Firmware Modification via Flash Tool or Corrupted Firmware Upload

Technique Detected: Firmware Corruption | T1495

ID: DET0167
Domains: Enterprise
Analytics: AN0474, AN0475, AN0476, AN0477
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0474

Firmware flash utility invoked with elevated privileges followed by raw access to firmware device path or changes to boot configuration.

Log Sources

Data Component | Name | Channel
Process Creation (DC0032) | WinEventLog:Security | EventCode=4688
Driver Load (DC0079) | WinEventLog:Sysmon | EventCode=6
Firmware Modification (DC0004) | WinEventLog:Microsoft-Windows-Kernel-Boot | Firmware integrity validation failed or boot configuration tampered

Mutable Elements

Field | Description
ParentImage | Common legitimate flash tool chains can be allowlisted
CommandLine | Flags indicating silent or forced flash may vary

AN0475

Direct write access to /dev/mem or /sys/firmware combined with usage of firmware flashing utilities (e.g., flashrom).

Log Sources

Data Component | Name | Channel
Firmware Modification (DC0004) | auditd:SYSCALL | write access to /dev/mem or /sys/firmware/efi/efivars
Process Creation (DC0032) | auditd:SYSCALL | execution of known flash tools (e.g., flashrom, fwupd)

Mutable Elements

Field | Description
ToolName | Custom or renamed firmware tools may require pattern matching

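As an added example (not part of the DET0167 page or of any MITRE tooling), the AN0475 correlation in Python over constructed, simplified auditd-style records: an execve of a flash tool matching the ToolName pattern followed by a write-mode open of /dev/mem or /sys/firmware/efi/efivars by the same process. The one-line record layout, the CORRELATION_WINDOW value and the sample records are assumptions, not real captures.

```python
import re
from os.path import basename

# Constructed, simplified auditd-style records (not real captures). Real auditd
# splits one syscall over SYSCALL and PATH records; here each line carries just
# the fields this check needs: ts, pid, syscall, comm, exe, name, flags.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL ts=1729500000 pid=4101 syscall=execve comm="flashrom" exe="/usr/sbin/flashrom" uid=0',
    'type=SYSCALL ts=1729500002 pid=4101 syscall=openat comm="flashrom" exe="/usr/sbin/flashrom" name="/dev/mem" flags=O_RDWR',
    'type=SYSCALL ts=1729500100 pid=4200 syscall=execve comm="fwtool" exe="/tmp/.cache/fwtool" uid=0',
    'type=SYSCALL ts=1729500101 pid=4200 syscall=openat comm="fwtool" exe="/tmp/.cache/fwtool" name="/sys/firmware/efi/efivars/BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c" flags=O_WRONLY',
    'type=SYSCALL ts=1729500200 pid=4300 syscall=openat comm="cat" exe="/usr/bin/cat" name="/dev/mem" flags=O_RDONLY',
]

FIRMWARE_PATHS = ("/dev/mem", "/sys/firmware/efi/efivars")
FLASH_TOOL_PATTERN = re.compile(r"flashrom|fwupd")  # the ToolName mutable element
WRITE_FLAGS = {"O_WRONLY", "O_RDWR"}
CORRELATION_WINDOW = 300  # assumed: seconds between tool execve and firmware write

def parse_record(line):
    """Turn a key=value audit line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def detect_firmware_writes(lines, tool_pattern=FLASH_TOOL_PATTERN, window=CORRELATION_WINDOW):
    """Return (ts, pid, exe, path, severity) for write-mode opens of firmware paths.

    severity is 'high' when the writer matches the flash-tool pattern or the same pid
    executed a matching tool within `window` seconds; 'medium' for any other writer,
    which catches renamed tools that the ToolName pattern alone would miss.
    """
    recent_tool_execs = {}  # pid -> ts of the execve of a matching flash tool
    alerts = []
    for rec in map(parse_record, lines):
        ts, pid, exe = int(rec.get("ts", 0)), rec.get("pid"), rec.get("exe", "")
        if rec.get("syscall") == "execve" and tool_pattern.search(basename(exe)):
            recent_tool_execs[pid] = ts
            continue
        path = rec.get("name", "")
        is_write = bool(WRITE_FLAGS & set(rec.get("flags", "").split("|")))
        if rec.get("syscall") in ("open", "openat") and is_write and path.startswith(FIRMWARE_PATHS):
            known_tool = bool(tool_pattern.search(basename(exe))) or (
                pid in recent_tool_execs and ts - recent_tool_execs[pid] <= window)
            alerts.append((ts, pid, exe, path, "high" if known_tool else "medium"))
    return alerts

if __name__ == "__main__":
    for alert in detect_firmware_writes(SAMPLE_AUDIT_LINES):
        print(alert)
```

On a real host the same logic would sit behind audit rules watching /dev/mem and the efivars directory, with the PATH record joined to its SYSCALL record by the audit serial.
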
AN0476

EFI updates executed via system processes or binaries outside of expected patch windows or using unsigned firmware packages.

Log Sources

Data Component | Name | Channel
Process Creation (DC0032) | macos:unifiedlog | com.apple.firmwareupdater activity or update-firmware binary invoked
Firmware Modification (DC0004) | macos:unifiedlog | boot failure events or SMC validation errors

Mutable Elements

Field | Description
UpdateTimeWindow | Firmware updates usually occur after an OS update; out-of-band patterns may indicate compromise

AN0477

Firmware image uploaded via TFTP/SCP or web interface followed by reboot or unexpected loss of connectivity.

Log Sources

Data Component | Name | Channel
Network Traffic Content (DC0085) | NSM:Flow | large upload to firmware interface port or path
Firmware Modification (DC0004) | networkdevice:firmware | Firmware update initiated or bootloader tampering detected

Mutable Elements

Field | Description
UploadSizeThreshold | Size of firmware images varies by vendor
RebootWindow | Reboots outside of patch maintenance may be suspicious