MITRE ATT&CK® Technique

T1693: Modify Firmware

Firmware is low-level software embedded in hardware that enables systems and devices to function properly and is commonly found in ICS environments. Adversaries may modify firmware on a system or device by installing malicious or vulnerable versions that enable them to achieve objectives such as Persistence, Impair Process Control, and Inhibit Response Function.

Adversaries may modify system and device firmware by using the built-in firmware update functionality which may support local or remote installation. The malicious or vulnerable firmware may be delivered via Replication Through Removable Media, Supply Chain Compromise, or Remote Services. Once installed, the malicious or vulnerable firmware could be used to provide Rootkit and Hooking functionality, Exploitation for Privilege Escalation, or Denial of Service.[1]

ICS | T1693 | Technique | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Modify Firmware is material because firmware sits below normal operating software on ICS devices. If firmware on controllers or modules is replaced with malicious or vulnerable versions, defenders may be dealing with persistence, impaired process control, inhibited response functions, privilege escalation, rootkit or hooking behavior, or denial of service. For leaders, the key issue is whether critical control assets have trusted firmware provenance, controlled update paths, and evidence that firmware has not changed outside authorized maintenance.

Executive priority

Prioritize this where PLCs, safety controllers, DCS controllers, and PACs support safety-critical or continuity-critical operations. The business decision is not only “can we patch firmware,” but “can we prove firmware integrity, restrict who can update it, and detect unauthorized change.” This affects operational resilience, incident response confidence, maintenance governance, supplier assurance, and audit evidence for high-risk ICS environments.

Technical view

ATT&CK does not provide official detection text for T1693, but it does identify a related detection strategy, DET0904 Detection of Firmware Modification. SOC, engineering, and IR teams should validate whether they maintain known-good firmware baselines for targeted embedded ICS assets, can observe local or remote firmware update activity, and can compare device firmware, software, programs, and configurations against trusted states. Pay particular attention to firmware delivered through removable media, supply chain paths, or remote services, and distinguish authorized vendor maintenance from unexpected update behavior.

Likely telemetry

  • Firmware version and inventory records for PLCs, safety controllers, DCS controllers, PACs, and relevant modules
  • Cryptographic hash or digital signature results from firmware, software, program, and configuration integrity checks
  • Device reboot, program download, program restart, and firmware update event records where available
  • Authentication and authorization records for users, devices, gateways, and software processes that can access update functions
  • Network connection and filtering logs for remote services and automation protocol traffic reaching control devices

Detection direction

  • Validate the DET0904 detection strategy against local device types and engineering workflows; the supplied ATT&CK object does not include detection logic.
  • Baseline known-valid firmware and module firmware states, then alert or investigate when changes occur outside approved maintenance, reboot, download, or restart events.
  • Tune for legitimate firmware maintenance and vendor updates to reduce false positives; unauthorized timing, source, user, device, or package provenance should drive escalation.
  • Check blind spots around modular hardware, older devices requiring special reprogramming equipment, and devices with limited native authentication or integrity checking.
  • Correlate firmware changes with remote services access, removable media activity, supply chain update handling, and subsequent rootkit, hooking, privilege escalation, or denial-of-service symptoms when observable.
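
A worked example of the baseline-and-approval logic in the bullets above, and of how the inventory, integrity-check and change-management records listed under Likely telemetry fit together. This is added illustration written in Go; it is not code from Glexia, MITRE or any vendor. The device names, version strings, change IDs and digest strings are constructed placeholders, and the ApprovedChange records stand in for whatever change-management export a site actually holds. Drift is explained as authorized only when the sample falls inside an approved window and the digest equals the package that was approved, so a changed image inside a legitimate window still escalates.

```go
package main

import (
	"fmt"
	"time"
)

// FirmwareRecord is one row read back from a device during inventory collection.
type FirmwareRecord struct {
	Device   string
	Version  string
	SHA256   string    // digest of the firmware image as dumped or reported by the device
	Observed time.Time // when this inventory sample was taken
}

// ApprovedChange is a record from change management or the maintenance calendar.
type ApprovedChange struct {
	ChangeID    string
	Device      string
	WindowStart time.Time
	WindowEnd   time.Time
	NewSHA256   string // digest of the vendor package approved for that window
}

// Finding is what gets raised to the SOC or engineering queue.
type Finding struct {
	Device string
	Status string // baseline_match | authorized_change | unauthorized_change | unknown_device
	Detail string
}

// EvaluateInventory compares each observed record with the known-good baseline and,
// where the digest has drifted, decides whether an approved change explains it.
func EvaluateInventory(baseline map[string]FirmwareRecord, observed []FirmwareRecord, approved []ApprovedChange) []Finding {
	var findings []Finding
	for _, rec := range observed {
		known, ok := baseline[rec.Device]
		if !ok {
			findings = append(findings, Finding{rec.Device, "unknown_device", "device is not in the firmware baseline"})
			continue
		}
		if rec.SHA256 == known.SHA256 {
			findings = append(findings, Finding{rec.Device, "baseline_match", "version " + rec.Version})
			continue
		}
		// Drift: approved only if the sample is inside a window AND the digest is the approved package.
		inWindow, changeID := false, ""
		for _, chg := range approved {
			if chg.Device != rec.Device || rec.Observed.Before(chg.WindowStart) || rec.Observed.After(chg.WindowEnd) {
				continue
			}
			inWindow = true
			if chg.NewSHA256 == rec.SHA256 {
				changeID = chg.ChangeID
				break
			}
		}
		switch {
		case changeID != "":
			findings = append(findings, Finding{rec.Device, "authorized_change", "matches approved package for " + changeID})
		case inWindow:
			findings = append(findings, Finding{rec.Device, "unauthorized_change", "changed inside a maintenance window, but digest differs from the approved package"})
		default:
			findings = append(findings, Finding{rec.Device, "unauthorized_change", fmt.Sprintf("changed from %s to %s with no approved change", known.Version, rec.Version)})
		}
	}
	return findings
}

// SampleData is constructed: device names, versions, change IDs and digests are placeholders.
func SampleData() (map[string]FirmwareRecord, []FirmwareRecord, []ApprovedChange) {
	now := time.Date(2024, 3, 12, 10, 0, 0, 0, time.UTC)
	base := now.AddDate(0, -1, 0)
	baseline := map[string]FirmwareRecord{
		"plc-01": {"plc-01", "4.2.1", "digest-plc01-known-good", base},
		"plc-02": {"plc-02", "4.2.1", "digest-plc02-known-good", base},
		"sis-01": {"sis-01", "2.8.0", "digest-sis01-known-good", base},
		"dcs-03": {"dcs-03", "7.1.0", "digest-dcs03-known-good", base},
	}
	observed := []FirmwareRecord{
		{"plc-01", "4.2.1", "digest-plc01-known-good", now}, // unchanged
		{"plc-02", "4.3.0", "digest-plc02-vendor-430", now}, // approved vendor update
		{"sis-01", "2.8.0", "digest-sis01-differs", now},    // same version string, different image
		{"dcs-03", "7.1.1", "digest-dcs03-unexpected", now}, // window exists, but not the approved package
		{"pac-09", "1.0.0", "digest-pac09", now},            // never baselined
	}
	approved := []ApprovedChange{
		{"CHG-1042", "plc-02", now.Add(-2 * time.Hour), now.Add(2 * time.Hour), "digest-plc02-vendor-430"},
		{"CHG-1043", "dcs-03", now.Add(-2 * time.Hour), now.Add(2 * time.Hour), "digest-dcs03-vendor-711"},
	}
	return baseline, observed, approved
}

func main() {
	baseline, observed, approved := SampleData()
	for _, f := range EvaluateInventory(baseline, observed, approved) {
		fmt.Printf("%-7s %-20s %s\n", f.Device, f.Status, f.Detail)
	}
}
```

The sis-01 row is the case the version-only checks in many inventories miss: the reported version string is unchanged, so only the image digest reveals the modification. Version and digest therefore both belong in the baseline.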

Mitigation priorities

  • Start with governance and audit: maintain firmware inventories, trusted baselines, and periodic integrity checks, especially after reboots, program downloads, and program restarts.
  • Enforce code signing and boot integrity where supported so untrusted firmware or loading mechanisms are not accepted.
  • Restrict update capability with access management, human user authentication, and software process or device authentication, especially where field devices lack strong native controls.
  • Reduce reachable update paths with network segmentation, network allowlists, and protocol-aware traffic filtering for control networks.
  • Use communication authenticity and encryption for network communications where applicable, and protect sensitive information at rest when it supports firmware or update trust.
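
As an added example of the code-signing and boot-integrity control in the second bullet above, this Go program shows the acceptance check an update gateway or device loader can apply before a firmware package is flashed: an Ed25519 signature over a manifest that binds the image digest, the target device family and a monotonically increasing version, so that a tampered image, a package signed with a key other than the pinned vendor key, a package built for another device family, and a version rollback are all refused. It is not Glexia's, MITRE's or any vendor's code. The key pair, manifest layout, device family name and image bytes are constructed for the demonstration; a real deployment pins the vendor public key in protected storage rather than generating it at run time, and the signing function is included only so the example is self-contained.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed metadata that travels with a firmware image. Only the
// manifest is signed; it binds the image through its SHA-256 digest.
type Manifest struct {
	Device  string   // device family the package is built for (constructed name)
	Version uint32   // monotonically increasing firmware version
	Digest  [32]byte // SHA-256 of the raw image bytes
}

// encode is the canonical byte string that is signed and verified.
func (m Manifest) encode() []byte {
	b := append([]byte(m.Device), 0)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], m.Version)
	b = append(b, v[:]...)
	return append(b, m.Digest[:]...)
}

// Package is what an update channel (removable media, engineering workstation,
// remote service) delivers to the device or gateway.
type Package struct {
	Manifest  Manifest
	Image     []byte
	Signature []byte // Ed25519 signature over Manifest.encode()
}

// SignPackage stands in for the vendor build pipeline; a device never holds this key.
func SignPackage(priv ed25519.PrivateKey, device string, version uint32, image []byte) Package {
	m := Manifest{Device: device, Version: version, Digest: sha256.Sum256(image)}
	return Package{Manifest: m, Image: image, Signature: ed25519.Sign(priv, m.encode())}
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrWrongDevice  = errors.New("package is signed for a different device family")
	ErrDigest       = errors.New("image digest does not match the signed manifest")
	ErrRollback     = errors.New("package version is not newer than the installed firmware")
)

// AcceptFirmwarePackage is the gate applied before flashing. Order matters: the
// signature is checked first so nothing from an unsigned manifest is trusted.
func AcceptFirmwarePackage(pkg Package, trusted ed25519.PublicKey, device string, installed uint32) error {
	if !ed25519.Verify(trusted, pkg.Manifest.encode(), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Manifest.Device != device {
		return ErrWrongDevice
	}
	if sha256.Sum256(pkg.Image) != pkg.Manifest.Digest {
		return ErrDigest
	}
	if pkg.Manifest.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed vendor key pair; in practice only the public half is pinned on the device.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image bytes")
	pkg := SignPackage(vendorPriv, "plc-family-x", 12, image)

	fmt.Println("genuine package:  ", AcceptFirmwarePackage(pkg, vendorPub, "plc-family-x", 11))
	tampered := pkg
	tampered.Image = append([]byte("modified "), image...)
	fmt.Println("tampered image:   ", AcceptFirmwarePackage(tampered, vendorPub, "plc-family-x", 11))
	fmt.Println("rollback attempt: ", AcceptFirmwarePackage(pkg, vendorPub, "plc-family-x", 12))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("untrusted signer: ", AcceptFirmwarePackage(SignPackage(otherPriv, "plc-family-x", 13, image), vendorPub, "plc-family-x", 11))
}
```

The rollback check is what keeps a validly signed but older, vulnerable firmware build from being reinstalled, which is the "vulnerable versions" case in the technique description; a signature alone does not cover it.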

Analyst notes and limits

This technique is an ICS ATT&CK technique with sub-techniques for System Firmware and Module Firmware. It targets embedded ICS assets including PLCs, safety controllers, DCS controllers, and PACs. The supplied relationships provide strong mitigation context but limited detection detail, so local engineering data, vendor documentation, and approved maintenance processes are required to operationalize coverage.

Official ATT&CK detection text, tactics, and platforms are not specified for this object. The relationship to DET0904 names a detection strategy but does not provide its analytic content here. This take does not assert active exploitation, attribution, or guaranteed detectability.

Official MITRE ATT&CK definition

Modify Firmware

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain  ID         Name             Relationship / procedure
ICS     T1693.001  System Firmware  Sub-technique: System Firmware is a sub-technique of this object.
ICS     T1693.002  Module Firmware  Sub-technique: Module Firmware is a sub-technique of this object.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a919c4648fce157e...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  a919c4648fce…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Basnight, Zachry, et al. (2013). Retrieved 2017/10/17.
  2. [2] mitre-attack T1693.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.