adpare
79 lines
4.7 KiB
JSON
79 lines
4.7 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--f372b599-8ec4-4b70-9eaa-53bac57ca2aa",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"type": "x-mitre-analytic",
|
|
"id": "x-mitre-analytic--880a1133-6639-42f0-96a8-3e914426d38b",
|
|
"created": "2025-10-21T15:10:28.402Z",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"revoked": false,
|
|
"external_references": [
|
|
{
|
|
"source_name": "mitre-attack",
|
|
"url": "https://attack.mitre.org/detectionstrategies/DET0790#AN1922",
|
|
"external_id": "AN1922"
|
|
},
|
|
{
|
|
"source_name": "McAfee CHIPSEC Blog",
|
|
"description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.",
|
|
"url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/"
|
|
},
|
|
{
|
|
"source_name": "MITRE Copernicus",
|
|
"description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.",
|
|
"url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about"
|
|
},
|
|
{
|
|
"source_name": "Intel HackingTeam UEFI Rootkit",
|
|
"description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.",
|
|
"url": "https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html"
|
|
},
|
|
{
|
|
"source_name": "Github CHIPSEC",
|
|
"description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.",
|
|
"url": "https://github.com/chipsec/chipsec"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"modified": "2026-04-24T20:33:58.916Z",
|
|
"name": "Analytic 1922",
|
|
"description": "Monitor for firmware changes which may be observable via operational alarms from devices.\nMonitor device application logs for firmware changes, although not all devices will produce such logs.\nMonitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.\nMonitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)",
|
|
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"x_mitre_deprecated": false,
|
|
"x_mitre_version": "1.1",
|
|
"x_mitre_attack_spec_version": "3.3.0",
|
|
"x_mitre_domains": [
|
|
"ics-attack"
|
|
],
|
|
"x_mitre_platforms": [
|
|
"None"
|
|
],
|
|
"x_mitre_log_source_references": [
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
|
|
"name": "Operational Databases",
|
|
"channel": "None"
|
|
},
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
|
|
"name": "Application Log",
|
|
"channel": "None"
|
|
},
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
|
|
"name": "Network Traffic",
|
|
"channel": "None"
|
|
},
|
|
{
|
|
"x_mitre_data_component_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd",
|
|
"name": "Firmware",
|
|
"channel": "None"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
} |