Skip to content

Modify System Image

What is "Modify System Image"?

"Modify System Image" is a technique cataloged under the MITRE ATT&CK framework, specifically within the "Persistence" tactic. This technique involves an adversary making modifications to the operating system or firmware images of a device. These images are used for booting and operating the system, and changes to them can ensure persistence of malicious activity even after system reboots and updates.

How is "Modify System Image" executed?

  1. Identifying Target Images: The attacker first identifies the system or firmware images that are crucial for the device's boot process or regular operation. This could be BIOS, UEFI firmware, or specific system files on a disk image.

  2. Obtaining Access: The attacker needs write access to modify these images. This might involve gaining administrative privileges through other attack vectors such as exploitation of software vulnerabilities or credential theft.

  3. Modifying the Image: The modification can be done by directly editing the binary image files, injecting malicious code, or altering configuration settings within these files. Tools like hex editors, firmware modification kits, or custom scripts can be used.

  4. Persistence Mechanism Setup: By embedding malicious code into system images, attackers ensure that their payload persists across reboots and bypasses typical antivirus software detection methods which might not scan deeply into firmware layers or might trust inherently signed system files.

  5. Concealment: Techniques like obfuscation of the modified code or mimicking legitimate file hashes and signatures are often used to evade detection by security tools.

Where does "Modify System Image" typically apply?

This technique applies primarily in environments where devices rely heavily on firmware and specific OS images for operation—this includes not only personal computers but also embedded devices like routers, IoT devices, and even servers in data centers. It is particularly concerning in environments with high-value assets guarded by stringent security measures since it allows deep persistence that is hard to detect and remove.

Why use "Modify System Image"?

  1. Persistence: Modifying a system image provides a high level of persistence as it remains intact even after system upgrades or reinstalls unless specific measures are taken to reflash or replace the compromised images.

  2. Evasion: Many security programs do not adequately scan BIOS, UEFI, or other firmware layers; hence modifications here may go unnoticed longer than typical software-level persistence mechanisms.

  3. Control Over Host at a Fundamental Level: By modifying the system image, attackers can control aspects of the host machine's behavior from the very start of its boot process, potentially disabling security features before they initiate.

  4. Broad Impact: Since system images often apply uniformly across many systems (like all machines in a particular model line), one successful modification can potentially compromise all similar systems within an organization or consumer base.

In conclusion, "Modify System Image" is a sophisticated level of attack used primarily for deep persistence and stealthy operations targeting critical systems' operational foundations.