executive priority

Leaders should treat this as a trust-and-assurance control, not just a SOC alert type. The key question is whether the organization can prove that critical Linux, macOS, and Windows hosts boot from expected firmware, bootloaders, and host integrity states before they are trusted on the network. Priority should go to business-critical systems, privileged administration workstations, network-facing infrastructure, and environments where procurement or device staging risk has material operational or compliance consequences.

Technical view

ATT&CK provides no official description or detection logic for DET0368, but the detection strategy name and relationship to T1195.003 indicate validation around host status and boot integrity. SOC, detection engineering, and IR teams should confirm whether endpoint and asset workflows can compare expected boot integrity state against observed host state, especially during device onboarding, reimaging, baseline drift review, and incident triage. Because the related technique covers hardware or firmware manipulation before receipt by the consumer, detection should not rely only on post-compromise endpoint behavior; it should include integrity evidence from trusted provisioning and boot validation processes.

Likely telemetry

  • Host status and health/state records from managed endpoints
  • Boot integrity or secure/trusted boot state evidence where available
  • Firmware, bootloader, and platform integrity assessment outputs
  • Asset inventory and device onboarding/provisioning records
  • Endpoint management or configuration compliance results

Detection direction

  • Validate that host integrity checks are collected before high-trust access is granted, not only after an alert is raised.
  • Tune for drift from known-good boot or platform integrity baselines, with exception handling for legitimate firmware, OS, or hardware maintenance changes.
  • Correlate suspicious host integrity findings with asset procurement, staging, imaging, and ownership records to distinguish supply chain concern from routine configuration change.
  • Avoid assuming normal endpoint telemetry is sufficient; hardware or firmware compromise may be difficult to detect from operating-system-level signals alone.
  • Prioritize coverage validation for critical assets and privileged user systems because the related technique is an initial access path.

Mitigation priorities

  • Establish trusted device intake, asset inventory, and provisioning records for systems before production use.
  • Define known-good host and boot integrity baselines for critical Linux, macOS, and Windows assets where supported by local tooling.
  • Require review and documentation for firmware, boot configuration, or hardware changes on high-value systems.
  • Integrate integrity evidence into incident response playbooks so suspect devices can be isolated, validated, or removed from trust decisions.
  • Use detection gaps identified by this strategy to inform procurement assurance, endpoint management, and compliance evidence priorities.
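As an added illustration of the detection direction and baseline items above (example code, not Glexia's or MITRE's), the following Python compares a host's boot-integrity evidence with a known-good baseline, treats drift covered by an approved change as explained, correlates the rest with asset intake records, and refuses to grant trust when evidence is missing rather than treating silence as a pass. The field names, hosts, versions, hashes and change tickets are constructed assumptions.

```python
# Evidence fields that must match the known-good baseline exactly (assumed field names).
INTEGRITY_FIELDS = ("secure_boot", "firmware_version", "bootloader_hash", "pcr7")

def check_host(host, observed, baseline, approved_changes, inventory):
    """Return one finding dict per field that drifted from the baseline. Drift covered
    by an approved change (same host, field, new value) carries its ticket; the rest
    is correlated with the asset intake record so routine maintenance can be
    separated from a supply-chain concern."""
    findings, intake = [], inventory.get(host, {}).get("intake_verified")
    for f in INTEGRITY_FIELDS:
        exp, obs = baseline.get(f), observed.get(f)
        if exp == obs:
            continue
        ticket = next((c["ticket"] for c in approved_changes
                       if (c["host"], c["field"], c["new"]) == (host, f, obs)), None)
        if ticket:
            note = "covered by approved change " + ticket
        elif intake is None:
            note = "no verified intake record: treat as supply-chain concern"
        else:
            note = f"intake verified {intake}; unexplained drift: escalate"
        findings.append({"host": host, "field": f, "expected": exp,
                         "observed": obs, "ticket": ticket, "note": note})
    return findings

def trust_decision(host, evidence, baseline, approved_changes, inventory):
    """Gate high-trust access on collected evidence: missing evidence is a deny,
    never a silent pass, and only unexplained drift blocks the host."""
    if evidence is None or any(f not in evidence for f in INTEGRITY_FIELDS):
        return "deny: integrity evidence incomplete"
    bad = [x for x in check_host(host, evidence, baseline, approved_changes, inventory)
           if x["ticket"] is None]
    return "grant" if not bad else "deny: " + "; ".join(f"{x['field']} ({x['note']})" for x in bad)

# Constructed sample data: assumed hosts, versions, hashes and tickets, not real values.
BASELINE = {"secure_boot": "enabled", "firmware_version": "1.12",
            "bootloader_hash": "aaaa1111", "pcr7": "golden-pcr7"}
APPROVED = [{"host": "ws-02", "field": "firmware_version", "new": "1.13", "ticket": "CHG-0042"}]
INVENTORY = {"ws-01": {"intake_verified": "2025-01-10"}, "ws-02": {"intake_verified": "2025-01-10"}}
OBSERVED = {
    "ws-01": {**BASELINE, "secure_boot": "disabled"},      # unexplained drift on a known asset
    "ws-02": {**BASELINE, "firmware_version": "1.13"},     # routine change covered by CHG-0042
    "ws-03": {**BASELINE, "bootloader_hash": "ffff9999"},  # drift on a host with no intake record
    "ws-04": None,                                         # no evidence collected at all
}

def decisions(observed=OBSERVED):
    """Trust decision per host for the sample data above."""
    return {h: trust_decision(h, e, BASELINE, APPROVED, INVENTORY) for h, e in observed.items()}
```

In a real deployment the observed records would come from the endpoint management or boot-attestation tooling named under "Likely telemetry", and the approved-change list from the change review required under "Mitigation priorities".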

Analyst notes and limits

This take is based on the detection strategy name, external reference DET0368, and its ATT&CK relationship to T1195.003 Compromise Hardware Supply Chain. The most important local validation question is whether the organization has trustworthy pre-production and boot integrity evidence for assets that matter most to operations.

The supplied ATT&CK object does not include an official description, official detection text, tactics, or platforms for DET0368 itself. Platform context comes only from the related technique T1195.003. Local architecture, endpoint tooling, procurement practices, and boot integrity capabilities are required to determine actual coverage.

Official MITRE ATT&CK definition

Hardware Supply Chain Compromise Detection via Host Status & Boot Integrity Checks

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1195.003 | Compromise Hardware Supply Chain (sub-technique) | This object detects Compromise Hardware Supply Chain.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not provided in the mirrored snapshot)
Modified: (not provided in the mirrored snapshot)
Raw hash: e07553f775036d9c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | e07553f77503…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0368

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.