name: AN-DET-02 Management-plane firmware push abuse
details: |
  Detects firmware-push and configuration-deploy operations on the ground-station device management plane
  outside authorized maintenance windows. Pattern follows the KA-SAT incident (28 February 2022) where the
  modem management interface was abused to push AcidRain wiper firmware. Implements AN-DET:02 from the
  METEORSTORM AN-DET layer.
author: ethicallyHackingSpace
severity: critical
type: query
class: defense_evasion
status: stable
date: 2026-06-07
mitre-attack:
  - T1542.005
  - T1059
references:
  - https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a
  - https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/
  - https://github.com/MISP/misp-taxonomies/tree/main/meteorstorm
tags:
  - meteorstorm.an-det.02
  - meteorstorm.tdm.svc-cp-control-plane-09
  - meteorstorm.tdm.ast-da-data-02
  - meteorstorm.tdm.ast-sw-software-03
  - attack.impact
  - attack.persistence
logsource:
  product: ground_segment_mgmt_plane
  category: audit
detection:
  selection_firmware_op:
    event_action|contains:
      - "firmware_push"
      - "config_deploy"
      - "image_install"
  selection_outside_window:
    maintenance_window: false
  selection_target:
    target_device|contains: "modem"
  condition: selection_firmware_op and selection_outside_window and selection_target
falsepositives:
  - Emergency change with documented incident reference
  - Authorized red-team exercise
