T1601.001 Patch System Image Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ImageTransferCommands = dynamic([
  "copy tftp", "copy ftp", "copy scp", "copy http", "copy https", "copy rcp",
  "archive download-sw", "archive copy-sw", "install add file", "install activate",
  "request system software add", "request system software validate"
]);
let BootManipulationPatterns = dynamic([
  "boot system flash", "boot system tftp", "boot system ftp", "boot system http",
  "no boot system", "ROMMON_CONFIG", "SETVAR", "confreg 0x", "rommon"
]);
let IntegrityAlerts = dynamic([
  "INTEGRITY_FAILED", "SIGNATURE_FAILED", "hash mismatch", "image verification failed",
  "FLASH-4-WRITE_FAILED", "FLASH-5-SIGNIFICANT_FLASH_ERASE", "tamper detected",
  "SOFTWARE INTEGRITY", "IOS_RESILIENCE"
]);
let ImageFileExtensions = dynamic([".bin", ".img", ".ova", ".tar", ".pkg", ".tgz", ".qcow2"]);
Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has_any (ImageTransferCommands)
      or SyslogMessage has_any (BootManipulationPatterns)
      or SyslogMessage has_any (IntegrityAlerts)
      or (SyslogMessage has_any (ImageFileExtensions) and (SyslogMessage has "flash:" or SyslogMessage has "disk0:" or SyslogMessage has "bootflash:"))
| extend IsImageTransfer = SyslogMessage has_any (ImageTransferCommands)
| extend IsBootManipulation = SyslogMessage has_any (BootManipulationPatterns)
| extend IsIntegrityAlert = SyslogMessage has_any (IntegrityAlerts)
| extend IsFlashWrite = SyslogMessage has_any (ImageFileExtensions) and (SyslogMessage has "flash:" or SyslogMessage has "disk0:" or SyslogMessage has "bootflash:")
| extend ExtractedUser = extract(@"[Uu]ser[:\s]+([\w\\@\.\-]+)", 1, SyslogMessage)
| extend ExtractedCommand = extract(@"logged command[:\s]+(.+?)$", 1, SyslogMessage)
| extend SourceTransferIP = extract(@"(?:tftp|ftp|scp|http)://([\d\.]+|[\w\-\.]+)/", 1, SyslogMessage)
| extend SyslogFacility = extract(@"%([A-Z_\-]+)-\d-", 1, SyslogMessage)
| project TimeGenerated, Computer, HostName, Facility, SeverityLevel,
          SyslogMessage, ExtractedUser, ExtractedCommand, SourceTransferIP,
          SyslogFacility, IsImageTransfer, IsBootManipulation, IsIntegrityAlert, IsFlashWrite
| sort by TimeGenerated desc

critical severity medium confidence

Data Sources

Network Device: Network Device Configuration Network Device: Network Device Command Application Log: Application Log Content Syslog from network devices (Cisco IOS, Juniper JunOS, Palo Alto PAN-OS)

Required Tables

Syslog CommonSecurityLog

False Positives

Legitimate scheduled OS upgrades during approved maintenance windows — correlate with change management system
Automated software lifecycle management tools (Cisco DNA Center, SolarWinds NCM, Ansible Network) that perform planned image pushes
Disaster recovery restores where a known-good image backup is being re-applied after hardware replacement
Security teams running integrity verification commands (verify /md5 flash:) as part of routine audits — these generate matching syslog but are read-only
Network device lab or staging environments with frequent image cycling for testing

Splunk

spl

index=network (sourcetype="cisco:ios" OR sourcetype="cisco_syslog" OR sourcetype="syslog" OR sourcetype="juniper:junos:syslog" OR sourcetype="pan:log")
(
  ("copy tftp" OR "copy ftp" OR "copy scp" OR "copy http" OR "archive download-sw" OR "archive copy-sw" OR "install add file" OR "install activate")
  OR ("boot system flash" OR "boot system tftp" OR "boot system ftp" OR "no boot system" OR "ROMMON_CONFIG" OR "confreg 0x")
  OR ("INTEGRITY_FAILED" OR "SIGNATURE_FAILED" OR "hash mismatch" OR "image verification failed" OR "FLASH-4-WRITE_FAILED" OR "FLASH-5-SIGNIFICANT_FLASH_ERASE")
  OR (("flash:" OR "disk0:" OR "bootflash:") AND (".bin" OR ".img" OR ".tar" OR ".pkg" OR ".tgz"))
)
| eval IsImageTransfer=if(match(_raw, "copy (tftp|ftp|scp|http|rcp):|archive (download-sw|copy-sw)|install add file|install activate"), 1, 0)
| eval IsBootManipulation=if(match(_raw, "boot system (flash|tftp|ftp|http)|no boot system|ROMMON_CONFIG|confreg 0x[0-9a-fA-F]"), 1, 0)
| eval IsIntegrityAlert=if(match(_raw, "INTEGRITY_FAILED|SIGNATURE_FAILED|hash mismatch|image verification failed|FLASH-4-WRITE_FAILED|FLASH-5-SIGNIFICANT_FLASH_ERASE"), 1, 0)
| eval IsFlashWrite=if(match(_raw, "(flash:|disk0:|bootflash:).*\.(bin|img|tar|pkg|tgz)"), 1, 0)
| eval SuspicionScore=IsImageTransfer + IsBootManipulation + IsIntegrityAlert + IsFlashWrite
| rex field=_raw "[Uu]ser[:\s]+(?P<ExtractedUser>[\w\\@\.\-]+)"
| rex field=_raw "logged command[:\s]+(?P<ExtractedCommand>.+?)$"
| rex field=_raw "(?:tftp|ftp|scp|http)://(?P<SourceTransferIP>[\d\.]+|[\w\-\.]+)/"
| rex field=_raw "%(?P<SyslogMnemonic>[A-Z0-9_\-]+-\d-[A-Z0-9_]+):"
| where SuspicionScore > 0
| table _time, host, ExtractedUser, ExtractedCommand, SourceTransferIP, SyslogMnemonic, IsImageTransfer, IsBootManipulation, IsIntegrityAlert, IsFlashWrite, SuspicionScore, _raw
| sort - SuspicionScore, - _time

critical severity medium confidence

Data Sources

Network Device: Network Device Configuration Network Device: Network Device Command Syslog from Cisco IOS/IOS-XE, Juniper JunOS, Palo Alto PAN-OS

Required Sourcetypes

cisco:ios cisco_syslog syslog juniper:junos:syslog

False Positives

Legitimate scheduled OS upgrades during approved maintenance windows — correlate with change management system
Automated network management platforms (Cisco DNA Center, SolarWinds NCM, NetBrain) performing planned image management
Security audit scripts running verify commands to check image integrity — read-only, no actual modification
Device replacements or RMA processes where new hardware receives current production image
Network lab environments with frequent image changes for feature testing or validation

Elastic Security (EQL)

eql

any where event.dataset in ("system.syslog", "cisco.ios") and message : ("copy tftp*" or "copy ftp*" or "copy scp*" or "boot system flash*" or "boot system tftp*" or "install add file*" or "install activate*" or "INTEGRITY_FAILED*" or "SIGNATURE_FAILED*" or "FLASH-5-SIGNIFICANT_FLASH*")

critical severity medium confidence

Data Sources

Elastic Agent System integration Cisco IOS integration

Required Tables

logs-system.syslog-* logs-cisco.ios-*

False Positives

Legitimate scheduled OS upgrades during approved maintenance windows — correlate with change management system
Automated software lifecycle management tools (Cisco DNA Center, SolarWinds NCM, Ansible Network) that perform planned image pushes
Disaster recovery restores where a known-good image backup is being re-applied after hardware replacement
Security teams running integrity verification commands (verify /md5 flash:) as part of routine audits — these generate matching syslog but are read-only
Network device lab or staging environments with frequent image cycling for testing

IBM QRadar (AQL)

sql

SELECT UTF8(payload) as "Message", devicetime as "EventTime", sourceip as "SourceIP", hostname as "DeviceName", CASE WHEN UTF8(payload) ILIKE '%INTEGRITY_FAILED%' OR UTF8(payload) ILIKE '%SIGNATURE_FAILED%' THEN 100 WHEN UTF8(payload) ILIKE '%copy tftp%' AND (UTF8(payload) ILIKE '%flash:%' OR UTF8(payload) ILIKE '%bootflash:%') THEN 80 WHEN UTF8(payload) ILIKE '%boot system%' AND (UTF8(payload) ILIKE '%.bin%' OR UTF8(payload) ILIKE '%.pkg%') THEN 75 WHEN UTF8(payload) ILIKE '%install activate%' OR UTF8(payload) ILIKE '%install add file%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Cisco IOS', 'Cisco IOS XE', 'Juniper Networks Junos') AND (UTF8(payload) ILIKE '%copy tftp%' OR UTF8(payload) ILIKE '%copy scp%' OR UTF8(payload) ILIKE '%copy ftp%' OR UTF8(payload) ILIKE '%boot system flash%' OR UTF8(payload) ILIKE '%install activate%' OR UTF8(payload) ILIKE '%INTEGRITY_FAILED%' OR UTF8(payload) ILIKE '%SIGNATURE_FAILED%' OR UTF8(payload) ILIKE '%FLASH-5-SIGNIFICANT_FLASH%') ORDER BY "RiskScore" DESC LAST 24 HOURS

critical severity medium confidence

Data Sources

Network Device Syslog Cisco IOS Juniper JunOS

Required Tables

events

False Positives

Legitimate scheduled OS upgrades during approved maintenance windows — correlate with change management system
Automated software lifecycle management tools (Cisco DNA Center, SolarWinds NCM, Ansible Network) that perform planned image pushes
Disaster recovery restores where a known-good image backup is being re-applied after hardware replacement
Security teams running integrity verification commands (verify /md5 flash:) as part of routine audits — these generate matching syslog but are read-only
Network device lab or staging environments with frequent image cycling for testing

Sumo Logic CSE

sql

_sourceCategory=network/cisco/ios OR _sourceCategory=network/devices/syslog | where _raw matches "*copy tftp*" or _raw matches "*copy scp*" or _raw matches "*copy ftp*" or _raw matches "*boot system flash*" or _raw matches "*install activate*" or _raw matches "*INTEGRITY_FAILED*" or _raw matches "*SIGNATURE_FAILED*" or _raw matches "*FLASH-5-SIGNIFICANT_FLASH*" | if(matches(_raw, "*INTEGRITY_FAILED*") or matches(_raw, "*SIGNATURE_FAILED*"), "Critical", if(matches(_raw, "*copy tftp*") or matches(_raw, "*copy scp*"), "High", "Medium")) as RiskLevel | count by _sourceHost, RiskLevel | sort by _count desc

critical severity medium confidence

Data Sources

Cisco IOS Syslog Network Device Syslog

Required Tables

network/cisco/ios network/devices/syslog

False Positives

Legitimate scheduled OS upgrades during approved maintenance windows — correlate with change management system
Automated software lifecycle management tools (Cisco DNA Center, SolarWinds NCM, Ansible Network) that perform planned image pushes
Disaster recovery restores where a known-good image backup is being re-applied after hardware replacement
Security teams running integrity verification commands (verify /md5 flash:) as part of routine audits — these generate matching syslog but are read-only
Network device lab or staging environments with frequent image cycling for testing

Google Chronicle / SecOps

yaral

rule detect_system_image_modification {
  meta:
    author = "Argus"
    description = "Detects network device OS image modification attempts"
    severity = "CRITICAL"
    technique = "T1601"
  events:
    $e.metadata.event_type = "NETWORK_UNCATEGORIZED"
    $e.metadata.product_name = "Cisco IOS"
    (
      re.regex($e.network.session_id, `copy (tftp|ftp|scp)|boot system flash|install activate|INTEGRITY_FAILED|SIGNATURE_FAILED|FLASH-5-SIGNIFICANT_FLASH`) nocase
    )
  condition:
    $e
}

critical severity medium confidence

Data Sources

Cisco IOS Syslog Juniper JunOS Syslog

Required Tables

NETWORK_UNCATEGORIZED

False Positives

Legitimate scheduled OS upgrades during approved maintenance windows — correlate with change management system
Automated software lifecycle management tools (Cisco DNA Center, SolarWinds NCM, Ansible Network) that perform planned image pushes
Disaster recovery restores where a known-good image backup is being re-applied after hardware replacement
Security teams running integrity verification commands (verify /md5 flash:) as part of routine audits — these generate matching syslog but are read-only
Network device lab or staging environments with frequent image cycling for testing

CrowdStrike LogScale (CQL)

cql

#event_simpleName=SyslogMessage
| Message = /copy (tftp|ftp|scp).*flash:|boot system flash|install activate|INTEGRITY_FAILED|SIGNATURE_FAILED|FLASH-5-SIGNIFICANT_FLASH/i
| case {
    Message = /INTEGRITY_FAILED|SIGNATURE_FAILED/i | RiskLevel := "Critical";
    Message = /copy (tftp|ftp|scp).*flash:/i | RiskLevel := "High";
    Message = /boot system|install activate/i | RiskLevel := "High";
    * | RiskLevel := "Medium"
  }
| table([@timestamp, ComputerName, Message, RiskLevel])

critical severity medium confidence

Data Sources

Network Device Syslog (via Falcon LogScale)

Required Tables

SyslogMessage

False Positives

Legitimate scheduled OS upgrades during approved maintenance windows — correlate with change management system
Automated software lifecycle management tools (Cisco DNA Center, SolarWinds NCM, Ansible Network) that perform planned image pushes
Disaster recovery restores where a known-good image backup is being re-applied after hardware replacement
Security teams running integrity verification commands (verify /md5 flash:) as part of routine audits — these generate matching syslog but are read-only
Network device lab or staging environments with frequent image cycling for testing

Patch System Image

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections