T1601 Modify System Image Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let NetworkDeviceImageKeywords = dynamic(["copy tftp", "copy ftp", "copy scp", "copy flash", "copy bootflash", "archive tar", "boot system flash", "boot system tftp", "verify /md5", "upgrade fpd", "install add file", "install activate", "request system software", "issu changeversion", "image upgrade"]);
let SyslogImageEvents = Syslog
| where Facility == "local7" or Facility == "local6" or SyslogMessage has_any ("FILESYS", "SYS-6-BOOTTIME", "SYS-5-RELOAD", "IMAGE", "INSTALL", "IOS_RESILIENCE")
| where SyslogMessage has_any ("copy", "upgrade", "install", "boot", "flash", "tftp", "verify", "archive")
| extend DeviceVendor = extract(@"^(\S+)", 1, Computer)
| project TimeGenerated, Computer, HostName, HostIP, SyslogMessage, ProcessName, Severity, Facility;
let CefImageEvents = CommonSecurityLog
| where DeviceVendor in~ ("Cisco", "Juniper", "Palo Alto Networks", "Fortinet", "F5", "Arista", "HPE", "Huawei")
| where Activity has_any ("image", "upgrade", "install", "copy", "boot", "firmware", "flash", "reload")
  or Message has_any (NetworkDeviceImageKeywords)
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceVersion, Activity, Message, SourceIP, DestinationIP, DestinationPort, SourceUserName, ExternalID;
let TftpTransfers = DeviceNetworkEvents
| where RemotePort == 69 or InitiatingProcessCommandLine has "tftp"
| where InitiatingProcessCommandLine has_any (".bin", ".img", ".tar", ".pkg", ".spa", ".vm", ".swx")
| extend SuspiciousImageTransfer = iff(InitiatingProcessCommandLine has_any ("tftp", "scp", "ftp") and InitiatingProcessCommandLine has_any (".bin", ".img", ".tar", ".pkg"), true, false)
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, RemoteIP, RemotePort, SuspiciousImageTransfer, InitiatingProcessAccountName;
let ManagementHostActivity = DeviceProcessEvents
| where ProcessCommandLine has_any ("copy tftp:", "copy scp:", "copy ftp:", "send-image", "tftpd", "cisco-image", "ios-image", "nxos", "junos-upgrade")
  or FileName has_any ("tftp", "tftpd", "tftpboot")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, ParentProcessName;
union kind=outer isfuzzy=true SyslogImageEvents, CefImageEvents, TftpTransfers, ManagementHostActivity
| extend AlertSeverity = case(
    isnotempty(SuspiciousImageTransfer) and SuspiciousImageTransfer == true, "High",
    SyslogMessage has_any ("SYS-5-RELOAD", "SYS-6-BOOTTIME", "IOS_RESILIENCE-3"), "High",
    Activity has_any ("firmware", "upgrade", "install") or Message has_any ("boot system", "install add"), "Medium",
    "Low"
)
| where AlertSeverity != "Low"
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Sentinel Syslog Microsoft Defender for Endpoint Common Event Format (CEF) Connector

Required Tables

Syslog CommonSecurityLog DeviceNetworkEvents DeviceProcessEvents

False Positives

Authorized network engineers performing scheduled firmware upgrades during maintenance windows via TFTP/SCP
Network management platforms (Cisco Prime, SolarWinds, Ansible AWX) performing automated image distribution and version compliance enforcement
Legitimate disaster recovery operations restoring a known-good baseline image after hardware failure
Vendor-assisted software update procedures conducted by authorized third-party contractors with change tickets

Splunk

spl

index=network_devices OR index=syslog OR index=cisco_ios
(sourcetype="syslog" OR sourcetype="cisco:ios" OR sourcetype="cisco:asa" OR sourcetype="cisco:nxos" OR sourcetype="juniper:junos" OR sourcetype="fortinet:fortigate" OR sourcetype="paloalto:firewall")
| eval raw_lower=lower(_raw)
| search raw_lower IN ("*copy tftp*", "*copy ftp*", "*copy scp*", "*boot system flash*", "*boot system tftp*", "*install add file*", "*install activate*", "*upgrade fpd*", "*request system software*", "*issu changeversion*", "*ios_resilience*", "*sys-5-reload*", "*sys-6-boottime*", "*verify /md5*", "*archive tar*", "*image download*", "*firmware upgrade*", "*.bin*", "*bootflash*")
| rex field=_raw "(?i)(copy|install|upgrade|boot\s+system|verify)\s+(?<ImageOperation>[^\s]+(?:\s+[^\s]+)?)" 
| rex field=_raw "(?i)(?<ImageFile>[\w\-\.]+\.(?:bin|img|tar|pkg|spa|vm|swx|vmdk))" 
| rex field=host "(?<DeviceIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| eval DeviceIdentifier=coalesce(host, src_ip, DeviceIP, "unknown")
| eval OperationRisk=case(
    match(raw_lower, "sys-5-reload|sys-6-boottime|ios_resilience-3|verify.*md5"), "HIGH",
    match(raw_lower, "install activate|issu changeversion|request system software"), "HIGH",
    match(raw_lower, "copy tftp|copy scp|copy ftp") AND match(raw_lower, "\.bin|\.img|\.tar|\.pkg"), "HIGH",
    match(raw_lower, "boot system flash|boot system tftp"), "MEDIUM",
    match(raw_lower, "upgrade fpd|firmware upgrade|image download"), "MEDIUM",
    true(), "LOW"
)
| where OperationRisk IN ("HIGH", "MEDIUM")
| eval EventTime=strftime(_time, "%Y-%m-%d %H:%M:%S")
| stats count AS EventCount, 
        values(ImageOperation) AS Operations, 
        values(ImageFile) AS ImageFiles, 
        values(OperationRisk) AS RiskLevels,
        earliest(_time) AS FirstSeen, 
        latest(_time) AS LastSeen 
        BY DeviceIdentifier, sourcetype
| eval DurationMinutes=round((LastSeen - FirstSeen) / 60, 2)
| eval RiskScore=case(
    mvcount(ImageFiles) > 1, 90,
    mvfind(RiskLevels, "HIGH") >= 0, 75,
    true(), 50
)
| where RiskScore >= 50
| sort - RiskScore
| table DeviceIdentifier, sourcetype, EventCount, Operations, ImageFiles, RiskLevels, RiskScore, DurationMinutes, FirstSeen, LastSeen

high severity medium confidence

Data Sources

Network Device Syslog Cisco IOS Syslog Juniper JunOS Syslog Fortinet FortiGate Logs

Required Sourcetypes

syslog cisco:ios cisco:nxos juniper:junos fortinet:fortigate paloalto:firewall

False Positives

Scheduled maintenance window image upgrades performed by authorized network operations center (NOC) personnel
Automated network compliance tools (Cisco DNA Center, NetBrain, Ansible) enforcing approved image versions
Vendor-initiated upgrade procedures following published EOL/EOS advisories with change management approval
Disaster recovery restoration of known-good images following hardware replacement

Elastic Security (EQL)

eql

any where event.dataset in ("system.syslog", "cisco.ios") and message : ("copy tftp*" or "copy ftp*" or "copy scp*" or "boot system flash*" or "boot system tftp*" or "install add file*" or "install activate*" or "INTEGRITY_FAILED*" or "SIGNATURE_FAILED*" or "FLASH-5-SIGNIFICANT_FLASH*")

high severity medium confidence

Data Sources

Elastic Agent System integration Cisco IOS integration

Required Tables

logs-system.syslog-* logs-cisco.ios-*

False Positives

Authorized network engineers performing scheduled firmware upgrades during maintenance windows via TFTP/SCP
Network management platforms (Cisco Prime, SolarWinds, Ansible AWX) performing automated image distribution and version compliance enforcement
Legitimate disaster recovery operations restoring a known-good baseline image after hardware failure
Vendor-assisted software update procedures conducted by authorized third-party contractors with change tickets

IBM QRadar (AQL)

sql

SELECT UTF8(payload) as "Message", devicetime as "EventTime", sourceip as "SourceIP", hostname as "DeviceName", CASE WHEN UTF8(payload) ILIKE '%INTEGRITY_FAILED%' OR UTF8(payload) ILIKE '%SIGNATURE_FAILED%' THEN 100 WHEN UTF8(payload) ILIKE '%copy tftp%' AND (UTF8(payload) ILIKE '%flash:%' OR UTF8(payload) ILIKE '%bootflash:%') THEN 80 WHEN UTF8(payload) ILIKE '%boot system%' AND (UTF8(payload) ILIKE '%.bin%' OR UTF8(payload) ILIKE '%.pkg%') THEN 75 WHEN UTF8(payload) ILIKE '%install activate%' OR UTF8(payload) ILIKE '%install add file%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Cisco IOS', 'Cisco IOS XE', 'Juniper Networks Junos') AND (UTF8(payload) ILIKE '%copy tftp%' OR UTF8(payload) ILIKE '%copy scp%' OR UTF8(payload) ILIKE '%copy ftp%' OR UTF8(payload) ILIKE '%boot system flash%' OR UTF8(payload) ILIKE '%install activate%' OR UTF8(payload) ILIKE '%INTEGRITY_FAILED%' OR UTF8(payload) ILIKE '%SIGNATURE_FAILED%' OR UTF8(payload) ILIKE '%FLASH-5-SIGNIFICANT_FLASH%') ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Network Device Syslog Cisco IOS Juniper JunOS

Required Tables

events

False Positives

Authorized network engineers performing scheduled firmware upgrades during maintenance windows via TFTP/SCP
Network management platforms (Cisco Prime, SolarWinds, Ansible AWX) performing automated image distribution and version compliance enforcement
Legitimate disaster recovery operations restoring a known-good baseline image after hardware failure
Vendor-assisted software update procedures conducted by authorized third-party contractors with change tickets

Sumo Logic CSE

sql

_sourceCategory=network/cisco/ios OR _sourceCategory=network/devices/syslog | where _raw matches "*copy tftp*" or _raw matches "*copy scp*" or _raw matches "*copy ftp*" or _raw matches "*boot system flash*" or _raw matches "*install activate*" or _raw matches "*INTEGRITY_FAILED*" or _raw matches "*SIGNATURE_FAILED*" or _raw matches "*FLASH-5-SIGNIFICANT_FLASH*" | if(matches(_raw, "*INTEGRITY_FAILED*") or matches(_raw, "*SIGNATURE_FAILED*"), "Critical", if(matches(_raw, "*copy tftp*") or matches(_raw, "*copy scp*"), "High", "Medium")) as RiskLevel | count by _sourceHost, RiskLevel | sort by _count desc

high severity medium confidence

Data Sources

Cisco IOS Syslog Network Device Syslog

Required Tables

network/cisco/ios network/devices/syslog

False Positives

Authorized network engineers performing scheduled firmware upgrades during maintenance windows via TFTP/SCP
Network management platforms (Cisco Prime, SolarWinds, Ansible AWX) performing automated image distribution and version compliance enforcement
Legitimate disaster recovery operations restoring a known-good baseline image after hardware failure
Vendor-assisted software update procedures conducted by authorized third-party contractors with change tickets

Google Chronicle / SecOps

yaral

rule detect_system_image_modification {
  meta:
    author = "Argus"
    description = "Detects network device OS image modification attempts"
    severity = "CRITICAL"
    technique = "T1601"
  events:
    $e.metadata.event_type = "NETWORK_UNCATEGORIZED"
    $e.metadata.product_name = "Cisco IOS"
    (
      re.regex($e.network.session_id, `copy (tftp|ftp|scp)|boot system flash|install activate|INTEGRITY_FAILED|SIGNATURE_FAILED|FLASH-5-SIGNIFICANT_FLASH`) nocase
    )
  condition:
    $e
}

high severity medium confidence

Data Sources

Cisco IOS Syslog Juniper JunOS Syslog

Required Tables

NETWORK_UNCATEGORIZED

False Positives

Authorized network engineers performing scheduled firmware upgrades during maintenance windows via TFTP/SCP
Network management platforms (Cisco Prime, SolarWinds, Ansible AWX) performing automated image distribution and version compliance enforcement
Legitimate disaster recovery operations restoring a known-good baseline image after hardware failure
Vendor-assisted software update procedures conducted by authorized third-party contractors with change tickets

CrowdStrike LogScale (CQL)

cql

#event_simpleName=SyslogMessage
| Message = /copy (tftp|ftp|scp).*flash:|boot system flash|install activate|INTEGRITY_FAILED|SIGNATURE_FAILED|FLASH-5-SIGNIFICANT_FLASH/i
| case {
    Message = /INTEGRITY_FAILED|SIGNATURE_FAILED/i | RiskLevel := "Critical";
    Message = /copy (tftp|ftp|scp).*flash:/i | RiskLevel := "High";
    Message = /boot system|install activate/i | RiskLevel := "High";
    * | RiskLevel := "Medium"
  }
| table([@timestamp, ComputerName, Message, RiskLevel])

high severity medium confidence

Data Sources

Network Device Syslog (via Falcon LogScale)

Required Tables

SyslogMessage

False Positives

Authorized network engineers performing scheduled firmware upgrades during maintenance windows via TFTP/SCP
Network management platforms (Cisco Prime, SolarWinds, Ansible AWX) performing automated image distribution and version compliance enforcement
Legitimate disaster recovery operations restoring a known-good baseline image after hardware failure
Vendor-assisted software update procedures conducted by authorized third-party contractors with change tickets

Modify System Image

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Defense Evasion

Popular Detections