T1542.005 Microsoft Sentinel · KQL

Detect TFTP Boot in Microsoft Sentinel

Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with Modify System Image to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality.

MITRE ATT&CK

Tactic: Defense Evasion, Persistence
Technique: T1542 Pre-OS Boot
Sub-technique: T1542.005 TFTP Boot
Canonical reference: https://attack.mitre.org/techniques/T1542/005/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// T1542.005 - TFTP Boot detection across Cisco IOS syslog and network TFTP telemetry
// Requires Cisco IOS syslog forwarding to Microsoft Sentinel (Syslog table) and network flow/TFTP visibility
let TFTPBootWindow = 2h;                  // maximum gap between a TFTP transfer and a reload on the same device
let SuspiciousTFTPSources = dynamic([]);  // optional: known-bad TFTP server IPs to flag explicitly
// Part 1: Detect boot system TFTP configuration changes in device syslog
let BootSystemChanges = Syslog
| where TimeGenerated > ago(7d)
| where Facility in~ ("local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7")
// has_any is case-insensitive, so one spelling of each term is enough
| where SyslogMessage has_any ("boot system tftp", "boot system flash tftp", "config-register 0x2100", "config-register 0x2102", "config-register 0x2140", "config-register 0x2142")
| extend DeviceIP = HostIP
| extend ChangeType = case(
    SyslogMessage has "boot system tftp", "TFTP_BOOT_COMMAND",
    SyslogMessage has "config-register 0x2100", "TFTP_BOOT_REGISTER",
    SyslogMessage has "config-register 0x2102", "TFTP_BOOT_REGISTER",
    SyslogMessage has "config-register 0x2140", "TFTP_BOOT_REGISTER",
    SyslogMessage has "config-register 0x2142", "ROMMON_BYPASS_REGISTER",
    "UNKNOWN"
  )
| project TimeGenerated, DeviceIP, Computer, Facility, SeverityLevel, SyslogMessage, ChangeType;
// Part 2: Detect TFTP transfer events to/from network devices in syslog
let TFTPTransferEvents = Syslog
| where TimeGenerated > ago(7d)
| where SyslogMessage has_any ("TFTP_SERVER", "tftp://", "Loading ", "tftpdnld", "TFTPD", "tftp-server", "TFTP: sent", "TFTP: received")
| where SyslogMessage has_any (".bin", ".tar", ".pkg", ".img", ".iso", "c3750", "c2960", "c7200", "asr", "isr", "catalyst")
| extend DeviceIP = HostIP
// Server IP is only recoverable when the message carries a tftp:// URL; otherwise TFTPServer is empty
| extend TFTPServer = extract(@"tftp://([0-9\.]+)", 1, SyslogMessage)
| extend KnownBadServer = set_has_element(SuspiciousTFTPSources, TFTPServer)
| project TimeGenerated, DeviceIP, Computer, SyslogMessage, TFTPServer, KnownBadServer;
// Part 3: Detect reload/reload-in events close to TFTP activity
let ReloadEvents = Syslog
| where TimeGenerated > ago(7d)
| where SyslogMessage has_any ("SYS-5-RELOAD", "SYS-5-RESTART", "Reload requested", "reload in", "reload at", "SYS-6-RELOAD")
| extend DeviceIP = HostIP
| project ReloadTime = TimeGenerated, DeviceIP, ReloadMessage = SyslogMessage;
// Part 4: Correlate TFTP transfers with reload events on the same device within TFTPBootWindow
let CorrelatedEvents = TFTPTransferEvents
| join kind=inner (
    ReloadEvents
  ) on DeviceIP
| where abs(TimeGenerated - ReloadTime) <= TFTPBootWindow
| extend TimeDeltaMinutes = datetime_diff('minute', ReloadTime, TimeGenerated)
| project TimeGenerated, ReloadTime, DeviceIP, Computer, SyslogMessage, ReloadMessage, TFTPServer, KnownBadServer, TimeDeltaMinutes;
// Union all suspicious indicators
union kind=outer BootSystemChanges, CorrelatedEvents
| sort by TimeGenerated desc
```

Severity: critical · Confidence: medium

Detects TFTP Boot (T1542.005) by monitoring Cisco IOS syslog messages forwarded to Microsoft Sentinel. The detection has four components: (1) boot system TFTP configuration commands added to the device config, (2) configuration register values associated with TFTP netbooting (0x2100, 0x2102, 0x2140), (3) TFTP transfer events involving IOS image file extensions and naming conventions, and (4) correlation of a TFTP transfer and a device reload on the same device within a 2-hour window, which is the highest-fidelity composite indicator. Requires Cisco IOS syslog forwarding to the Sentinel Syslog table using facilities local0 through local7.

Data Sources

  • Network Device: Network Device Configuration
  • Network Traffic: Network Traffic Content
  • Network Traffic: Network Traffic Flow
  • Cisco IOS Syslog

Required Tables

  • Syslog
  • CommonSecurityLog

False Positives & Tuning

  • Legitimate network operations teams performing scheduled IOS upgrades via TFTP from authorized network management servers (e.g., Cisco Prime, SolarWinds NCM)
  • Password recovery procedures — IOS password recovery requires setting config-register to 0x2142 (ROMMON bypass) which overlaps with TFTP boot register values
  • Lab or test environment provisioning where TFTP netbooting is intentionally used for device imaging
  • Automated configuration management platforms (Cisco NSO, Ansible) that push boot system commands as part of standardized device hardening baselines
  • Network device replacement/RMA procedures where a new device is imaged via TFTP before being deployed into production
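To see the four indicator classes and the transfer-to-reload correlation from the KQL query above behave on concrete log lines, and to show how the authorized-server allowlist suggested by the tuning list reduces noise without dropping the event, the following Python script replays the same logic offline. It is an added example, not code from the original page or from Microsoft; the syslog lines, device IPs and the authorized server 10.0.0.50 are constructed, and Python substring matching stands in for KQL's term-based `has`.

```python
"""Offline model of the T1542.005 KQL detection: boot-system config changes, TFTP image
transfers, reloads, and transfer-to-reload correlation within a 2-hour window, plus an
authorized-TFTP-server allowlist for tuning. Added example, not the page's own code."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

TFTP_BOOT_WINDOW = timedelta(hours=2)      # same window as the query (TFTPBootWindow = 2h)
AUTHORIZED_TFTP_SERVERS = {"10.0.0.50"}    # constructed placeholder for NMS/NCM servers

# Match terms mirror the has_any() lists in the query; matching is case-insensitive.
BOOT_TERMS = ("boot system tftp", "boot system flash tftp", "config-register 0x2100",
              "config-register 0x2102", "config-register 0x2140", "config-register 0x2142")
TRANSFER_TERMS = ("tftp_server", "tftp://", "loading ", "tftpdnld", "tftpd",
                  "tftp-server", "tftp: sent", "tftp: received")
IMAGE_TERMS = (".bin", ".tar", ".pkg", ".img", ".iso", "c3750", "c2960", "c7200",
               "asr", "isr", "catalyst")
RELOAD_TERMS = ("sys-5-reload", "sys-5-restart", "reload requested", "reload in",
                "reload at", "sys-6-reload")


@dataclass
class SyslogEvent:
    time: datetime
    device_ip: str   # HostIP in the Sentinel Syslog table
    message: str     # SyslogMessage


def classify_boot_change(message):
    """Same precedence as the case() expression in the query."""
    m = message.lower()
    if "boot system tftp" in m:
        return "TFTP_BOOT_COMMAND"
    if any(f"config-register {r}" in m for r in ("0x2100", "0x2102", "0x2140")):
        return "TFTP_BOOT_REGISTER"
    if "config-register 0x2142" in m:
        return "ROMMON_BYPASS_REGISTER"
    return "UNKNOWN"


def detect(events, window=TFTP_BOOT_WINDOW, authorized=AUTHORIZED_TFTP_SERVERS):
    boot_changes, transfers, reloads = [], [], []
    for ev in events:
        m = ev.message.lower()
        if any(t in m for t in BOOT_TERMS):
            boot_changes.append({"time": ev.time, "device": ev.device_ip,
                                 "type": classify_boot_change(ev.message)})
        if any(t in m for t in TRANSFER_TERMS) and any(t in m for t in IMAGE_TERMS):
            # Server IP is only recoverable from a tftp:// URL, as with extract() in KQL;
            # an IOS "Loading x from 198.51.100.7" line without the scheme leaves it None.
            srv = re.search(r"tftp://([0-9.]+)", ev.message)
            transfers.append({"time": ev.time, "device": ev.device_ip,
                              "server": srv.group(1) if srv else None})
        if any(t in m for t in RELOAD_TERMS):
            reloads.append({"time": ev.time, "device": ev.device_ip})
    correlated = []
    for tr in transfers:
        for rl in reloads:
            if rl["device"] != tr["device"] or abs(rl["time"] - tr["time"]) > window:
                continue
            delta = int((rl["time"] - tr["time"]).total_seconds() // 60)
            correlated.append({"time": tr["time"], "device": tr["device"],
                               "server": tr["server"], "delta_minutes": delta,
                               # Tuning: a known management server is flagged, not dropped,
                               # so the analyst still sees it but can deprioritise it.
                               "authorized_server": tr["server"] in authorized})
    return {"boot_changes": boot_changes, "correlated": correlated}


def alerts(events):
    """Union of both indicator classes, newest first, like the final union/sort in KQL."""
    r = detect(events)
    rows = [dict(b, kind="BOOT_CONFIG") for b in r["boot_changes"]]
    rows += [dict(c, kind="TFTP_THEN_RELOAD") for c in r["correlated"]]
    return sorted(rows, key=lambda x: x["time"], reverse=True)


# Constructed sample telemetry (not real device output). Device 10.1.1.1 is the composite
# case; 10.1.1.2 pulled its image from the authorized server; 10.1.1.3 reloaded 4.5 h later.
SAMPLE_EVENTS = [SyslogEvent(datetime.fromisoformat(t), ip, msg) for t, ip, msg in [
    ("2024-01-01T10:00:00", "10.1.1.1", "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)"),
    ("2024-01-01T10:01:00", "10.1.1.1", "boot system tftp c3750e-universalk9-mz.152-4.E10.bin 198.51.100.7"),
    ("2024-01-01T10:02:00", "10.1.1.1", "config-register 0x2100"),
    ("2024-01-01T10:05:00", "10.1.1.1", "Loading c3750e-universalk9-mz.152-4.E10.bin from tftp://198.51.100.7 via Vlan1: !!!!"),
    ("2024-01-01T10:20:00", "10.1.1.1", "%SYS-5-RELOAD: Reload requested by admin on vty0 (192.0.2.10). Reload reason: image upgrade"),
    ("2024-01-01T02:00:00", "10.1.1.2", "Loading c2960-lanbasek9-mz.bin from tftp://10.0.0.50 via Vlan1"),
    ("2024-01-01T03:00:00", "10.1.1.2", "%SYS-5-RELOAD: Reload requested by netops"),
    ("2024-01-01T08:00:00", "10.1.1.3", "Loading c2960-lanbasek9-mz.bin from tftp://203.0.113.9"),
    ("2024-01-01T12:30:00", "10.1.1.3", "%SYS-5-RESTART: System restarted"),
]]

if __name__ == "__main__":
    for row in alerts(SAMPLE_EVENTS):
        print(row)
```

Running the script yields two boot-config rows for 10.1.1.1 and two correlated rows: 10.1.1.1 (unauthorized server, 15 minutes between transfer and reload) and 10.1.1.2 (authorized server, 60 minutes), while 10.1.1.3 falls outside the window. Note that the `boot system tftp` line on its own is a boot-config change, not a transfer event, so the composite row only appears once a transfer message is actually logged.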

Testing Methodology

Validate this detection against the four adversary tests from Atomic Red Team listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Enumerate Current Boot System Configuration on Cisco IOS Device

    Expected signal: TACACS+/RADIUS authentication log entry for the SSH login from the test source IP to the device management IP. Cisco IOS syslog SYS-5-CONFIG_I is NOT generated for show commands. AAA accounting records (if enabled) will show 'show version', 'show bootvar', 'show running-config' commands. In Sentinel: Syslog table entries for the authentication event from the device. In Splunk: cisco:ios sourcetype entries for the AAA events.

  2. Test 2: Add TFTP Boot System Command to Cisco IOS Configuration

    Expected signal: Cisco IOS syslog event SYS-5-CONFIG_I: 'Configured from console by <user> on <interface>' — generated when running config is modified. The syslog message includes 'boot system tftp' and 'config-register 0x2100' in the config change context. TACACS+ accounting records will show the 'boot system tftp' and 'config-register' commands if command accounting is enabled. In Sentinel: Syslog table entries matching 'boot system tftp' and 'config-register 0x2100'. In Splunk: cisco:ios sourcetype entries triggering the BOOT_CONFIG_CHANGE indicator.

  3. Test 3: Simulate TFTP Image Transfer to Network Device Management IP

    Expected signal: Network flow data: UDP/69 traffic from the test source IP to <TFTP_SERVER_IP> with byte count matching the file size. Firewall logs: connection entries for UDP/69. If the TFTP server forwards to syslog: TFTPD transfer completion messages including filename 'c3750e-universalk9-mz.152-4.E10.bin'. In Sentinel: CommonSecurityLog entries for the TFTP connection if firewall forwards to Sentinel. In Splunk: network sourcetype entries for the UDP/69 flows triggering the TFTP_IMAGE_TRANSFER indicator.

  4. Test 4: Trigger Device Reload After TFTP Configuration (Highest-Fidelity Composite Test)

    Expected signal: Cisco IOS syslog: SYS-5-CONFIG_I for the boot system/config-register changes, followed by SYS-5-RELOAD 'Reload requested by <user>' and SYS-5-RELOAD 'Reload scheduled in 5 minutes'. After reload: SYS-5-RESTART 'System restarted'. In Sentinel: Syslog table captures all events; the CorrelatedEvents subquery in the KQL detection fires because TFTPTransferEvents (boot system tftp) and ReloadEvents (SYS-5-RELOAD) appear within 120 minutes on the same device. In Splunk: has_tftp_and_reload=1 because both BOOT_CONFIG_CHANGE and RELOAD_EVENT indicator types appear for the same host within the transaction maxspan.
