name: AN-DET-12 Firmware hash mismatch at integration
details: |
  Detects supply-chain firmware tampering at integration by comparing measured hash against the
  signed vendor-supplied expected value. Fires for FTS firmware (AST:FW:Firmware:00), OBC firmware
  (AST:FW:Firmware:01), and payload firmware (AST:FW:Firmware:02). Implements AN-DET:12. Primary
  control is measured-boot attestation (AN-RES:12).
author: ethicallyHackingSpace
severity: critical
type: query
class: supply_chain
status: stable
date: 2026-06-07
mitre-attack:
  - T1195.002
references:
  - https://csrc.nist.gov/publications/detail/sp/800-193/final
  - https://slsa.dev/
tags:
  - meteorstorm.an-det.12
  - meteorstorm.tdm.ast-fw-firmware-00
  - meteorstorm.tdm.ast-fw-firmware-01
  - meteorstorm.tdm.ast-fw-firmware-02
  - attack.supply-chain
logsource:
  product: hardware_integration_lab
  category: attestation
detection:
  selection_hash_mismatch:
    measured_hash|neq: expected_hash
  selection_component|in:
    component_id:
      - "fts-firmware"
      - "obc-firmware"
      - "payload-firmware"
  condition: selection_hash_mismatch and selection_component
falsepositives:
  - Approved vendor build with updated signed manifest (verify provenance chain)
