Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1693.001: System Firmware

System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.

An adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers.[1]

ICST1693.001Sub-techniqueObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

System Firmware modification matters because firmware sits below normal operating-system and application controls on ICS assets. If an accessible device accepts malicious or out-of-date firmware, an adversary may gain very low-level control of equipment that supports monitoring, control, networking, remote access, or safety functions. For leaders, the key issue is not just patching—it is whether the organization can prove who is allowed to update firmware, how firmware integrity is verified, and whether abnormal firmware changes would be noticed before they affect operations.

Executive priority

Prioritize this where firmware-capable assets support critical operations, including HMIs, PLCs, RTUs, IEDs, data gateways, safety controllers, VPN servers, and switches. The business decision is whether firmware update paths are governed as high-risk operational changes: authenticated, segmented, logged, integrity-checked, and scheduled around downtime. This supports operational resilience, incident response readiness, audit evidence, and cyber-physical risk reduction because compromised firmware can undermine trust in the device itself.

Technical view

ATT&CK provides no official detection text, tactics, or platform list for this sub-technique, but it is related to DET0731, Detection of System Firmware, and is a sub-technique of Modify Firmware. SOC, OT security, and IR teams should validate visibility around firmware update mechanisms on the targeted ICS asset classes. Focus on whether firmware versions, update events, device reboots, program downloads, restarts, authentication events, and network sessions to firmware/update interfaces can be correlated with approved maintenance activity. Treat unexpected firmware version changes, unsigned or unverifiable firmware, update attempts from unauthorized network locations, or firmware changes outside approved windows as high-value investigation leads.

Likely telemetry

  • Firmware inventory and version records for ICS assets
  • Firmware update logs or maintenance records where available
  • Device access and user authentication logs
  • Gateway, inline access management, or remote access authentication logs
  • Network flow and protocol-filtering logs involving firmware update services or device management interfaces

Detection direction

  • Confirm which targeted asset classes have firmware update features and whether those updates can occur over the network.
  • Baseline approved firmware versions and compare device state after reboots, downloads, restarts, or maintenance events.
  • Correlate firmware changes with authenticated users, authorized source systems, approved maintenance windows, and change records.
  • Tune detections to reduce false positives from legitimate vendor patching or scheduled upgrades while preserving alerts for unexpected version rollback, unverifiable firmware, or unauthorized update paths.
  • Validate visibility at choke points such as gateways, VPN servers, switches, and segmented network boundaries because endpoint logging on embedded ICS devices may be limited.

Mitigation priorities

  • Start with audit and inventory: identify devices with firmware update capability and maintain known-valid firmware versions, hashes, or signatures where possible.
  • Restrict access to firmware update paths using access management, human user authentication, device/software process authentication, network segmentation, network allowlists, and protocol-aware traffic filtering.
  • Protect update communications using communication authenticity and encrypted network traffic where supported, especially across untrusted networks.
  • Require code signing and boot integrity controls where available so devices reject untrusted firmware and verify loading mechanisms.
  • Protect sensitive firmware-related data at rest where applicable.
Analyst notes and limits

This object is ICS-focused and targets multiple operational asset types, including HMIs, PLCs, RTUs, IEDs, data gateways, safety controllers, VPN servers, and switches. The strongest defensive value is in validating governance and evidence around firmware changes: who can initiate them, from where, with what authentication, using what integrity checks, and whether the SOC or OT team can reconstruct the event during an incident.

ATT&CK does not specify tactics, platforms, aliases, or official detection guidance for this sub-technique. Relationship descriptions provide mitigation context but not implementation details for specific vendors or devices. Local engineering knowledge is required to determine which assets support remote firmware updates, what logs exist, and which controls are feasible without disrupting operations.

Official MITRE ATT&CK definition

System Firmware

System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.

An adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

2 rows
Domain ID Name Relationship / procedure
ICS T1693 Modify Firmware This object subtechnique of Modify Firmware.
ICS T0857 System Firmware System Firmware revoked by this object.
Associated objects

Groups, software, and campaigns

Campaign ICS

C0063: 2025 Poland Wiper Attacks

2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper and LazyWiper, a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]

Campaign ICS

C0041: FrostyGoop Incident

FrostyGoop Incident took place in January 2024 against a municipal district heating company in Ukraine. Following initial access via likely exploitation of external facing services, FrostyGoop was used to manipulate ENCO control systems via legitimate Modbus commands to impact the delivery of heating services to Ukrainian civilians.[1][2]

Relationship explorer

All related ATT&CK context

targets · ICS Asset A0017: Distributed Control System (DCS) Controller ICS targets · ICS Asset A0011: Virtual Private Network (VPN) Server ICS subtechnique of · Technique T1693: Modify Firmware ICS targets · ICS Asset A0009: Data Gateway ICS uses · Campaign C0028: 2015 Ukraine Electric Power Attack ICS targets · ICS Asset A0016: Firewall ICS targets · ICS Asset A0003: Programmable Logic Controller (PLC) ICS mitigates · Mitigation M0804: Human User Authentication ICS targets · ICS Asset A0010: Safety Controller ICS mitigates · Mitigation M0808: Encrypt Network Traffic ICS uses · Campaign C0063: 2025 Poland Wiper Attacks ICS targets · ICS Asset A0004: Remote Terminal Unit (RTU) ICS targets · ICS Asset A0005: Intelligent Electronic Device (IED) ICS mitigates · Mitigation M0947: Audit ICS mitigates · Mitigation M0813: Software Process and Device Authentication ICS uses · Campaign C0041: FrostyGoop Incident ICS mitigates · Mitigation M0937: Filter Network Traffic ICS mitigates · Mitigation M0941: Encrypt Sensitive Information ICS mitigates · Mitigation M0801: Access Management ICS mitigates · Mitigation M0802: Communication Authenticity ICS mitigates · Mitigation M0930: Network Segmentation ICS targets · ICS Asset A0002: Human-Machine Interface (HMI) ICS mitigates · Mitigation M0807: Network Allowlists ICS revoked by · Technique T0857: System Firmware ICS
Mitigations

Mitigation direction

Mitigation ICS

M0804: Human User Authentication

Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including Multi-factor Authentication, Account Use Policies, Password Policies, User Account Management, Privileged Account Management, and User Account Control.

Mitigation ICS

M0947: Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.

Mitigation ICS

M0813: Software Process and Device Authentication

Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.

Mitigation ICS

M0937: Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. [1]

Mitigation ICS

M0801: Access Management

Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provide sufficient capabilities to support user identification and authentication. [1] These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. [2]

Mitigation ICS

M0802: Communication Authenticity

When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
55244e7df8cfaf3e...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 55244e7df8cf…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Basnight, Zachry, et al.

    Basnight, Zachry, et al. 2013 Retrieved. 2017/10/17

    Open source URL
  2. [2]
    mitre-attack T1693.001
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use