title: Modify System Image (T1601)
id: df00tech-t1601
status: experimental
description: "This detection identifies adversary attempts to modify the operating system image of embedded network devices such as routers, switches, and firewalls. Adversaries may replace or patch the monolithic OS binary to weaken defenses, implant backdoors, or add new capabilities. Detection focuses on unauthorized TFTP/SCP image transfers to network devices, unexpected system image version changes logged via syslog, privilege escalation events on device management interfaces, and anomalous file copy operations on network management hosts. It covers both live in-memory modifications and persistent changes written to storage that take effect on the next boot."
references:
  - https://attack.mitre.org/techniques/T1601/
  - https://df00tech.com/detections/T1601
author: df00tech
date: 2026/03/20
tags:
  - attack.t1601
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Authorized network engineers performing scheduled firmware upgrades during maintenance windows via TFTP/SCP
  - "Network management platforms (Cisco Prime, SolarWinds, Ansible AWX) performing automated image distribution and version compliance enforcement"
  - Legitimate disaster recovery operations restoring a known-good baseline image after hardware failure
  - Vendor-assisted software update procedures conducted by authorized third-party contractors with change tickets
level: high
