Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Defense Evasion
  4. >ATTACK-T1601.001
ATTACK-T1601.001Active

Patch System Image

Statement

Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.

To change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection. The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.

To change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system. This method typically requires administrative level access to the device.

In the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system. Adversaries may use malicious code previously implanted in the boot loader, such as through the ROMMONkit method, to directly manipulate running operating system code in memory. This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.

By modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via Weaken Encryption, authentication, via Network Device Authentication, and perimeter defenses, via Network Boundary Bridging. Adding new capabilities for the adversary’s purpose include Keylogging, Multi-hop Proxy, and Port Knocking.

Adversaries may also compromise existing commands in the operating system to produce false output to mislead defenders. When this method is used in conjunction with Downgrade System Image, one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system. By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade.

When the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via TFTP Boot.

When the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots. However, live memory modification of the operating system can be combined with ROMMONkit to achieve persistence.

Location

Tactic
Defense Evasion

Technique Details

Identifier
ATTACK-T1601.001
Parent Technique
ATTACK-T1601
ATT&CK Page
View on MITRE

Tactics

Defense Evasion

Platforms

Network Devices

Detection

Detection Strategy for Patch System Image on Network Devices

Mitigations

Boot Integrity: Boot Integrity ensures that a system starts securely by verifying the integrity of its boot process, operating system, and associated components. This mitigation focuses on leveraging secure boot mechanisms, hardware-rooted trust, and runtime integrity checks to prevent tampering during the boot sequence. It is designed to thwart adversaries attempting to modify system firmware, bootloaders, or critical OS components. This mitigation can be implemented through the following measures:

Implementation of Secure Boot:

  • Implementation: Enable UEFI Secure Boot on all systems and configure it to allow only signed bootloaders and operating systems.
  • Use Case: An adversary attempts to replace the system’s bootloader with a malicious version to gain persistence. Secure Boot prevents the untrusted bootloader from executing, halting the attack.

Utilization of TPMs:

  • Implementation: Configure systems to use TPM-based attestation for boot integrity, ensuring that any modification to the firmware, bootloader, or OS is detected.
  • Use Case: A compromised firmware component alters the boot sequence. The TPM detects the change and triggers an alert, allowing the organization to respond before further damage.

Enable Bootloader Passwords:

  • Implementation: Protect BIOS/UEFI settings with a strong password and limit physical access to devices.
  • Use Case: An attacker with physical access attempts to disable Secure Boot or modify the boot sequence. The password prevents unauthorized changes.

Runtime Integrity Monitoring:

  • Implementation: Deploy solutions to verify the integrity of critical files and processes after boot.
  • Use Case: A malware infection modifies kernel modules post-boot. Runtime integrity monitoring detects the modification and prevents the malicious module from loading.

Code Signing: Code Signing is a security process that ensures the authenticity and integrity of software by digitally signing executables, scripts, and other code artifacts. It prevents untrusted or malicious code from executing by verifying the digital signatures against trusted sources. Code signing protects against tampering, impersonation, and distribution of unauthorized or malicious software, forming a critical defense against supply chain and software exploitation attacks. This mitigation can be implemented through the following measures:

Enforce Signed Code Execution:

  • Implementation: Configure operating systems (e.g., Windows with AppLocker or Linux with Secure Boot) to allow only signed code to execute.
  • Use Case: Prevent the execution of malicious PowerShell scripts by requiring all scripts to be signed with a trusted certificate.

Vendor-Signed Driver Enforcement:

  • Implementation: Enable kernel-mode code signing to ensure that only drivers signed by trusted vendors can be loaded.
  • Use Case: A malicious driver attempting to modify system memory fails to load because it lacks a valid signature.

Certificate Revocation Management:

  • Implementation: Use Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs) to block certificates associated with compromised or deprecated code.
  • Use Case: A compromised certificate used to sign a malicious update is revoked, preventing further execution of the software.

Third-Party Software Verification:

  • Implementation: Require software from external vendors to be signed with valid certificates before deployment.
  • Use Case: An organization only deploys signed and verified third-party software to prevent supply chain attacks.

Script Integrity in CI/CD Pipelines:

  • Implementation: Integrate code signing into CI/CD pipelines to sign and verify code artifacts before production release.
  • Use Case: A software company ensures that all production builds are signed, preventing tampered builds from reaching customers.

Key Components of Code Signing

  • Digital Signature Verification: Verifies the authenticity of code by ensuring it was signed by a trusted entity.
  • Certificate Management: Uses Public Key Infrastructure (PKI) to manage signing certificates and revocation lists.
  • Enforced Policy for Unsigned Code: Prevents the execution of unsigned or untrusted binaries and scripts.
  • Hash Integrity Check: Confirms that code has not been altered since signing by comparing cryptographic hashes.

Credential Access Protection: Credential Access Protection focuses on implementing measures to prevent adversaries from obtaining credentials, such as passwords, hashes, tokens, or keys, that could be used for unauthorized access. This involves restricting access to credential storage mechanisms, hardening configurations to block credential dumping methods, and using monitoring tools to detect suspicious credential-related activity. This mitigation can be implemented through the following measures:

Restrict Access to Credential Storage:

  • Use Case: Prevent adversaries from accessing the SAM (Security Account Manager) database on Windows systems.
  • Implementation: Enforce least privilege principles and restrict administrative access to credential stores such as C:\Windows\System32\config\SAM.

Use Credential Guard:

  • Use Case: Isolate LSASS (Local Security Authority Subsystem Service) memory to prevent credential dumping.
  • Implementation: Enable Windows Defender Credential Guard on enterprise endpoints to isolate secrets and protect them from unauthorized access.

Monitor for Credential Dumping Tools:

  • Use Case: Detect and block known tools like Mimikatz or Windows Credential Editor.
  • Implementation: Flag suspicious process behavior related to credential dumping.

Disable Cached Credentials:

  • Use Case: Prevent adversaries from exploiting cached credentials on endpoints.
  • Implementation: Configure group policy to reduce or eliminate the use of cached credentials (e.g., set Interactive logon: Number of previous logons to cache to 0).

Enable Secure Boot and Memory Protections:

  • Use Case: Prevent memory-based attacks used to extract credentials.
  • Implementation: Configure Secure Boot and enforce hardware-based security features like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

Privileged Account Management: Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures:

Account Permissions and Roles:

  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.

Credential Security:

  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).

Multi-Factor Authentication (MFA):

  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.

Privileged Access Management (PAM):

  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.

Auditing and Monitoring:

  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.

Just-In-Time Access:

  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.

Tools for Implementation

Privileged Access Management (PAM):

  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

Credential Management:

  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

Multi-Factor Authentication:

  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.

Linux Privilege Management:

  • sudo configuration, SELinux, AppArmor.

Just-In-Time Access:

  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.

Multi-factor Authentication: Multi-Factor Authentication (MFA) enhances security by requiring users to provide at least two forms of verification to prove their identity before granting access. These factors typically include:

  • Something you know: Passwords, PINs.
  • Something you have: Physical tokens, smartphone authenticator apps.
  • Something you are: Biometric data such as fingerprints, facial recognition, or retinal scans.

Implementing MFA across all critical systems and services ensures robust protection against account takeover and unauthorized access. This mitigation can be implemented through the following measures:

Identity and Access Management (IAM):

  • Use IAM solutions like Azure Active Directory, Okta, or AWS IAM to enforce MFA policies for all user logins, especially for privileged roles.
  • Enable conditional access policies to enforce MFA for risky sign-ins (e.g., unfamiliar devices, geolocations).
  • Enable Conditional Access policies to only allow logins from trusted devices, such as those enrolled in Intune or joined via Hybrid/Entra.

Authentication Tools and Methods:

  • Use authenticator applications such as Google Authenticator, Microsoft Authenticator, or Authy for time-based one-time passwords (TOTP).
  • Deploy hardware-based tokens like YubiKey, RSA SecurID, or smart cards for additional security.
  • Enforce biometric authentication for compatible devices and applications.

Secure Legacy Systems:

  • Integrate MFA solutions with older systems using third-party tools like Duo Security or Thales SafeNet.
  • Enable RADIUS/NPS servers to facilitate MFA for VPNs, RDP, and other network logins.

Monitoring and Alerting:

  • Use SIEM tools to monitor failed MFA attempts, login anomalies, or brute-force attempts against MFA systems.
  • Implement alerts for suspicious MFA activities, such as repeated failed codes or new device registrations.

Training and Policy Enforcement:

  • Educate employees on the importance of MFA and secure authenticator usage.
  • Enforce policies that require MFA on all critical systems, especially for remote access, privileged accounts, and cloud applications.

Password Policies: Set and enforce secure password policies for accounts to reduce the likelihood of unauthorized access. Strong password policies include enforcing password complexity, requiring regular password changes, and preventing password reuse. This mitigation can be implemented through the following measures:

Windows Systems:

  • Use Group Policy Management Console (GPMC) to configure:
    • Minimum password length (e.g., 12+ characters).
    • Password complexity requirements.
    • Password history (e.g., disallow last 24 passwords).
    • Account lockout duration and thresholds.

Linux Systems:

  • Configure Pluggable Authentication Modules (PAM):
  • Use pam_pwquality to enforce complexity and length requirements.
  • Implement pam_tally2 or pam_faillock for account lockouts.
  • Use pwunconv to disable password reuse.

Password Managers:

  • Enforce usage of enterprise password managers (e.g., Bitwarden, 1Password, LastPass) to generate and store strong passwords.

Password Blacklisting:

  • Use tools like Have I Been Pwned password checks or NIST-based blacklist solutions to prevent users from setting compromised passwords.

Regular Auditing:

  • Periodically audit password policies and account configurations to ensure compliance using tools like LAPS (Local Admin Password Solution) and vulnerability scanners.

Tools for Implementation

Windows:

  • Group Policy Management Console (GPMC): Enforce password policies.
  • Microsoft Local Administrator Password Solution (LAPS): Enforce random, unique admin passwords.

Linux/macOS:

  • PAM Modules (pam_pwquality, pam_tally2, pam_faillock): Enforce password rules.
  • Lynis: Audit password policies and system configurations.

Cross-Platform:

  • Password Managers (Bitwarden, 1Password, KeePass): Manage and enforce strong passwords.
  • Have I Been Pwned API: Prevent the use of breached passwords.
  • NIST SP 800-63B compliant tools: Enforce password guidelines and blacklisting.
SP 800-53
SP800-53-AC-2relatedvia ctid-attack-to-sp800-53
SP800-53-AC-3relatedvia ctid-attack-to-sp800-53
SP800-53-AC-4relatedvia ctid-attack-to-sp800-53
SP800-53-AC-5relatedvia ctid-attack-to-sp800-53
SP800-53-AC-6relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Defense Evasion
Defense Evasion183 controls
ATTACK-T1006Direct Volume AccessATTACK-T1014RootkitATTACK-T1027Obfuscated Files or InformationATTACK-T1027.001Binary PaddingATTACK-T1027.002Software PackingATTACK-T1027.003SteganographyATTACK-T1027.004Compile After DeliveryATTACK-T1027.005Indicator Removal from ToolsATTACK-T1027.006HTML SmugglingATTACK-T1027.007Dynamic API ResolutionATTACK-T1027.008Stripped PayloadsATTACK-T1027.009Embedded PayloadsATTACK-T1027.010Command ObfuscationATTACK-T1027.011Fileless StorageATTACK-T1027.012LNK Icon SmugglingATTACK-T1027.013Encrypted/Encoded FileATTACK-T1027.014Polymorphic CodeATTACK-T1027.015CompressionATTACK-T1027.016Junk Code InsertionATTACK-T1027.017SVG SmugglingATTACK-T1036MasqueradingATTACK-T1036.001Invalid Code SignatureATTACK-T1036.002Right-to-Left OverrideATTACK-T1036.003Rename Legitimate UtilitiesATTACK-T1036.004Masquerade Task or ServiceATTACK-T1036.005Match Legitimate Resource Name or LocationATTACK-T1036.006Space after FilenameATTACK-T1036.007Double File ExtensionATTACK-T1036.008Masquerade File TypeATTACK-T1036.009Break Process TreesATTACK-T1036.010Masquerade Account NameATTACK-T1036.011Overwrite Process ArgumentsATTACK-T1036.012Browser FingerprintATTACK-T1055Process InjectionATTACK-T1055.001Dynamic-link Library InjectionATTACK-T1055.002Portable Executable InjectionATTACK-T1055.003Thread Execution HijackingATTACK-T1055.004Asynchronous Procedure CallATTACK-T1055.005Thread Local StorageATTACK-T1055.008Ptrace System CallsATTACK-T1055.009Proc MemoryATTACK-T1055.011Extra Window Memory InjectionATTACK-T1055.012Process HollowingATTACK-T1055.013Process DoppelgängingATTACK-T1055.014VDSO HijackingATTACK-T1055.015ListPlantingATTACK-T1070Indicator RemovalATTACK-T1070.001Clear Windows Event LogsATTACK-T1070.002Clear Linux or Mac System LogsATTACK-T1070.003Clear Command HistoryATTACK-T1070.004File DeletionATTACK-T1070.005Network Share Connection RemovalATTACK-T1070.006TimestompATTACK-T1070.007Clear Network Connection History and ConfigurationsATTACK-T1070.008Clear Mailbox DataATTACK-T1070.009Clear PersistenceATTACK-T1070.010Relocate MalwareATTACK-T1078Valid AccountsATTACK-T1078.001Default AccountsATTACK-T1078.002Domain AccountsATTACK-T1078.003Local AccountsATTACK-T1078.004Cloud AccountsATTACK-T1112Modify RegistryATTACK-T1127Trusted Developer Utilities Proxy ExecutionATTACK-T1127.001MSBuildATTACK-T1127.002ClickOnceATTACK-T1127.003JamPlusATTACK-T1134Access Token ManipulationATTACK-T1134.001Token Impersonation/TheftATTACK-T1134.002Create Process with TokenATTACK-T1134.003Make and Impersonate TokenATTACK-T1134.004Parent PID SpoofingATTACK-T1134.005SID-History InjectionATTACK-T1140Deobfuscate/Decode Files or InformationATTACK-T1197BITS JobsATTACK-T1202Indirect Command ExecutionATTACK-T1205Traffic SignalingATTACK-T1205.001Port KnockingATTACK-T1205.002Socket FiltersATTACK-T1207Rogue Domain ControllerATTACK-T1211Exploitation for Defense EvasionATTACK-T1216System Script Proxy ExecutionATTACK-T1216.001PubPrnATTACK-T1216.002SyncAppvPublishingServerATTACK-T1218System Binary Proxy ExecutionATTACK-T1218.001Compiled HTML FileATTACK-T1218.002Control PanelATTACK-T1218.003CMSTPATTACK-T1218.004InstallUtilATTACK-T1218.005MshtaATTACK-T1218.007MsiexecATTACK-T1218.008OdbcconfATTACK-T1218.009Regsvcs/RegasmATTACK-T1218.010Regsvr32ATTACK-T1218.011Rundll32ATTACK-T1218.012VerclsidATTACK-T1218.013MavinjectATTACK-T1218.014MMCATTACK-T1218.015Electron ApplicationsATTACK-T1220XSL Script ProcessingATTACK-T1221Template InjectionATTACK-T1222File and Directory Permissions ModificationATTACK-T1222.001Windows File and Directory Permissions ModificationATTACK-T1222.002Linux and Mac File and Directory Permissions ModificationATTACK-T1480Execution GuardrailsATTACK-T1480.001Environmental KeyingATTACK-T1480.002Mutual ExclusionATTACK-T1484Domain or Tenant Policy ModificationATTACK-T1484.001Group Policy ModificationATTACK-T1484.002Trust ModificationATTACK-T1497Virtualization/Sandbox EvasionATTACK-T1497.001System ChecksATTACK-T1497.002User Activity Based ChecksATTACK-T1497.003Time Based ChecksATTACK-T1535Unused/Unsupported Cloud RegionsATTACK-T1542Pre-OS BootATTACK-T1542.004ROMMONkitATTACK-T1542.005TFTP BootATTACK-T1548.006TCC ManipulationATTACK-T1550Use Alternate Authentication MaterialATTACK-T1550.001Application Access TokenATTACK-T1550.002Pass the HashATTACK-T1550.003Pass the TicketATTACK-T1550.004Web Session CookieATTACK-T1553Subvert Trust ControlsATTACK-T1553.001Gatekeeper BypassATTACK-T1553.002Code SigningATTACK-T1553.003SIP and Trust Provider HijackingATTACK-T1553.004Install Root CertificateATTACK-T1553.005Mark-of-the-Web BypassATTACK-T1553.006Code Signing Policy ModificationATTACK-T1562Impair DefensesATTACK-T1562.001Disable or Modify ToolsATTACK-T1562.002Disable Windows Event LoggingATTACK-T1562.003Impair Command History LoggingATTACK-T1562.004Disable or Modify System FirewallATTACK-T1562.006Indicator BlockingATTACK-T1562.007Disable or Modify Cloud FirewallATTACK-T1562.008Disable or Modify Cloud LogsATTACK-T1562.009Safe Mode BootATTACK-T1562.010Downgrade AttackATTACK-T1562.011Spoof Security AlertingATTACK-T1562.012Disable or Modify Linux Audit SystemATTACK-T1562.013Disable or Modify Network Device FirewallATTACK-T1564Hide ArtifactsATTACK-T1564.001Hidden Files and DirectoriesATTACK-T1564.002Hidden UsersATTACK-T1564.003Hidden WindowATTACK-T1564.004NTFS File AttributesATTACK-T1564.005Hidden File SystemATTACK-T1564.006Run Virtual InstanceATTACK-T1564.007VBA StompingATTACK-T1564.008Email Hiding RulesATTACK-T1564.009Resource ForkingATTACK-T1564.010Process Argument SpoofingATTACK-T1564.011Ignore Process InterruptsATTACK-T1564.012File/Path ExclusionsATTACK-T1564.013Bind MountsATTACK-T1564.014Extended AttributesATTACK-T1578Modify Cloud Compute InfrastructureATTACK-T1578.001Create SnapshotATTACK-T1578.002Create Cloud InstanceATTACK-T1578.003Delete Cloud InstanceATTACK-T1578.004Revert Cloud InstanceATTACK-T1578.005Modify Cloud Compute ConfigurationsATTACK-T1599Network Boundary BridgingATTACK-T1599.001Network Address Translation TraversalATTACK-T1600Weaken EncryptionATTACK-T1600.001Reduce Key SpaceATTACK-T1600.002Disable Crypto HardwareATTACK-T1601Modify System ImageATTACK-T1601.001Patch System ImageATTACK-T1601.002Downgrade System ImageATTACK-T1610Deploy ContainerATTACK-T1612Build Image on HostATTACK-T1620Reflective Code LoadingATTACK-T1622Debugger EvasionATTACK-T1647Plist File ModificationATTACK-T1656ImpersonationATTACK-T1666Modify Cloud Resource HierarchyATTACK-T1672Email SpoofingATTACK-T1678Delay ExecutionATTACK-T1679Selective Exclusion