Detect TFTP Boot in CrowdStrike LogScale
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with Modify System Image to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality.
MITRE ATT&CK
- Tactic: Defense Evasion, Persistence
- Technique: T1542 Pre-OS Boot
- Sub-technique: T1542.005 TFTP Boot
- Canonical reference: https://attack.mitre.org/techniques/T1542/005/
LogScale Detection Query
// T1542.005 TFTP Boot: CrowdStrike LogScale detection via Falcon and network device telemetry
// NOTE: Falcon does not natively instrument Cisco IOS devices. The three branches below are
// separate LogScale queries (each ends in its own aggregation) and target:
// (1) Falcon-protected Linux/Windows TFTP servers being accessed by network devices
// (2) Custom syslog ingest pipelines forwarding Cisco IOS logs into LogScale

// Branch 1: TFTP server process activity on Falcon-protected hosts
// (unusual TFTP server startup or unexpected TFTP daemon launch)
#event_simpleName="ProcessRollup2"
| ImageFileName=/tftpd|atftpd|tftp-hpa|tftp-server|tftpboot/i OR CommandLine=/tftpd|atftpd|tftp-server|--tftp/i
| indicator_type := "TFTP_SERVER_PROCESS"
| suspicion_score := 2
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, indicator_type, suspicion_score])
| rename(field="@timestamp", as="event_time")

// Branch 2: TFTP (UDP/69) connections between Falcon-protected hosts and network device IPs
// Indicates a host acting as TFTP server for network device firmware delivery
// Falcon NetworkConnectIP4 events carry the endpoints as LocalAddressIP4 / RemoteAddressIP4
#event_simpleName="NetworkConnectIP4"
| LocalPort=69 OR RemotePort=69
| groupBy([ComputerName, LocalAddressIP4, RemoteAddressIP4],
    function=[count(as=connection_count), selectLast([LocalPort, RemotePort, @timestamp])])
| protocol := "UDP/69_TFTP"
| indicator_type := "TFTP_NETWORK_CONNECTION"
| suspicion_score := if(connection_count > 10, then=3, else=2)
| table([ComputerName, LocalAddressIP4, RemoteAddressIP4, protocol, connection_count, indicator_type, suspicion_score])

// Branch 3: Cisco IOS syslog indicators (requires a custom Cisco IOS syslog pipeline into LogScale)
// Assumes the forwarded logs land in a repository named "network-devices", with the device name in the host field
#repo="network-devices"
| message=/boot system tftp|config-register 0x2100|config-register 0x2102|config-register 0x2140|config-register 0x2142|tftpdnld/i
  OR (message=/tftp:\/\//i AND message=/\.bin|\.tar|\.pkg|\.img|c3750|c2960|c7200|catalyst|nexus/i)
  OR message=/SYS-5-RELOAD|SYS-5-RESTART|SYS-6-RELOAD|Reload requested/i
// Classify each event; the first matching alternative wins, * is the catch-all
| case {
    message=/boot system tftp/i | indicator_type := "TFTP_BOOT_COMMAND";
    message=/config-register 0x2142/i | indicator_type := "ROMMON_BYPASS_REGISTER";
    message=/config-register 0x21/i | indicator_type := "TFTP_BOOT_REGISTER";
    message=/tftpdnld/i | indicator_type := "ROMMON_TFTP_DOWNLOAD";
    message=/SYS-5-RELOAD|SYS-5-RESTART|SYS-6-RELOAD|Reload requested/i | indicator_type := "DEVICE_RELOAD";
    message=/tftp:\/\//i | indicator_type := "TFTP_IMAGE_TRANSFER";
    *
  }
// Weight each event; boot-from-TFTP commands score highest, everything else defaults to 1
| case {
    message=/boot system tftp|tftpdnld/i | suspicion_score := 3;
    message=/config-register 0x2142/i | suspicion_score := 2;
    message=/tftp:\/\//i | suspicion_score := 2;
    * | suspicion_score := 1
  }
| groupBy([host, indicator_type],
    function=[sum(suspicion_score, as=total_score), count(as=event_count), selectLast([message])])
| total_score >= 2
| sort(total_score, order=desc)

Detects TFTP Boot abuse (T1542.005) in CrowdStrike LogScale across three branches: (1) TFTP daemon process launches on Falcon-protected endpoints that may be serving as TFTP servers for network devices, (2) UDP/69 TFTP network connections from Falcon-protected hosts indicating active firmware serving, and (3) Cisco IOS syslog indicators ingested into a custom LogScale repository, covering boot system TFTP commands, ROMMON register manipulation, TFTP image transfers, and device reload events.
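The Branch 3 classification and scoring, re-implemented in Python as an added example (not the page's LogScale query or any vendor code) so it can be exercised offline against constructed Cisco IOS-style syslog lines; the hostnames, IP addresses (RFC 5737 range) and messages are made up for the demonstration:

```python
import re
# Added example (not the page's query): Branch 3 of the detection re-implemented in Python
# over constructed Cisco IOS-style syslog lines; hostnames and IPs (RFC 5737 range) are made up.
IMAGE_RE = r"\.bin|\.tar|\.pkg|\.img|c3750|c2960|c7200|catalyst|nexus"
BOOT_RE = r"boot system tftp|config-register 0x21(00|02|40|42)|tftpdnld"
RELOAD_RE = r"SYS-5-RELOAD|SYS-5-RESTART|SYS-6-RELOAD|Reload requested"
# First match wins, like a LogScale case {} block (indicator type first, then score).
INDICATOR_RULES = [(r"boot system tftp", "TFTP_BOOT_COMMAND"),
                   (r"config-register 0x2142", "ROMMON_BYPASS_REGISTER"),
                   (r"config-register 0x21", "TFTP_BOOT_REGISTER"),
                   (r"tftpdnld", "ROMMON_TFTP_DOWNLOAD"),
                   (RELOAD_RE, "DEVICE_RELOAD"),
                   (r"tftp://", "TFTP_IMAGE_TRANSFER")]
SCORE_RULES = [(r"boot system tftp|tftpdnld", 3), (r"config-register 0x2142", 2), (r"tftp://", 2)]

def hit(pattern, msg):
    return re.search(pattern, msg, re.I) is not None

def in_scope(msg):
    """The Branch 3 search filter: only these syslog lines enter the pipeline at all."""
    return hit(BOOT_RE, msg) or (hit(r"tftp://", msg) and hit(IMAGE_RE, msg)) or hit(RELOAD_RE, msg)

def first_match(rules, msg, default):
    return next((value for pattern, value in rules if hit(pattern, msg)), default)

def classify(msg):  # every in-scope line matches one of the rules, so None never occurs
    return first_match(INDICATOR_RULES, msg, None)
def score(msg):  # the query's case default is 1
    return first_match(SCORE_RULES, msg, 1)

def score_hosts(events, threshold=2):
    """groupBy([host, indicator_type]): sum(score), count, selectLast(message); keep total >= threshold."""
    agg = {}
    for host, msg in events:
        if not in_scope(msg):
            continue
        key = (host, classify(msg))
        total, n, _ = agg.get(key, (0, 0, None))
        agg[key] = (total + score(msg), n + 1, msg)
    rows = [(h, ind, tot, n, last) for (h, ind), (tot, n, last) in agg.items() if tot >= threshold]
    return sorted(rows, key=lambda r: r[2], reverse=True)  # sort(total_score, order=desc)

SAMPLE_EVENTS = [  # (host, message): constructed, loosely modelled on Cisco IOS syslog text
    ("core-sw1", "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.50)"),
    ("core-sw1", "boot system tftp://192.0.2.10/c3750e-universalk9-mz.152-4.E10.bin"),
    ("core-sw1", "config-register 0x2142"),
    ("core-sw1", "%SYS-5-RELOAD: Reload requested by admin on vty0 (192.0.2.50)"),
    ("core-sw1", "%SYS-5-RESTART: System restarted --"),
    ("edge-rtr2", "%SYS-5-RESTART: System restarted --"),
]
```

Running `score_hosts(SAMPLE_EVENTS)` returns three rows for core-sw1 (the boot command at 3, the bypass register at 2, and two reload events summing to 2) while the lone restart on edge-rtr2 stays below the threshold, which is the accumulation behaviour the groupBy in the query relies on.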
Data Sources
Required Tables
False Positives & Tuning
- Legitimate TFTP servers on Linux/Windows hosts used by network operations teams for authorized OS image distribution to network devices
- Network management servers running tftpd or atftpd as part of approved Cisco DNA Center, network provisioning, or backup tooling
- Security lab or staging environments where TFTP boot is routinely used for network device testing and image validation prior to production deployment
Testing Methodology
Validate this detection against the 4 Atomic Red Team test cases for this sub-technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Enumerate Current Boot System Configuration on Cisco IOS Device
Expected signal: TACACS+/RADIUS authentication log entry for the SSH login from the test source IP to the device management IP. Cisco IOS syslog SYS-5-CONFIG_I is NOT generated for show commands. AAA accounting records (if enabled) will show 'show version', 'show bootvar', 'show running-config' commands. In Sentinel: Syslog table entries for the authentication event from the device. In Splunk: cisco:ios sourcetype entries for the AAA events.
- Test 2: Add TFTP Boot System Command to Cisco IOS Configuration
Expected signal: Cisco IOS syslog event SYS-5-CONFIG_I: 'Configured from console by <user> on <interface>' — generated when running config is modified. The syslog message includes 'boot system tftp' and 'config-register 0x2100' in the config change context. TACACS+ accounting records will show the 'boot system tftp' and 'config-register' commands if command accounting is enabled. In Sentinel: Syslog table entries matching 'boot system tftp' and 'config-register 0x2100'. In Splunk: cisco:ios sourcetype entries triggering the BOOT_CONFIG_CHANGE indicator.
- Test 3: Simulate TFTP Image Transfer to Network Device Management IP
Expected signal: Network flow data: UDP/69 traffic from the test source IP to <TFTP_SERVER_IP> with byte count matching the file size. Firewall logs: connection entries for UDP/69. If the TFTP server forwards to syslog: TFTPD transfer completion messages including filename 'c3750e-universalk9-mz.152-4.E10.bin'. In Sentinel: CommonSecurityLog entries for the TFTP connection if firewall forwards to Sentinel. In Splunk: network sourcetype entries for the UDP/69 flows triggering the TFTP_IMAGE_TRANSFER indicator.
- Test 4: Trigger Device Reload After TFTP Configuration (Highest-Fidelity Composite Test)
Expected signal: Cisco IOS syslog: SYS-5-CONFIG_I for the boot system/config-register changes, followed by SYS-5-RELOAD 'Reload requested by <user>' and SYS-5-RELOAD 'Reload scheduled in 5 minutes'. After reload: SYS-5-RESTART 'System restarted'. In Sentinel: Syslog table captures all events; the CorrelatedEvents subquery in the KQL detection fires because TFTPTransferEvents (boot system tftp) and ReloadEvents (SYS-5-RELOAD) appear within 120 minutes on the same device. In Splunk: has_tftp_and_reload=1 because both BOOT_CONFIG_CHANGE and RELOAD_EVENT indicator types appear for the same host within the transaction maxspan.
References (10)
- https://attack.mitre.org/techniques/T1542/005/
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- https://tools.cisco.com/security/center/resources/integrity_assurance.html#35
- https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
- https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
- https://tools.cisco.com/security/center/resources/integrity_assurance.html#23
- https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-xe-3se-3850-cr-book/sec-s1-xe-3se-3850-cr-book_chapter_010.html
- https://www.cisco.com/c/en/us/products/security/ios-trustworthy-systems.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1542.005/T1542.005.md