T1542.005

TFTP Boot

Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with Modify System Image to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality.

Microsoft Sentinel / Defender

kusto

// T1542.005 — TFTP Boot detection across Cisco IOS syslog and network TFTP telemetry
// Requires Cisco IOS syslog forwarding to Microsoft Sentinel (Syslog table) and network flow/TFTP visibility
let TFTPBootWindow = 2h;
let SuspiciousTFTPSources = dynamic([]);
// Part 1: Detect boot system TFTP configuration changes in device syslog
let BootSystemChanges = Syslog
| where TimeGenerated > ago(7d)
| where Facility =~ "local0" or Facility =~ "local1" or Facility =~ "local2" or Facility =~ "local3" or Facility =~ "local6" or Facility =~ "local7"
| where SyslogMessage has_any ("boot system tftp", "BOOT system tftp", "boot system flash tftp", "config-register 0x2100", "config-register 0x2102", "config-register 0x2140", "config-register 0x2142")
| extend DeviceIP = HostIP
| extend ChangeType = case(
    SyslogMessage has "boot system tftp", "TFTP_BOOT_COMMAND",
    SyslogMessage has "config-register 0x2100", "TFTP_BOOT_REGISTER",
    SyslogMessage has "config-register 0x2102", "TFTP_BOOT_REGISTER",
    SyslogMessage has "config-register 0x2140", "TFTP_BOOT_REGISTER",
    SyslogMessage has "config-register 0x2142", "ROMMON_BYPASS_REGISTER",
    "UNKNOWN"
  )
| project TimeGenerated, DeviceIP, Computer, Facility, SeverityLevel, SyslogMessage, ChangeType;
// Part 2: Detect TFTP transfer events to/from network devices in syslog
let TFTPTransferEvents = Syslog
| where TimeGenerated > ago(7d)
| where SyslogMessage has_any ("TFTP_SERVER", "tftp://", "Loading ", "tftpdnld", "TFTPD", "tftp-server", "TFTP: sent", "TFTP: received")
| where SyslogMessage has_any (".bin", ".tar", ".pkg", ".img", ".iso", "c3750", "c2960", "c7200", "asr", "isr", "catalyst")
| extend DeviceIP = HostIP
| extend TFTPServer = extract(@"tftp://([0-9\.]+)", 1, SyslogMessage)
| project TimeGenerated, DeviceIP, Computer, SyslogMessage, TFTPServer;
// Part 3: Detect reload/reload-in events close to TFTP activity
let ReloadEvents = Syslog
| where TimeGenerated > ago(7d)
| where SyslogMessage has_any ("SYS-5-RELOAD", "SYS-5-RESTART", "Reload requested", "reload in", "reload at", "SYS-6-RELOAD")
| extend DeviceIP = HostIP
| project ReloadTime = TimeGenerated, DeviceIP, ReloadMessage = SyslogMessage;
// Part 4: Correlate TFTP transfers with reload events within 2-hour window
let CorrelatedEvents = TFTPTransferEvents
| join kind=inner (
    ReloadEvents
  ) on DeviceIP
| where abs(datetime_diff('minute', TimeGenerated, ReloadTime)) <= 120
| extend TimeDeltaMinutes = datetime_diff('minute', ReloadTime, TimeGenerated)
| project TimeGenerated, ReloadTime, DeviceIP, Computer, SyslogMessage, ReloadMessage, TFTPServer, TimeDeltaMinutes;
// Union all suspicious indicators
union kind=outer BootSystemChanges, CorrelatedEvents
| sort by TimeGenerated desc

critical severity medium confidence

Data Sources

Network Device: Network Device Configuration Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow Cisco IOS Syslog

Required Tables

Syslog CommonSecurityLog

False Positives

Legitimate network operations teams performing scheduled IOS upgrades via TFTP from authorized network management servers (e.g., Cisco Prime, SolarWinds NCM)
Password recovery procedures — IOS password recovery requires setting config-register to 0x2142 (ROMMON bypass) which overlaps with TFTP boot register values
Lab or test environment provisioning where TFTP netbooting is intentionally used for device imaging
Automated configuration management platforms (Cisco NSO, Ansible) that push boot system commands as part of standardized device hardening baselines
Network device replacement/RMA procedures where a new device is imaged via TFTP before being deployed into production

Splunk

spl

| union
    [search index=network sourcetype="cisco:ios" earliest=-7d
     ("boot system tftp" OR "config-register 0x2100" OR "config-register 0x2102" OR "config-register 0x2140" OR "config-register 0x2142" OR "tftpdnld")
     | eval indicator_type="BOOT_CONFIG_CHANGE"
     | eval tftp_server=coalesce(mvindex(split(message, "tftp://"), 1), "")
     | eval tftp_server=mvindex(split(tftp_server, " "), 0)
     | eval config_register=case(
         match(message, "config-register 0x2100"), "0x2100_TFTP_BOOT",
         match(message, "config-register 0x2102"), "0x2102_TFTP_BOOT",
         match(message, "config-register 0x2140"), "0x2140_TFTP_BOOT",
         match(message, "config-register 0x2142"), "0x2142_ROMMON_BYPASS",
         true(), "N/A"
       )
     | eval suspicion_score=if(match(message, "boot system tftp"), 3,
         if(match(message, "tftpdnld"), 3,
         if(match(config_register, "0x2142"), 2, 1)))
     | table _time, host, src_ip, message, indicator_type, tftp_server, config_register, suspicion_score]
    [search index=network sourcetype="cisco:ios" earliest=-7d
     ("SYS-5-RELOAD" OR "SYS-5-RESTART" OR "SYS-6-RELOAD" OR "Reload requested" OR "reload in " OR "reload at ")
     | eval indicator_type="RELOAD_EVENT"
     | eval suspicion_score=1
     | table _time, host, src_ip, message, indicator_type, suspicion_score]
    [search index=network (sourcetype="cisco:ios" OR sourcetype=syslog) earliest=-7d
     ("TFTP" OR "tftp://") (".bin" OR ".tar" OR ".pkg" OR ".img" OR "c3750" OR "c2960" OR "c7200" OR "asr" OR "isr" OR "catalyst" OR "nexus")
     | eval indicator_type="TFTP_IMAGE_TRANSFER"
     | eval tftp_server=coalesce(mvindex(split(message, "tftp://"), 1), "")
     | eval tftp_server=mvindex(split(tftp_server, " "), 0)
     | eval suspicion_score=2
     | table _time, host, src_ip, message, indicator_type, tftp_server, suspicion_score]
| stats
    sum(suspicion_score) as total_score,
    values(indicator_type) as indicators,
    values(tftp_server) as tftp_servers,
    values(config_register) as config_registers,
    count as event_count,
    earliest(_time) as first_seen,
    latest(_time) as last_seen
    by host
| where total_score >= 2
| eval risk_level=case(
    total_score >= 5, "CRITICAL",
    total_score >= 3, "HIGH",
    total_score >= 2, "MEDIUM",
    true(), "LOW"
  )
| eval has_tftp_and_reload=if(mvcount(mvfilter(match(indicators, "TFTP_IMAGE_TRANSFER"))) > 0 AND mvcount(mvfilter(match(indicators, "RELOAD_EVENT"))) > 0, 1, 0)
| sort - total_score
| table host, risk_level, total_score, indicators, tftp_servers, config_registers, event_count, first_seen, last_seen, has_tftp_and_reload

critical severity medium confidence

Data Sources

Network Device: Network Device Configuration Network Traffic: Network Traffic Content Cisco IOS Syslog Sysmon Event ID 3 (if TFTP server is Windows-hosted)

Required Sourcetypes

cisco:ios syslog

False Positives

Legitimate network operations teams performing scheduled IOS upgrades via TFTP from authorized network management servers
Password recovery procedures requiring config-register 0x2142 — always validate against change management tickets
Lab or test environment provisioning where TFTP netbooting is intentionally used for device imaging
Automated configuration management platforms pushing boot system commands as part of device hardening baselines
Network device replacement/RMA procedures where a new device is imaged via TFTP before production deployment

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  logsourceid,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  CATEGORYNAME(category) AS event_category,
  "devicehostname",
  "message",
  CASE
    WHEN "message" ILIKE '%boot system tftp%' THEN 'TFTP_BOOT_COMMAND'
    WHEN "message" ILIKE '%config-register 0x2100%' THEN 'TFTP_BOOT_REGISTER'
    WHEN "message" ILIKE '%config-register 0x2102%' THEN 'TFTP_BOOT_REGISTER'
    WHEN "message" ILIKE '%config-register 0x2140%' THEN 'TFTP_BOOT_REGISTER'
    WHEN "message" ILIKE '%config-register 0x2142%' THEN 'ROMMON_BYPASS_REGISTER'
    WHEN "message" ILIKE '%tftpdnld%' THEN 'ROMMON_TFTP_DOWNLOAD'
    WHEN "message" ILIKE '%SYS-5-RELOAD%' OR "message" ILIKE '%SYS-5-RESTART%' THEN 'DEVICE_RELOAD'
    WHEN "message" ILIKE '%tftp://%' THEN 'TFTP_IMAGE_TRANSFER'
    ELSE 'UNKNOWN'
  END AS indicator_type,
  CASE
    WHEN "message" ILIKE '%boot system tftp%' THEN 3
    WHEN "message" ILIKE '%tftpdnld%' THEN 3
    WHEN "message" ILIKE '%config-register 0x2142%' THEN 2
    WHEN "message" ILIKE '%config-register 0x21%' THEN 2
    WHEN "message" ILIKE '%tftp://%' THEN 2
    ELSE 1
  END AS suspicion_score
FROM events
WHERE
  starttime > NOW() - 7 DAYS
  AND LOGSOURCETYPENAME(logsourceid) ILIKE '%Cisco%'
  AND (
    "message" ILIKE '%boot system tftp%'
    OR "message" ILIKE '%config-register 0x2100%'
    OR "message" ILIKE '%config-register 0x2102%'
    OR "message" ILIKE '%config-register 0x2140%'
    OR "message" ILIKE '%config-register 0x2142%'
    OR "message" ILIKE '%tftpdnld%'
    OR "message" ILIKE '%SYS-5-RELOAD%'
    OR "message" ILIKE '%SYS-5-RESTART%'
    OR "message" ILIKE '%SYS-6-RELOAD%'
    OR (
      ("message" ILIKE '%tftp://%' OR "message" ILIKE '%TFTP%')
      AND (
        "message" ILIKE '%.bin%' OR "message" ILIKE '%.tar%'
        OR "message" ILIKE '%.pkg%' OR "message" ILIKE '%.img%'
        OR "message" ILIKE '%c3750%' OR "message" ILIKE '%c2960%'
        OR "message" ILIKE '%c7200%' OR "message" ILIKE '%catalyst%'
        OR "message" ILIKE '%nexus%'
      )
    )
  )
ORDER BY suspicion_score DESC, starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

Cisco IOS syslog log sources in QRadar Network device syslog collectors

Required Tables

events

False Positives

Authorized network OS upgrade projects where engineers configure TFTP boot and reload devices during scheduled maintenance windows
Network lab environments or staging zones where TFTP boot is routinely used for device provisioning and testing
Cisco NSO, DNA Center, or similar automation platforms performing automated image upgrades via TFTP as part of lifecycle management

Sumo Logic CSE

sql

// Part 1: TFTP boot configuration changes and ROMMON manipulation
(_sourceCategory=network/cisco/ios OR _sourceCategory=network/syslog)
| where (%"cisco.ios" or sourceName matches /cisco/i or _collector matches /network/i)
| where message matches /boot system tftp|config-register 0x2100|config-register 0x2102|config-register 0x2140|config-register 0x2142|tftpdnld/i
| parse field=message "tftp://" nodrop
| parse regex field=message "tftp://(?P<tftp_server>[\d\.]+)" nodrop
| eval indicator_type = if(message matches /boot system tftp/i, "TFTP_BOOT_COMMAND",
    if(message matches /config-register 0x2142/i, "ROMMON_BYPASS_REGISTER",
    if(message matches /config-register 0x21/i, "TFTP_BOOT_REGISTER",
    if(message matches /tftpdnld/i, "ROMMON_TFTP_DOWNLOAD", "BOOT_CONFIG"))))
| eval suspicion_score = if(message matches /boot system tftp/i, 3,
    if(message matches /tftpdnld/i, 3,
    if(message matches /config-register 0x2142/i, 2, 1)))
| fields _messageTime, _sourceHost, indicator_type, tftp_server, suspicion_score, message

// Part 2 (run separately): TFTP image transfer events
(_sourceCategory=network/cisco/ios OR _sourceCategory=network/syslog)
| where (message matches /tftp:\/\//i or message matches /TFTP/)
| where (message matches /\.bin|\.tar|\.pkg|\.img|c3750|c2960|c7200|asr|isr|catalyst|nexus/i)
| parse regex field=message "tftp://(?P<tftp_server>[\d\.]+)" nodrop
| eval indicator_type = "TFTP_IMAGE_TRANSFER"
| eval suspicion_score = 2
| fields _messageTime, _sourceHost, indicator_type, tftp_server, suspicion_score, message

// Part 3 (run separately): Reload events — join with above in Sumo CIP or Scheduled Search
(_sourceCategory=network/cisco/ios OR _sourceCategory=network/syslog)
| where message matches /SYS-5-RELOAD|SYS-5-RESTART|SYS-6-RELOAD|Reload requested|reload in |reload at /i
| eval indicator_type = "RELOAD_EVENT"
| eval suspicion_score = 1
| fields _messageTime, _sourceHost, indicator_type, suspicion_score, message

high severity medium confidence

Data Sources

Cisco IOS syslog forwarded to Sumo Logic via syslog collector Network device log sources configured under network/cisco/ios source category

Required Tables

_sourceCategory=network/cisco/ios _sourceCategory=network/syslog

False Positives

Planned network device OS upgrades using TFTP as the transfer mechanism — common in enterprises still relying on TFTP for image distribution
Network device bootstrap provisioning using TFTP (Zero Touch Provisioning or PnP) for new hardware deployment
Security assessment or penetration testing activities specifically targeting network infrastructure with authorization

Google Chronicle / SecOps

yaral

rule tftp_boot_abuse_t1542_005 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects TFTP Boot abuse (T1542.005) — adversaries manipulating network device boot configuration to load malicious OS images via TFTP, potentially combined with device reload to activate the implanted image."
    mitre_attack_tactic = "Defense Evasion, Persistence"
    mitre_attack_technique = "T1542.005"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1542/005/"
    created = "2026-04-20"

  events:
    // Boot system TFTP configuration change event
    $boot_config.metadata.product_name = /[Cc]isco/ nocase
    $boot_config.metadata.event_type = "GENERIC_EVENT"
    (
      $boot_config.metadata.description = /boot system tftp/i or
      $boot_config.metadata.description = /config-register 0x2100/i or
      $boot_config.metadata.description = /config-register 0x2102/i or
      $boot_config.metadata.description = /config-register 0x2140/i or
      $boot_config.metadata.description = /config-register 0x2142/i or
      $boot_config.metadata.description = /tftpdnld/i
    )
    $boot_config.principal.hostname = $device

    // Reload event from same device within 2 hours
    $reload.metadata.product_name = /[Cc]isco/ nocase
    $reload.metadata.event_type = "GENERIC_EVENT"
    (
      $reload.metadata.description = /SYS-5-RELOAD/i or
      $reload.metadata.description = /SYS-5-RESTART/i or
      $reload.metadata.description = /SYS-6-RELOAD/i or
      $reload.metadata.description = /Reload requested/i or
      $reload.metadata.description = /reload in /i
    )
    $reload.principal.hostname = $device

  match:
    $device over 2h

  condition:
    $boot_config and $reload
}

rule tftp_image_transfer_t1542_005 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects TFTP image transfer events referencing Cisco platform firmware file patterns — a precursor or component of TFTP Boot abuse (T1542.005)."
    mitre_attack_tactic = "Defense Evasion, Persistence"
    mitre_attack_technique = "T1542.005"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1542/005/"
    created = "2026-04-20"

  events:
    $tftp_transfer.metadata.product_name = /[Cc]isco/ nocase
    $tftp_transfer.metadata.event_type = "GENERIC_EVENT"
    (
      $tftp_transfer.metadata.description = /tftp:\/\//i or
      $tftp_transfer.metadata.description = /TFTP_SERVER/i or
      $tftp_transfer.metadata.description = /tftpdnld/i
    )
    (
      $tftp_transfer.metadata.description = /\.bin/i or
      $tftp_transfer.metadata.description = /\.tar/i or
      $tftp_transfer.metadata.description = /\.pkg/i or
      $tftp_transfer.metadata.description = /\.img/i or
      $tftp_transfer.metadata.description = /c3750|c2960|c7200|asr|isr|catalyst|nexus/i
    )
    $tftp_transfer.principal.hostname = $device

  match:
    $device over 7d

  condition:
    $tftp_transfer
}

high severity medium confidence

Data Sources

Cisco IOS syslog ingested into Chronicle via forwarder Network device log sources parsed into Chronicle UDM GENERIC_EVENT type

Required Tables

GENERIC_EVENT UDM records from Cisco log sources

False Positives

Authorized firmware upgrade cycles where network engineers configure TFTP boot and immediately reload devices as part of the upgrade procedure
Network device automated provisioning platforms that use TFTP as the image delivery mechanism and trigger reloads as part of the provisioning workflow
TFTP-based disaster recovery tests that simulate ROMMON recovery procedures using TFTP image loading in lab or failover environments

CrowdStrike LogScale (CQL)

cql

// T1542.005 — TFTP Boot: CrowdStrike LogScale detection via Falcon network device telemetry
// NOTE: Falcon does not natively instrument Cisco IOS devices. This query targets:
// (1) Falcon-protected Linux/Windows TFTP servers being accessed by network devices
// (2) Custom syslog ingest pipelines forwarding Cisco IOS logs into LogScale

// Branch 1: Detect TFTP server process activity on Falcon-protected hosts
// (unusual TFTP server startup or unexpected TFTP daemon launch)
(
  #event_simpleName = "ProcessRollup2"
  AND (
    ImageFileName = /tftpd|atftpd|tftp-hpa|tftp-server|tftpboot/i
    OR CommandLine = /tftpd|atftpd|tftp-server|--tftp/i
  )
)
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName])
| rename(field="@timestamp", as="event_time")
| eval indicator_type = "TFTP_SERVER_PROCESS"
| eval suspicion_score = 2

// Branch 2: Detect outbound TFTP (UDP/69) connections from Falcon hosts to network device IPs
// Indicates a host acting as TFTP server for network device firmware delivery
#event_simpleName = "NetworkConnectIP4"
LocalPort = 69 OR RemotePort = 69
| groupBy(
    [ComputerName, LocalIP, RemoteIP],
    function=[
      count(as=connection_count),
      selectLast([LocalPort, RemotePort, @timestamp])
    ]
  )
| eval protocol = "UDP/69_TFTP"
| eval indicator_type = "TFTP_NETWORK_CONNECTION"
| eval suspicion_score = if(connection_count > 10, 3, 2)
| table([ComputerName, LocalIP, RemoteIP, protocol, connection_count, indicator_type, suspicion_score])

// Branch 3: Detect syslog ingest (requires custom Cisco IOS syslog pipeline into LogScale)
// If Cisco IOS syslogs are forwarded into LogScale under a custom repository
#repo = "network-devices"
(
  message = /boot system tftp|config-register 0x2100|config-register 0x2102|config-register 0x2140|config-register 0x2142|tftpdnld/i
  OR (
    message = /tftp:\/\//i
    AND message = /\.bin|\.tar|\.pkg|\.img|c3750|c2960|c7200|catalyst|nexus/i
  )
  OR message = /SYS-5-RELOAD|SYS-5-RESTART|SYS-6-RELOAD|Reload requested/i
)
| eval indicator_type = case(
    message = /boot system tftp/i, "TFTP_BOOT_COMMAND",
    message = /config-register 0x2142/i, "ROMMON_BYPASS_REGISTER",
    message = /config-register 0x21/i, "TFTP_BOOT_REGISTER",
    message = /tftpdnld/i, "ROMMON_TFTP_DOWNLOAD",
    message = /SYS-5-RELOAD|SYS-5-RESTART|SYS-6-RELOAD|Reload requested/i, "DEVICE_RELOAD",
    message = /tftp:\/\//i, "TFTP_IMAGE_TRANSFER",
    *
  )
| eval suspicion_score = case(
    message = /boot system tftp|tftpdnld/i, 3,
    message = /config-register 0x2142/i, 2,
    message = /tftp:\/\//i, 2,
    *,
    1
  )
| groupBy(
    [host, indicator_type],
    function=[
      sum(suspicion_score, as=total_score),
      count(as=event_count),
      selectLast([message])
    ]
  )
| where total_score >= 2
| sort(total_score, order=desc)

high severity low confidence

Data Sources

CrowdStrike Falcon EDR telemetry (ProcessRollup2, NetworkConnectIP4) Cisco IOS syslog forwarded to LogScale custom repository (optional)

Required Tables

ProcessRollup2 NetworkConnectIP4 network-devices repository (custom syslog pipeline)

False Positives

Legitimate TFTP servers on Linux/Windows hosts used by network operations teams for authorized OS image distribution to network devices
Network management servers running tftpd or atftpd as part of approved Cisco DNA Center, network provisioning, or backup tooling
Security lab or staging environments where TFTP boot is routinely used for network device testing and image validation prior to production deployment

Last updated: 2026-04-20 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1542.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1542Pre-OS Boot

Related Sub-techniques

T1542.001System Firmware T1542.002Component Firmware T1542.003Bootkit T1542.004ROMMONkit

TFTP Boot

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections