T1542.004

ROMMONkit

Adversaries may abuse the ROM Monitor (ROMMON) by loading unauthorized firmware with adversary code to provide persistent access and manipulate Cisco network device behavior in a way that is extremely difficult to detect. ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. An adversary may upgrade the ROMMON image locally or remotely via TFTP with adversary code and restart the device to overwrite the existing ROMMON image. This provides persistence that survives IOS upgrades and standard remediation, and has been observed in the wild via the SYNful Knock implant campaign targeting Cisco ISR routers. Because ROMMON executes before the operating system loads, malicious code embedded at this layer can intercept and modify IOS behavior, inject backdoors, and evade integrity checks.

Microsoft Sentinel / Defender

kusto

// T1542.004 — ROMMONkit: Detect ROMMON/boot firmware manipulation on Cisco network devices
// Requires Cisco device syslog forwarded to Microsoft Sentinel via Syslog or CommonSecurityLog
// Covers: TFTP image transfers to devices, ROMMON variable changes, boot system modifications, unexpected reloads
let RommonKeywords = dynamic([
    "ROMMON", "rommon", "rom monitor",
    "boot loader", "bootldr", "BOOT variable",
    "confreg", "CONFREG", "config-register",
    "0x2142", "0x0", "0x2100"
]);
let TFTPKeywords = dynamic([
    "tftp", "TFTP",
    "copy tftp", "archive download-sw",
    "upgrade rom-monitor", "upgrade rommon"
]);
let ReloadKeywords = dynamic([
    "SYS-5-RELOAD", "Reload requested",
    "SYS-6-BOOTTIME", "restarted"
]);
let BootConfigKeywords = dynamic([
    "boot system", "BOOT path-list",
    "Configured from", "startup-config"
]);
// Primary: Syslog table (Cisco devices forwarding via rsyslog/syslog)
let SyslogDetections = Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has_any (RommonKeywords)
    or SyslogMessage has_any (TFTPKeywords)
    or (SyslogMessage has_any (ReloadKeywords) and SyslogMessage has_any (BootConfigKeywords))
| extend IsRommonChange = SyslogMessage has_any (RommonKeywords)
| extend IsTFTPTransfer = SyslogMessage has_any (TFTPKeywords)
| extend IsReload = SyslogMessage has_any (ReloadKeywords)
| extend IsBootVarChange = SyslogMessage has_any (BootConfigKeywords)
| extend DeviceIdentifier = coalesce(HostName, Computer)
| project TimeGenerated, DeviceIdentifier, SyslogMessage, SeverityLevel,
          IsRommonChange, IsTFTPTransfer, IsReload, IsBootVarChange, LogSource="Syslog";
// Secondary: CommonSecurityLog (CEF-formatted Cisco logs via AMA or legacy agent)
let CSLDetections = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor =~ "Cisco"
| where Message has_any (RommonKeywords)
    or Message has_any (TFTPKeywords)
    or (Message has_any (ReloadKeywords) and Message has_any (BootConfigKeywords))
| extend IsRommonChange = Message has_any (RommonKeywords)
| extend IsTFTPTransfer = Message has_any (TFTPKeywords)
| extend IsReload = Message has_any (ReloadKeywords)
| extend IsBootVarChange = Message has_any (BootConfigKeywords)
| extend DeviceIdentifier = coalesce(DeviceName, Computer)
| project TimeGenerated, DeviceIdentifier, SyslogMessage=Message, SeverityLevel=tostring(LogSeverity),
          IsRommonChange, IsTFTPTransfer, IsReload, IsBootVarChange, LogSource="CommonSecurityLog";
SyslogDetections
| union CSLDetections
| sort by TimeGenerated desc

critical severity medium confidence

Data Sources

Network Device: Network Device Configuration Network Traffic: Network Traffic Content Cisco IOS Syslog CEF/CommonSecurityLog from Cisco devices

Required Tables

Syslog CommonSecurityLog

False Positives

Legitimate ROMMON upgrades performed by network engineering teams during planned maintenance windows — correlate against change management tickets
Authorized IOS image upgrades via TFTP during software lifecycle management cycles that log BOOT variable changes
Network device password recovery procedures using confreg 0x2142 performed by authorized administrators
Automated configuration management platforms (Cisco DNA Center, RANCID, Oxidized) that perform TFTP-based image pushes as part of normal operations

Splunk

spl

| union
  [ search index=network sourcetype=cisco:ios earliest=-24h
    ("ROMMON" OR "rommon" OR "rom monitor" OR "bootldr" OR "BOOT variable" OR "confreg" OR "config-register" OR "0x2142")
    OR ("tftp" OR "TFTP" OR "copy tftp" OR "archive download-sw" OR "upgrade rom-monitor")
    OR ("SYS-5-RELOAD" OR "Reload requested" AND ("boot system" OR "BOOT path-list")) ],
  [ search index=network sourcetype=syslog earliest=-24h
    (host="*router*" OR host="*switch*" OR host="*cisco*" OR host="*rtr*" OR host="*sw*")
    ("ROMMON" OR "rommon" OR "tftp" OR "TFTP" OR "upgrade rom-monitor" OR "SYS-5-RELOAD" OR "confreg") ]
| eval DeviceHost=coalesce(host, dvc)
| eval IsRommonChange=if(match(lower(_raw), "rommon|rom monitor|bootldr|boot variable|confreg|config-register|0x2142"), 1, 0)
| eval IsTFTPTransfer=if(match(lower(_raw), "tftp|copy tftp|archive download-sw|upgrade rom-monitor"), 1, 0)
| eval IsReload=if(match(_raw, "SYS-5-RELOAD|Reload requested|SYS-6-BOOTTIME"), 1, 0)
| eval IsBootVarChange=if(match(lower(_raw), "boot system|boot path-list|startup-config"), 1, 0)
| eval SuspicionScore=IsRommonChange + IsTFTPTransfer + IsReload + IsBootVarChange
| where SuspicionScore > 0
| table _time, DeviceHost, sourcetype, _raw, IsRommonChange, IsTFTPTransfer, IsReload, IsBootVarChange, SuspicionScore
| sort - _time

critical severity medium confidence

Data Sources

Network Device: Network Device Configuration Cisco IOS Syslog Network Syslog

Required Sourcetypes

cisco:ios syslog

False Positives

Legitimate ROMMON upgrades performed by network engineering teams during planned maintenance windows — correlate against change management tickets
Authorized IOS image upgrades via TFTP during software lifecycle management cycles that log BOOT variable changes
Network device password recovery procedures using confreg 0x2142 performed by authorized administrators
Automated configuration management platforms (Cisco DNA Center, RANCID, Oxidized) that perform TFTP-based image pushes as part of normal operations

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS DeviceIP,
  "devicehostname" AS DeviceHostname,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS EventCategory,
  "utf8(payload)" AS RawMessage,
  CASE
    WHEN LOWER("utf8(payload)") MATCHES '.*rommon|rom monitor|bootldr|boot variable|confreg|config-register|0x2142.*' THEN 1
    ELSE 0
  END AS IsRommonChange,
  CASE
    WHEN LOWER("utf8(payload)") MATCHES '.*tftp|copy tftp|archive download-sw|upgrade rom-monitor|upgrade rommon.*' THEN 1
    ELSE 0
  END AS IsTFTPTransfer,
  CASE
    WHEN "utf8(payload)" MATCHES '.*(SYS-5-RELOAD|Reload requested|SYS-6-BOOTTIME).*' THEN 1
    ELSE 0
  END AS IsReload,
  CASE
    WHEN LOWER("utf8(payload)") MATCHES '.*(boot system|boot path-list|startup-config).*' THEN 1
    ELSE 0
  END AS IsBootVarChange,
  (
    CASE WHEN LOWER("utf8(payload)") MATCHES '.*rommon|rom monitor|bootldr|boot variable|confreg|config-register|0x2142.*' THEN 1 ELSE 0 END +
    CASE WHEN LOWER("utf8(payload)") MATCHES '.*tftp|copy tftp|archive download-sw|upgrade rom-monitor|upgrade rommon.*' THEN 1 ELSE 0 END +
    CASE WHEN "utf8(payload)" MATCHES '.*(SYS-5-RELOAD|Reload requested|SYS-6-BOOTTIME).*' THEN 1 ELSE 0 END +
    CASE WHEN LOWER("utf8(payload)") MATCHES '.*(boot system|boot path-list|startup-config).*' THEN 1 ELSE 0 END
  ) AS SuspicionScore
FROM events
WHERE
  devicetime > (NOW() - 86400000)
  AND (
    LOGSOURCETYPENAME(devicetype) ILIKE '%cisco%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%syslog%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%network%'
  )
  AND (
    LOWER("utf8(payload)") MATCHES '.*rommon|rom monitor|bootldr|boot variable|confreg|config-register|0x2142|0x2100.*'
    OR LOWER("utf8(payload)") MATCHES '.*tftp|copy tftp|archive download-sw|upgrade rom-monitor|upgrade rommon.*'
    OR "utf8(payload)" MATCHES '.*(SYS-5-RELOAD|Reload requested|SYS-6-BOOTTIME).*'
  )
ORDER BY devicetime DESC

critical severity medium confidence

Data Sources

Cisco IOS log source (QRadar DSM for Cisco IOS) Syslog generic log source Cisco ASA log source

Required Tables

events (QRadar normalized event store)

False Positives

Planned ROMMON upgrade during a formal change management window — verify against the organization's change calendar before escalating
TFTP-based IOS image distribution from a known software management server (e.g., Cisco Prime Infrastructure, DNA Center) pulling to multiple devices simultaneously
Network monitoring scripts that issue 'show boot' or 'show version' commands via SNMP or CLI, which may log BOOT path-list output matching keyword patterns

Sumo Logic CSE

sql

// T1542.004 — ROMMONkit: Cisco network device firmware manipulation
// Searches network device syslog for ROMMON, TFTP, reload, and boot config indicators
(_sourceCategory="network/cisco/ios" OR _sourceCategory="network/syslog" OR _sourceCategory="network/router")
| where (%"message" matches "(?i)rommon|rom monitor|bootldr|boot variable|confreg|config-register|0x2142|0x2100"
  OR %"message" matches "(?i)tftp|copy tftp|archive download-sw|upgrade rom-monitor|upgrade rommon"
  OR (%"message" matches "SYS-5-RELOAD|Reload requested|SYS-6-BOOTTIME"
      AND %"message" matches "(?i)boot system|boot path-list|startup-config"))
| if (matches(%"message", "(?i)rommon|rom monitor|bootldr|boot variable|confreg|config-register|0x2142"), 1, 0) as IsRommonChange
| if (matches(%"message", "(?i)tftp|copy tftp|archive download-sw|upgrade rom-monitor|upgrade rommon"), 1, 0) as IsTFTPTransfer
| if (matches(%"message", "SYS-5-RELOAD|Reload requested|SYS-6-BOOTTIME"), 1, 0) as IsReload
| if (matches(%"message", "(?i)boot system|boot path-list|startup-config"), 1, 0) as IsBootVarChange
| IsRommonChange + IsTFTPTransfer + IsReload + IsBootVarChange as SuspicionScore
| where SuspicionScore > 0
| fields _messagetime, _sourceHost, _sourceCategory, %"message", IsRommonChange, IsTFTPTransfer, IsReload, IsBootVarChange, SuspicionScore
| sort by _messagetime desc

critical severity medium confidence

Data Sources

Cisco IOS syslog (via Sumo Logic Installed Collector or HTTP Source) Generic network device syslog Cisco ASA syslog

Required Tables

Sumo Logic partition: network/cisco/ios Sumo Logic partition: network/syslog

False Positives

Authorized ROMMON upgrade procedures performed by network administrators — suppress by adding a lookup table of approved maintenance windows or by allowlisting the management station IP
Cisco DNA Center or Prime Infrastructure pushing IOS-XE image bundles via TFTP, which may generate TFTP and boot system log entries simultaneously on multiple devices
Network device scripted health checks (e.g., Ansible playbooks running 'show boot' or 'show rom-monitor') that cause devices to log their current BOOT variable state

Google Chronicle / SecOps

yaral

rule t1542_004_rommonkit_cisco_firmware_manipulation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects ROMMONkit activity (T1542.004) — ROMMON firmware manipulation on Cisco network devices via syslog indicators including TFTP firmware transfers, ROMMON variable changes, config-register modifications, and suspicious reloads correlated with boot path changes."
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1542.004"
    reference = "https://attack.mitre.org/techniques/T1542/004/"
    created = "2026-04-20"

  events:
    $e.metadata.event_type = "GENERIC_EVENT"
    $e.metadata.vendor_name = "Cisco"
    (
      re.regex($e.metadata.description, `(?i)(rommon|rom\s+monitor|bootldr|boot\s+variable|confreg|config-register|0x2142|0x2100|0x0)`)
      or re.regex($e.metadata.description, `(?i)(tftp|copy\s+tftp|archive\s+download-sw|upgrade\s+rom-monitor|upgrade\s+rommon)`)
      or (
        re.regex($e.metadata.description, `(SYS-5-RELOAD|Reload\s+requested|SYS-6-BOOTTIME)`)
        and re.regex($e.metadata.description, `(?i)(boot\s+system|BOOT\s+path-list|startup-config)`)
      )
    )

  condition:
    $e
}

critical severity medium confidence

Data Sources

Cisco IOS syslog (Chronicle Cisco IOS log parser) Cisco ASA syslog (Chronicle Cisco ASA log parser) Generic syslog from network devices (Chronicle SYSLOG log parser)

Required Tables

UDM GENERIC_EVENT log type (Cisco vendor)

False Positives

Legitimate ROMMON upgrades performed during scheduled maintenance — Cisco TAC-recommended ROMMON updates generate identical syslog messages; verify against an approved change record
Bulk IOS software upgrades via Cisco Smart Install or TFTP-based provisioning that trigger multiple TFTP and boot system messages across many devices simultaneously
Password recovery procedures performed on routers by network admins using config-register 0x2142 — a standard Cisco recovery technique that triggers the confreg/config-register keywords

CrowdStrike LogScale (CQL)

cql

// T1542.004 — ROMMONkit: Network device ROMMON firmware manipulation
// CrowdStrike Falcon LogScale — targets network device syslog forwarded via Falcon LogScale collector
// or via syslog forwarder integration

#repo="network_devices" OR #repo="syslog" OR #vendor="cisco"
| regex(field="@rawstring", regex="(?i)(rommon|rom\s+monitor|bootldr|boot\s+variable|confreg|config-register|0x2142|0x2100|upgrade\s+rom-monitor|upgrade\s+rommon|copy\s+tftp|archive\s+download-sw|SYS-5-RELOAD|Reload\s+requested)", strict=false)
| eval(
    IsRommonChange = if(match(lower(@rawstring), /rommon|rom monitor|bootldr|boot variable|confreg|config-register|0x2142/), "1", "0"),
    IsTFTPTransfer = if(match(lower(@rawstring), /tftp|copy tftp|archive download-sw|upgrade rom-monitor|upgrade rommon/), "1", "0"),
    IsReload = if(match(@rawstring, /SYS-5-RELOAD|Reload requested|SYS-6-BOOTTIME/), "1", "0"),
    IsBootVarChange = if(match(lower(@rawstring), /boot system|boot path-list|startup-config/), "1", "0")
  )
| eval(
    SuspicionScore = toint(IsRommonChange) + toint(IsTFTPTransfer) + toint(IsReload) + toint(IsBootVarChange)
  )
| where SuspicionScore > 0
| table([_timeparsed, host, #repo, @rawstring, IsRommonChange, IsTFTPTransfer, IsReload, IsBootVarChange, SuspicionScore])
| sort(field="_timeparsed", order="desc")

critical severity medium confidence

Data Sources

Network device syslog forwarded to Falcon LogScale via syslog forwarder or Falcon LogScale Collector Cisco IOS syslog (custom repository or #repo tag) Generic network syslog events

Required Tables

LogScale repository: network_devices LogScale repository: syslog

False Positives

Authorized ROMMON firmware upgrades initiated by the network operations team — cross-reference alert timing against the change management system (ServiceNow, Jira) before escalating
Cisco IOS software upgrades using the 'archive download-sw' command which triggers the TFTP transfer pattern but is a standard upgrade mechanism when performed from an approved server
Router password recovery procedures using config-register 0x2142 performed by IT staff — common procedure after administrative credential loss; verify against a helpdesk ticket

Last updated: 2026-04-20 Research depth: deep

References (7)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1542.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1542Pre-OS Boot

Related Sub-techniques

T1542.001System Firmware T1542.002Component Firmware T1542.003Bootkit T1542.005TFTP Boot

ROMMONkit

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections