name: AN-DET-11 FSW attestation state mismatch
details: |
  Detects unexpected on-board flight-software state changes by correlating accepted commands against
  the on-board attestation report. If FSW state or running image hash changes without a corresponding
  authorized command, the signature fires. Watches C&DH (SVC:HY:Hybrid:00) and the OBC boot
  firmware (AST:FW:Firmware:01). Implements AN-DET:11.
author: ethicallyHackingSpace
severity: critical
type: correlation
class: integrity_anomaly
status: stable
date: 2026-06-07
mitre-attack:
  - T1542
references:
  - https://csrc.nist.gov/publications/detail/sp/800-193/final
  - https://sparta.aerospace.org/technique/SPACE-T1014
tags:
  - meteorstorm.an-det.11
  - meteorstorm.tdm.svc-hy-hybrid-00
  - meteorstorm.tdm.ast-fw-firmware-01
  - sparta.SPACE-T1014
logsource:
  product: spacecraft_telemetry
  category: attestation
detection:
  selection_fsw_hash_change:
    attestation_hash|changed_since_last_pass: true
  selection_no_authorized_command:
    correlating_command_id: null
  condition: selection_fsw_hash_change and selection_no_authorized_command
falsepositives:
  - Approved FSW patch upload (correlate with patch-deploy ticket)
