Detect ROMMONkit in Microsoft Sentinel
Adversaries may abuse the ROM Monitor (ROMMON) by loading unauthorized firmware with adversary code to provide persistent access and manipulate Cisco network device behavior in a way that is extremely difficult to detect. ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. An adversary may upgrade the ROMMON image locally or remotely via TFTP with adversary code and restart the device to overwrite the existing ROMMON image. This provides persistence that survives IOS upgrades and standard remediation, and has been observed in the wild via the SYNful Knock implant campaign targeting Cisco ISR routers. Because ROMMON executes before the operating system loads, malicious code embedded at this layer can intercept and modify IOS behavior, inject backdoors, and evade integrity checks.
MITRE ATT&CK
- Tactic
- Defense Evasion Persistence
- Technique
- T1542 Pre-OS Boot
- Sub-technique
- T1542.004 ROMMONkit
- Canonical reference
- https://attack.mitre.org/techniques/T1542/004/
KQL Detection Query
// T1542.004 — ROMMONkit: Detect ROMMON/boot firmware manipulation on Cisco network devices
// Requires Cisco device syslog forwarded to Microsoft Sentinel via Syslog or CommonSecurityLog
// Covers: TFTP image transfers to devices, ROMMON variable changes, boot system modifications, unexpected reloads
let RommonKeywords = dynamic([
"ROMMON", "rommon", "rom monitor",
"boot loader", "bootldr", "BOOT variable",
"confreg", "CONFREG", "config-register",
"0x2142", "0x0", "0x2100"
]);
let TFTPKeywords = dynamic([
"tftp", "TFTP",
"copy tftp", "archive download-sw",
"upgrade rom-monitor", "upgrade rommon"
]);
let ReloadKeywords = dynamic([
"SYS-5-RELOAD", "Reload requested",
"SYS-6-BOOTTIME", "restarted"
]);
let BootConfigKeywords = dynamic([
"boot system", "BOOT path-list",
"Configured from", "startup-config"
]);
// Primary: Syslog table (Cisco devices forwarding via rsyslog/syslog)
let SyslogDetections = Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has_any (RommonKeywords)
or SyslogMessage has_any (TFTPKeywords)
or (SyslogMessage has_any (ReloadKeywords) and SyslogMessage has_any (BootConfigKeywords))
| extend IsRommonChange = SyslogMessage has_any (RommonKeywords)
| extend IsTFTPTransfer = SyslogMessage has_any (TFTPKeywords)
| extend IsReload = SyslogMessage has_any (ReloadKeywords)
| extend IsBootVarChange = SyslogMessage has_any (BootConfigKeywords)
| extend DeviceIdentifier = coalesce(HostName, Computer)
| project TimeGenerated, DeviceIdentifier, SyslogMessage, SeverityLevel,
IsRommonChange, IsTFTPTransfer, IsReload, IsBootVarChange, LogSource="Syslog";
// Secondary: CommonSecurityLog (CEF-formatted Cisco logs via AMA or legacy agent)
let CSLDetections = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor =~ "Cisco"
| where Message has_any (RommonKeywords)
or Message has_any (TFTPKeywords)
or (Message has_any (ReloadKeywords) and Message has_any (BootConfigKeywords))
| extend IsRommonChange = Message has_any (RommonKeywords)
| extend IsTFTPTransfer = Message has_any (TFTPKeywords)
| extend IsReload = Message has_any (ReloadKeywords)
| extend IsBootVarChange = Message has_any (BootConfigKeywords)
| extend DeviceIdentifier = coalesce(DeviceName, Computer)
| project TimeGenerated, DeviceIdentifier, SyslogMessage=Message, SeverityLevel=tostring(LogSeverity),
IsRommonChange, IsTFTPTransfer, IsReload, IsBootVarChange, LogSource="CommonSecurityLog";
SyslogDetections
| union CSLDetections
| sort by TimeGenerated descDetects ROMMONkit activity on Cisco network devices by monitoring syslog and CEF-formatted logs forwarded to Microsoft Sentinel. Identifies ROMMON variable modifications, TFTP-based firmware transfers to devices, boot system configuration changes, and suspicious reload events. Requires Cisco syslog forwarding to a Log Analytics Workspace via Syslog daemon or AMA connector. Covers both direct syslog ingestion (Syslog table) and CEF-formatted device logs (CommonSecurityLog table). Because ROMMON manipulation requires physical or authenticated access followed by a TFTP transfer and reload, the combination of TFTP activity + reload event from the same device within a short window is the highest-fidelity indicator.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate ROMMON upgrades performed by network engineering teams during planned maintenance windows — correlate against change management tickets
- Authorized IOS image upgrades via TFTP during software lifecycle management cycles that log BOOT variable changes
- Network device password recovery procedures using confreg 0x2142 performed by authorized administrators
- Automated configuration management platforms (Cisco DNA Center, RANCID, Oxidized) that perform TFTP-based image pushes as part of normal operations
Other platforms for T1542.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Verify Current ROMMON Version and Boot Variables
Expected signal: Cisco IOS syslog: `%SYS-6-PRIVCMD` (if privilege accounting enabled) for each privileged exec command. TACACS+ accounting records for the enable session and each show command. AAA accounting logs showing the source IP and username. No TFTP or reload events generated.
- Test 2TFTP Image Transfer to Network Device (Lab Only)
Expected signal: Cisco IOS syslog: `%TFTP-6-TRANSFER: Received 1234 bytes` or `%COPY-5-UPROMPRMT: 1234 bytes copied in 2.345 secs`. CommonSecurityLog/Syslog in SIEM will show the TFTP transfer message with source IP 192.168.100.99. TACACS+ accounting logs the `copy tftp` command with source IP. NetFlow captures UDP/69 session from 192.168.100.99 to device management IP.
- Test 3Configuration Register Modification (Lab Only)
Expected signal: Cisco IOS syslog: `%SYS-5-CONFIG_I: Configured from console by <user> on <terminal>` after the config change. `show bootvar` output includes `Configuration register is 0x2142`. TACACS+ accounting logs the `config-register 0x2142` command. Syslog forwarded to SIEM contains the CONFIG_I message with the configuration terminal session details.
- Test 4ROMMON Environment Variable Inspection via ROMMON Prompt (Lab Only)
Expected signal: Cisco IOS syslog before reload: `%SYS-5-RELOAD: Reload requested by <user> on vty0. Reload Reason: Reload command.` After reload: `%SYS-6-BOOTTIME: Time taken to reboot after reload = <seconds> seconds`. TACACS+ logs the `reload` command. Syslog gap during ROMMON phase (ROMMON does not forward syslog). After IOS boots: logging resumes with startup sequence messages.
References (7)
- https://attack.mitre.org/techniques/T1542/004/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- https://www.mandiant.com/resources/blog/synful-knock-detecting-cisco-ios-rootkits-with-host-based-forensics
- https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/7181-rommon-integrity.html
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-r1.html
- https://github.com/nsacyber/Hardware-and-Firmware-Security-Guidance
Unlock Pro Content
Get the full detection package for T1542.004 including response playbook, investigation guide, and atomic red team tests.