T1542.004 IBM QRadar · QRadar

Detect ROMMONkit in IBM QRadar

Adversaries may abuse the ROM Monitor (ROMMON) by loading unauthorized firmware with adversary code to provide persistent access and manipulate Cisco network device behavior in a way that is extremely difficult to detect. ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. An adversary may upgrade the ROMMON image locally or remotely via TFTP with adversary code and restart the device to overwrite the existing ROMMON image. This provides persistence that survives IOS upgrades and standard remediation, and has been observed in the wild via the SYNful Knock implant campaign targeting Cisco ISR routers. Because ROMMON executes before the operating system loads, malicious code embedded at this layer can intercept and modify IOS behavior, inject backdoors, and evade integrity checks.

MITRE ATT&CK

Tactic: Defense Evasion, Persistence
Technique: T1542 Pre-OS Boot
Sub-technique: T1542.004 ROMMONkit
Canonical reference: https://attack.mitre.org/techniques/T1542/004/

QRadar Detection Query

IBM QRadar (QRadar)
```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS DeviceIP,
  "devicehostname" AS DeviceHostname,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS EventCategory,
  UTF8(payload) AS RawMessage,
  /* MATCHES must match the entire payload, so each keyword alternation is
     grouped and padded with .* on both sides; UTF8() is a function and must
     not be quoted, otherwise AQL looks for a custom property of that name. */
  CASE
    WHEN LOWER(UTF8(payload)) MATCHES '.*(rommon|rom monitor|bootldr|boot variable|confreg|config-register|0x2142|0x2100).*' THEN 1
    ELSE 0
  END AS IsRommonChange,
  CASE
    WHEN LOWER(UTF8(payload)) MATCHES '.*(tftp|copy tftp|archive download-sw|upgrade rom-monitor|upgrade rommon).*' THEN 1
    ELSE 0
  END AS IsTFTPTransfer,
  CASE
    WHEN UTF8(payload) MATCHES '.*(SYS-5-RELOAD|Reload requested|SYS-6-BOOTTIME).*' THEN 1
    ELSE 0
  END AS IsReload,
  CASE
    WHEN LOWER(UTF8(payload)) MATCHES '.*(boot system|boot path-list|startup-config).*' THEN 1
    ELSE 0
  END AS IsBootVarChange,
  /* SuspicionScore is the number of indicator dimensions that fired (0-4) */
  (
    CASE WHEN LOWER(UTF8(payload)) MATCHES '.*(rommon|rom monitor|bootldr|boot variable|confreg|config-register|0x2142|0x2100).*' THEN 1 ELSE 0 END +
    CASE WHEN LOWER(UTF8(payload)) MATCHES '.*(tftp|copy tftp|archive download-sw|upgrade rom-monitor|upgrade rommon).*' THEN 1 ELSE 0 END +
    CASE WHEN UTF8(payload) MATCHES '.*(SYS-5-RELOAD|Reload requested|SYS-6-BOOTTIME).*' THEN 1 ELSE 0 END +
    CASE WHEN LOWER(UTF8(payload)) MATCHES '.*(boot system|boot path-list|startup-config).*' THEN 1 ELSE 0 END
  ) AS SuspicionScore
FROM events
WHERE
  /* last 24 hours; NOW() and devicetime are epoch milliseconds */
  devicetime > (NOW() - 86400000)
  AND (
    LOGSOURCETYPENAME(devicetype) ILIKE '%cisco%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%syslog%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%network%'
  )
  /* same four indicator patterns as the scored columns, so every returned event has SuspicionScore >= 1 */
  AND (
    LOWER(UTF8(payload)) MATCHES '.*(rommon|rom monitor|bootldr|boot variable|confreg|config-register|0x2142|0x2100).*'
    OR LOWER(UTF8(payload)) MATCHES '.*(tftp|copy tftp|archive download-sw|upgrade rom-monitor|upgrade rommon).*'
    OR UTF8(payload) MATCHES '.*(SYS-5-RELOAD|Reload requested|SYS-6-BOOTTIME).*'
    OR LOWER(UTF8(payload)) MATCHES '.*(boot system|boot path-list|startup-config).*'
  )
ORDER BY devicetime DESC
```
Severity: critical. Confidence: medium.

QRadar AQL query targeting Cisco IOS and generic syslog log sources for ROMMONkit (T1542.004) indicators. Each event is scored across four dimensions: ROMMON variable manipulation, TFTP firmware transfers, device reload events, and boot path configuration changes. Events matching at least one dimension are surfaced, and the SuspicionScore field (1 to 4) lets a downstream correlation rule fire only on multi-indicator events.
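The following Python is an added example, not code from the page or from QRadar: it re-implements the four indicator tests and the SuspicionScore of the AQL query above as Python regexes so the matching logic can be checked offline against constructed syslog lines before the query is deployed. It uses re.fullmatch because QRadar's MATCHES has to match the entire payload, which is why every alternation is wrapped in a group and padded with .* on both sides; original_pattern_fires shows how an unparenthesised alternation under full-match semantics silently misses keywords that sit in the middle of a line. The sample payloads and the score_event, surfaced and run_samples helpers are constructed for this example.

```python
import re

# The four indicator patterns from the AQL query, expressed as Python regexes.
# QRadar's MATCHES requires a whole-string match, so each alternation is grouped
# and padded with .*; re.fullmatch reproduces those semantics here.
INDICATORS = {
    "IsRommonChange": (
        r".*(rommon|rom monitor|bootldr|boot variable|confreg|config-register|0x2142|0x2100).*",
        True,   # evaluated against the lower-cased payload, as LOWER() does in AQL
    ),
    "IsTFTPTransfer": (
        r".*(tftp|copy tftp|archive download-sw|upgrade rom-monitor|upgrade rommon).*",
        True,
    ),
    "IsReload": (
        r".*(SYS-5-RELOAD|Reload requested|SYS-6-BOOTTIME).*",
        False,  # case-sensitive, matching the query's un-lowered comparison
    ),
    "IsBootVarChange": (
        r".*(boot system|boot path-list|startup-config).*",
        True,
    ),
}


def score_event(payload: str) -> dict:
    """Return the four indicator flags plus SuspicionScore for one raw payload."""
    flags = {}
    for name, (pattern, lowercase) in INDICATORS.items():
        text = payload.lower() if lowercase else payload
        flags[name] = 1 if re.fullmatch(pattern, text, re.DOTALL) else 0
    flags["SuspicionScore"] = sum(flags.values())
    return flags


def surfaced(payload: str) -> bool:
    """Mirror the WHERE clause: the event is returned when any indicator fires."""
    return score_event(payload)["SuspicionScore"] > 0


def original_pattern_fires(payload: str) -> bool:
    """Caveat: an unparenthesised alternation under full-match semantics.

    Only a payload ending in 'rommon' or starting with '0x2142' (or consisting
    solely of one of the middle keywords) can match, so a mid-line 'confreg'
    is missed. This is the pitfall the grouped patterns above avoid."""
    unanchored = r".*rommon|rom monitor|bootldr|boot variable|confreg|config-register|0x2142.*"
    return bool(re.fullmatch(unanchored, payload.lower(), re.DOTALL))


# Constructed sample payloads (not real device output), one or more per dimension.
SAMPLE_EVENTS = [
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",   # benign, score 0
    "%SYS-5-RELOAD: Reload requested by admin on vty0. Reload Reason: Reload command.",
    "Loading flash:/rommon.bin from 10.0.0.9 (via Vlan1): !!! [OK - 1234 bytes] copy tftp",
    "config-register 0x2142",
    "%SYS-6-BOOTTIME: Time taken to reboot after reload = 120 seconds",
]


def run_samples(events=SAMPLE_EVENTS) -> dict:
    """Score every sample payload; handy for eyeballing which dimension fired."""
    return {event: score_event(event) for event in events}


if __name__ == "__main__":
    for event, result in run_samples().items():
        print(result["SuspicionScore"], result, event, sep="  ")
```

Running the samples shows the TFTP line scoring 2 (both the ROMMON and TFTP dimensions fire), which is the kind of multi-indicator event a correlation rule on SuspicionScore would pick out, while the CONFIG_I line scores 0 and is never surfaced.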

Data Sources

  • Cisco IOS log source (QRadar DSM for Cisco IOS)
  • Syslog generic log source
  • Cisco ASA log source

Required Tables

events (QRadar normalized event store)

False Positives & Tuning

  • Planned ROMMON upgrade during a formal change management window — verify against the organization's change calendar before escalating
  • TFTP-based IOS image distribution from a known software management server (e.g., Cisco Prime Infrastructure, DNA Center) pulling to multiple devices simultaneously
  • Network monitoring scripts that issue 'show boot' or 'show version' commands via SNMP or CLI, which may log BOOT path-list output matching keyword patterns

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Verify Current ROMMON Version and Boot Variables

    Expected signal: Cisco IOS syslog: `%SYS-6-PRIVCMD` (if privilege accounting enabled) for each privileged exec command. TACACS+ accounting records for the enable session and each show command. AAA accounting logs showing the source IP and username. No TFTP or reload events generated.

  2. Test 2: TFTP Image Transfer to Network Device (Lab Only)

    Expected signal: Cisco IOS syslog: `%TFTP-6-TRANSFER: Received 1234 bytes` or `%COPY-5-UPROMPRMT: 1234 bytes copied in 2.345 secs`. CommonSecurityLog/Syslog in SIEM will show the TFTP transfer message with source IP 192.168.100.99. TACACS+ accounting logs the `copy tftp` command with source IP. NetFlow captures UDP/69 session from 192.168.100.99 to device management IP.

  3. Test 3: Configuration Register Modification (Lab Only)

    Expected signal: Cisco IOS syslog: `%SYS-5-CONFIG_I: Configured from console by <user> on <terminal>` after the config change. `show bootvar` output includes `Configuration register is 0x2142`. TACACS+ accounting logs the `config-register 0x2142` command. Syslog forwarded to SIEM contains the CONFIG_I message with the configuration terminal session details.

  4. Test 4: ROMMON Environment Variable Inspection via ROMMON Prompt (Lab Only)

    Expected signal: Cisco IOS syslog before reload: `%SYS-5-RELOAD: Reload requested by <user> on vty0. Reload Reason: Reload command.` After reload: `%SYS-6-BOOTTIME: Time taken to reboot after reload = <seconds> seconds`. TACACS+ logs the `reload` command. Syslog gap during ROMMON phase (ROMMON does not forward syslog). After IOS boots: logging resumes with startup sequence messages.
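As an added example (not code from the page or from Atomic Red Team), the following Python correlates the reload sequence that Test 4 describes and applies the change-window tuning from the False Positives & Tuning section: it pairs each %SYS-5-RELOAD with the next %SYS-6-BOOTTIME on the same host, measures the syslog gap (the ROMMON phase, during which the device forwards nothing), and suppresses reloads that fall inside an approved change window, leaving only unexplained reloads to escalate. The log lines, hostnames, usernames, timestamps and the CHANGE_WINDOWS calendar are constructed for this example; parse_line assumes a fixed "timestamp host message" layout rather than a real syslog header.

```python
from datetime import datetime

# Constructed syslog stream (not real device output). rtr-edge-1 reloads inside an
# approved window; rtr-core-2 reloads with no change record. Each host goes quiet
# between RELOAD and BOOTTIME while ROMMON runs.
SAMPLE_LOG = """\
2024-03-01T02:10:05 rtr-edge-1 %SYS-5-CONFIG_I: Configured from console by svc_netops on vty0 (10.10.0.5)
2024-03-01T02:11:40 rtr-edge-1 %SYS-5-RELOAD: Reload requested by svc_netops on vty0. Reload Reason: Reload command.
2024-03-01T02:14:02 rtr-edge-1 %SYS-6-BOOTTIME: Time taken to reboot after reload = 142 seconds
2024-03-01T13:02:11 rtr-core-2 %SYS-5-RELOAD: Reload requested by admin on vty1. Reload Reason: Reload command.
2024-03-01T13:05:30 rtr-core-2 %SYS-6-BOOTTIME: Time taken to reboot after reload = 199 seconds
"""

# Hypothetical change calendar: host -> approved (start, end) maintenance windows.
CHANGE_WINDOWS = {
    "rtr-edge-1": [(datetime(2024, 3, 1, 2, 0), datetime(2024, 3, 1, 3, 0))],
}


def parse_line(line: str):
    """Split one constructed log line into (timestamp, host, message)."""
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, msg


def in_change_window(host: str, when: datetime) -> bool:
    """True if the timestamp lies inside any approved window for the host."""
    return any(start <= when <= end for start, end in CHANGE_WINDOWS.get(host, []))


def correlate_reloads(log_text: str) -> list:
    """Pair each SYS-5-RELOAD with the next SYS-6-BOOTTIME on the same host.

    Returns one finding per reload: the reload time, the length of the syslog
    gap in seconds (None if the device has not reported back yet) and whether
    the reload was covered by a change window."""
    pending = {}     # host -> reload timestamp still waiting for its BOOTTIME
    findings = []
    for raw in log_text.splitlines():
        when, host, msg = parse_line(raw)
        if "%SYS-5-RELOAD" in msg:
            pending[host] = when
        elif "%SYS-6-BOOTTIME" in msg and host in pending:
            started = pending.pop(host)
            findings.append({
                "host": host,
                "reload_at": started,
                "gap_seconds": int((when - started).total_seconds()),
                "authorized": in_change_window(host, started),
            })
    # A reload with no BOOTTIME afterwards is still worth a finding: the device
    # may be sitting at the ROMMON prompt, which forwards no syslog at all.
    for host, started in pending.items():
        findings.append({
            "host": host,
            "reload_at": started,
            "gap_seconds": None,
            "authorized": in_change_window(host, started),
        })
    return findings


def alerts(log_text: str) -> list:
    """Findings to escalate: reloads that no change window explains."""
    return [f for f in correlate_reloads(log_text) if not f["authorized"]]


if __name__ == "__main__":
    for finding in correlate_reloads(SAMPLE_LOG):
        print(finding)
    print("escalate:", [f["host"] for f in alerts(SAMPLE_LOG)])
```

The gap measurement is deliberately kept as data rather than turned into a threshold: a normal IOS reboot and a ROMMON-stage image swap both produce a silent window, so the gap is context for the analyst while the absence of a change record is what drives the alert.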
