| ID | Name |
|---|---|
| T1474.001 | Compromise Software Dependencies and Development Tools |
| T1474.002 | Compromise Hardware Supply Chain |
| T1474.003 | Compromise Software Supply Chain |
Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system.
| ID | Mitigation | Description |
|---|---|---|
| M1001 | Security Updates | Security updates may contain patches to integrity checking mechanisms that can detect unauthorized hardware modifications. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0604 | Detection of Compromise Hardware Supply Chain | AN1653 | The defender observes a newly enrolled or recently activated device presenting abnormal integrity, hardware-backed attestation, or firmware/build relationships at the management plane, followed by privileged or system-context access to protected resources or framework paths, and then outbound communication inconsistent with setup state, lock state, or recent user interaction. The causal sequence is strongest when the device has not yet reached a normal trusted posture but still exhibits system-level capability use or network activity. |
| DET0604 | Detection of Compromise Hardware Supply Chain | AN1654 | The defender observes a device at activation, supervision, or enrollment time with unusual management-plane posture, inventory, or trust characteristics and then relies primarily on downstream network effects and device-state inconsistencies rather than direct low-level process telemetry. On iOS, the most reliable sequence is a supervision/attestation or inventory concern near first contact, followed by network egress or protected-state behavior that is inconsistent with lock state, setup phase, or expected managed-app activity. |
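Both analytics above describe the same causal chain: an enrollment-time trust concern, optionally system-context access, then egress that does not fit the device's setup or lock state, all before the device reaches a normal trusted posture. The correlator below is an added illustration of that sequence logic and is not MITRE ATT&CK's code or any vendor's detection content. It assumes a simplified, hypothetical management-plane event feed (dict events with `device`, `ts`, `kind` and a few state fields); real MDM and attestation exports use their own field names, and the sample events are constructed.

```python
"""Sequence correlator for the DET0604 analytics (AN1653 / AN1654).

Added illustration, not MITRE ATT&CK's own code. It assumes a simplified,
hypothetical management-plane event feed where each event is a dict with a
``device``, a ``ts`` (seconds), a ``kind`` and kind-specific fields; real
MDM / attestation exports will name these differently.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Attestation outcomes that leave the device short of a trusted posture.
UNTRUSTED_ATTESTATION = {"failed", "unknown", "unavailable"}


@dataclass
class DeviceState:
    untrusted_reasons: list = field(default_factory=list)
    trusted: bool = False          # set once a clean attestation arrives
    privileged_seen: bool = False  # system-context access seen while untrusted


def _enrollment_concerns(ev):
    """Return the reasons an enrollment / activation event looks abnormal."""
    reasons = []
    if ev.get("attestation") in UNTRUSTED_ATTESTATION:
        reasons.append(f"attestation={ev['attestation']}")
    fw, expected = ev.get("firmware"), ev.get("expected_firmware")
    if fw and expected and fw != expected:
        reasons.append(f"firmware {fw} != expected {expected}")
    if ev.get("supervised") is False and ev.get("expected_supervised"):
        reasons.append("device not supervised at enrollment")
    return reasons


def correlate(events):
    """Walk events in time order and emit one finding per device whose sequence
    matches: abnormal enrollment -> (privileged access) -> egress inconsistent
    with setup / lock state, before a trusted posture is reached.
    Findings with privileged access map to AN1653; without it, to AN1654."""
    states = defaultdict(DeviceState)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = states[ev["device"]]
        kind = ev["kind"]
        if kind == "enroll":
            st.untrusted_reasons = _enrollment_concerns(ev)
            st.trusted = not st.untrusted_reasons
        elif kind == "attestation" and ev.get("result") == "ok":
            st.trusted = True  # device reached a normal trusted posture
        elif kind == "privileged_access" and not st.trusted:
            st.privileged_seen = True
        elif kind == "egress" and not st.trusted and st.untrusted_reasons:
            # Egress during setup, or while locked with no recent user
            # interaction, is inconsistent with the device's expected state.
            inconsistent = ev.get("setup_complete") is False or (
                ev.get("locked") and not ev.get("user_interaction_recent"))
            if inconsistent:
                findings.append({
                    "device": ev["device"],
                    "ts": ev["ts"],
                    "reasons": list(st.untrusted_reasons),
                    "privileged_access_seen": st.privileged_seen,
                    "dest": ev.get("dest"),
                    "analytic": "AN1653" if st.privileged_seen else "AN1654",
                })
                st.untrusted_reasons = []  # one finding per untrusted window
    return findings


# Constructed sample feed (not real telemetry); addresses are documentation ranges.
SAMPLE_EVENTS = [
    {"device": "dev-A", "ts": 100, "kind": "enroll", "attestation": "failed",
     "firmware": "1.2.9-custom", "expected_firmware": "1.2.9"},
    {"device": "dev-A", "ts": 160, "kind": "privileged_access", "path": "/system/framework"},
    {"device": "dev-A", "ts": 200, "kind": "egress", "dest": "203.0.113.7:443",
     "setup_complete": False, "locked": True, "user_interaction_recent": False},
    # dev-B: clean attestation, egress during setup is treated as expected.
    {"device": "dev-B", "ts": 100, "kind": "enroll", "attestation": "ok",
     "firmware": "1.2.9", "expected_firmware": "1.2.9"},
    {"device": "dev-B", "ts": 200, "kind": "egress", "dest": "198.51.100.20:443",
     "setup_complete": False, "locked": True, "user_interaction_recent": False},
    # dev-C: concern at first contact but a later clean attestation closes the window.
    {"device": "dev-C", "ts": 100, "kind": "enroll", "attestation": "unknown",
     "supervised": False, "expected_supervised": True},
    {"device": "dev-C", "ts": 120, "kind": "attestation", "result": "ok"},
    {"device": "dev-C", "ts": 300, "kind": "egress", "dest": "198.51.100.21:443",
     "setup_complete": False, "locked": True, "user_interaction_recent": False},
    # dev-D: iOS-style case, no process telemetry, locked egress with no user activity.
    {"device": "dev-D", "ts": 100, "kind": "enroll", "attestation": "unavailable",
     "supervised": False, "expected_supervised": True},
    {"device": "dev-D", "ts": 300, "kind": "egress", "dest": "198.51.100.22:443",
     "setup_complete": True, "locked": True, "user_interaction_recent": False},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample feed, only dev-A (AN1653, privileged access observed) and dev-D (AN1654, network effects only) are reported; dev-B never had a trust concern and dev-C cleared its concern with a clean attestation before egressing, which is the "has not yet reached a normal trusted posture" condition both analytics hinge on.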