DET0802: Detection of Activate Firmware Update Mode
Analyst context for executives and security teams
DET0802 is about detecting when an ICS device is placed into firmware update mode. The business issue is not the update process itself; it is that some devices may suspend normal monitoring or response functions while waiting for firmware. In safety- or process-critical environments, a device left in that state can weaken emergency response, protection, or operational continuity even if no firmware is actually installed.
Executive priority
Treat this as an operational resilience and cyber-physical risk question: do teams know which critical devices can enter firmware update mode, who is authorized to do it, and how quickly the SOC or control-room staff would notice? This should inform maintenance governance, incident response playbooks, evidence for change-control compliance, and prioritization of monitoring around devices whose inactive or update state could affect safety or process availability.
Technical view
This detection strategy maps to ICS technique T0800, Activate Firmware Update Mode. Because the ATT&CK object does not provide platform, tactic, description, or detection logic, defenders should validate coverage from local engineering knowledge: identify devices with a firmware installation or update mode, determine what normal activation looks like during approved maintenance, and confirm whether mode changes are visible in device logs, engineering workstation activity, network management traffic, controller/protection relay status, historian data, or operator alarms. SOC and IR teams should distinguish authorized maintenance windows from unexpected or prolonged update-mode states.
Likely telemetry
- Device status or mode-change logs from ICS assets that support firmware update mode
- Engineering workstation or maintenance system activity related to device configuration or firmware operations
- Network communications associated with device management or firmware update workflows, where available
- Control-room alarms, HMI indicators, historian tags, or asset health/status records showing inactive, maintenance, or update states
- Change-management records and maintenance tickets needed to validate authorized firmware activity
Detection direction
- Inventory devices that can enter firmware update mode and map which telemetry source records that state.
- Alert on unexpected activation, activation outside approved maintenance windows, or devices remaining in update mode longer than expected.
- Correlate device mode changes with approved change records, operator actions, and engineering workstation activity to reduce false positives from legitimate maintenance.
- Prioritize monitoring for devices whose update mode can halt process monitoring or response functions, such as protection-related equipment referenced in the related technique description.
- Document blind spots where device mode is only visible locally, not forwarded to SOC tooling, historian systems, or centralized logs.
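The correlation described in the points above, written out as an added example that is not part of the ATT&CK object or of this page: a small Python routine runs over a constructed device mode-change log, checks each entry into firmware update mode against approved maintenance windows and change records, and flags devices that stay in that state longer than an expected maximum. Device names, state strings, window times, ticket identifiers and the 30-minute threshold are all constructed placeholders; real deployments would read these from device syslog, historian tags or the change-management system.

```python
"""
Added example for DET0802-style correlation (not from the ATT&CK object or
the Glexia page). Flags entry into firmware update mode that is
  1. outside an approved maintenance window,
  2. not backed by a change record, or
  3. longer than an expected maximum (including devices that never exit).
All device names, states, windows, tickets and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed device status log: (ISO timestamp, device, reported state).
# In practice this would come from device logs, historian tags or asset-health records.
EVENTS = [
    ("2024-05-01T09:58:00", "RELAY-01", "FIRMWARE_UPDATE"),
    ("2024-05-01T10:12:00", "RELAY-01", "NORMAL"),
    ("2024-05-01T13:40:00", "PLC-07", "FIRMWARE_UPDATE"),    # no window, no ticket
    ("2024-05-01T13:55:00", "PLC-07", "NORMAL"),
    ("2024-05-01T10:05:00", "RELAY-02", "FIRMWARE_UPDATE"),  # in window, never exits
]

# Constructed approved maintenance windows: (device, start, end).
MAINT_WINDOWS = [
    ("RELAY-01", "2024-05-01T09:00:00", "2024-05-01T11:00:00"),
    ("RELAY-02", "2024-05-01T09:00:00", "2024-05-01T11:00:00"),
]
# Constructed change records: ticket id -> device covered by the ticket.
CHANGE_TICKETS = {"CHG-1001": "RELAY-01", "CHG-1002": "RELAY-02"}
# Constructed site expectation for how long a device should remain in update mode.
MAX_UPDATE_MODE = timedelta(minutes=30)


@dataclass
class Finding:
    device: str
    reason: str
    at: datetime


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def in_window(device: str, t: datetime) -> bool:
    """True if an approved maintenance window for this device covers time t."""
    return any(d == device and _parse(s) <= t <= _parse(e) for d, s, e in MAINT_WINDOWS)


def has_ticket(device: str) -> bool:
    """True if some change record names this device."""
    return device in CHANGE_TICKETS.values()


def evaluate(events, now_ts: str):
    """Return findings for update-mode activations that look unauthorized or prolonged.

    now_ts is the evaluation time, used to catch devices still in update mode.
    """
    now = _parse(now_ts)
    findings = []
    entered = {}  # device -> time it entered firmware update mode
    for ts, device, state in sorted(events):  # ISO strings sort chronologically
        t = _parse(ts)
        if state == "FIRMWARE_UPDATE":
            entered[device] = t
            if not in_window(device, t):
                findings.append(Finding(device, "update mode outside maintenance window", t))
            if not has_ticket(device):
                findings.append(Finding(device, "update mode with no change record", t))
        elif state == "NORMAL" and device in entered:
            start = entered.pop(device)
            if t - start > MAX_UPDATE_MODE:
                findings.append(Finding(device, "update mode exceeded expected duration", t))
    # Anything still in update mode at evaluation time is a blind-spot candidate:
    # the device may have suspended its normal monitoring or response functions.
    for device, start in entered.items():
        if now - start > MAX_UPDATE_MODE:
            findings.append(Finding(device, "still in update mode past expected duration", now))
    return findings


if __name__ == "__main__":
    for f in evaluate(EVENTS, "2024-05-01T14:00:00"):
        print(f"{f.at.isoformat()} {f.device}: {f.reason}")
```

With the constructed data, RELAY-01 produces nothing (in window, ticketed, exits after 14 minutes), PLC-07 is flagged twice (outside any window and with no change record), and RELAY-02 is flagged because it is still in update mode almost four hours after an approved entry, which is the prolonged-state case the detection direction calls out.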
Mitigation priorities
- Establish strict change-control and authorization for firmware update mode on critical ICS devices.
- Require maintenance procedures to verify devices exit update mode and return to expected monitoring or response functions.
- Limit who can initiate firmware-related operations and review access paths used by engineering or maintenance systems.
- Ensure control-room and SOC procedures include escalation for unexpected or prolonged firmware update mode states.
- Use periodic tabletop or validation exercises to confirm that detection, notification, and recovery steps work before an operational emergency.
Analyst notes and limits
The source object is a detection strategy for ICS ATT&CK and has a direct detects relationship to T0800, Activate Firmware Update Mode. The practical focus should be on state visibility, maintenance governance, and cyber-physical consequence analysis rather than assuming a specific platform or adversary procedure.
The official detection strategy contains no description, detection text, platforms, tactics, aliases, or labels. The related technique description is also truncated in the supplied data. Local device types, vendor behavior, available logs, maintenance workflows, and operational safety requirements are required to turn this into implementable detection logic.
Detection of Activate Firmware Update Mode
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0800 | Activate Firmware Update Mode | This object detects Activate Firmware Update Mode. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8e9954cbb170… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0802
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.