{ "type": "bundle", "id": "bundle--f372b599-8ec4-4b70-9eaa-53bac57ca2aa", "spec_version": "2.0", "objects": [ { "type": "x-mitre-analytic", "id": "x-mitre-analytic--880a1133-6639-42f0-96a8-3e914426d38b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0790#AN1922", "external_id": "AN1922" }, { "source_name": "McAfee CHIPSEC Blog", "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.", "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/" }, { "source_name": "MITRE Copernicus", "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.", "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about" }, { "source_name": "Intel HackingTeam UEFI Rootkit", "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html" }, { "source_name": "Github CHIPSEC", "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.", "url": "https://github.com/chipsec/chipsec" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-04-24T20:33:58.916Z", "name": "Analytic 1922", "description": "Monitor for firmware changes which may be observable via operational alarms from devices.\nMonitor device application logs for firmware changes, although not all devices will produce such logs.\nMonitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.\nMonitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_platforms": [ "None" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "name": "Operational Databases", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "Application Log", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "Network Traffic", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", "name": "Firmware", "channel": "None" } ] } ] }