T1601.001 Microsoft Sentinel · KQL

Detect Patch System Image in Microsoft Sentinel

Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses. On monolithic-architecture devices such as Cisco IOS routers, Juniper JunOS appliances, and Palo Alto PAN-OS firewalls, the entire OS resides in a single image file. Adversaries can overwrite or supplement this image in flash storage using standard device management protocols (TFTP, FTP, SCP, HTTP), or manipulate the running OS directly in memory using native debug commands or malicious bootloader code implanted via ROMMONkit. Patching the system image allows adversaries to disable encryption (T1600), weaken authentication (T1556.004), bridge network boundaries (T1599), add keylogging (T1056.001), establish covert proxies (T1090.003), or falsify command output to hide the compromise. SYNful Knock is the most prominent real-world example, inserting a backdoored IOS image onto Cisco 1841, 2811, and 3825 routers. Patching in storage survives reboots; patching only in memory does not unless combined with a persistent bootloader implant.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1601 Modify System Image
Sub-technique: T1601.001 Patch System Image
Canonical reference: https://attack.mitre.org/techniques/T1601/001/

KQL Detection Query

Microsoft Sentinel (KQL)
// Indicator lists: image transfer commands, boot/ROMMON manipulation, integrity failures
let ImageTransferCommands = dynamic([
  "copy tftp", "copy ftp", "copy scp", "copy http", "copy https", "copy rcp",
  "archive download-sw", "archive copy-sw", "install add file", "install activate",
  "request system software add", "request system software validate"
]);
let BootManipulationPatterns = dynamic([
  "boot system flash", "boot system tftp", "boot system ftp", "boot system http",
  "no boot system", "ROMMON_CONFIG", "SETVAR", "confreg 0x", "rommon"
]);
let IntegrityAlerts = dynamic([
  "INTEGRITY_FAILED", "SIGNATURE_FAILED", "hash mismatch", "image verification failed",
  "FLASH-4-WRITE_FAILED", "FLASH-5-SIGNIFICANT_FLASH_ERASE", "tamper detected",
  "SOFTWARE INTEGRITY", "IOS_RESILIENCE"
]);
let ImageFileExtensions = dynamic([".bin", ".img", ".ova", ".tar", ".pkg", ".tgz", ".qcow2"]);
let FlashTargets = dynamic(["flash:", "disk0:", "bootflash:"]);
Syslog
| where TimeGenerated > ago(24h)
// Evaluate each indicator category once, then keep rows where any category fires
| extend IsImageTransfer = SyslogMessage has_any (ImageTransferCommands)
| extend IsBootManipulation = SyslogMessage has_any (BootManipulationPatterns)
| extend IsIntegrityAlert = SyslogMessage has_any (IntegrityAlerts)
| extend IsFlashWrite = SyslogMessage has_any (ImageFileExtensions) and SyslogMessage has_any (FlashTargets)
| where IsImageTransfer or IsBootManipulation or IsIntegrityAlert or IsFlashWrite
// Enrichment: executing user, logged command (PARSER-5-CFGLOG_LOGGEDCMD), transfer source, Cisco facility
| extend ExtractedUser = extract(@"[Uu]ser[:\s]+([\w\\@\.\-]+)", 1, SyslogMessage)
| extend ExtractedCommand = extract(@"logged command[:\s]+(.+?)$", 1, SyslogMessage)
| extend SourceTransferIP = extract(@"(?:tftp|ftp|scp|http)://([\d\.]+|[\w\-\.]+)/", 1, SyslogMessage)
| extend SyslogFacility = extract(@"%([A-Z_\-]+)-\d-", 1, SyslogMessage)
| project TimeGenerated, Computer, HostName, Facility, SeverityLevel,
          SyslogMessage, ExtractedUser, ExtractedCommand, SourceTransferIP,
          SyslogFacility, IsImageTransfer, IsBootManipulation, IsIntegrityAlert, IsFlashWrite
| sort by TimeGenerated desc
Severity: critical · Confidence: medium

Detects network device OS image patching activity by monitoring syslog messages forwarded to Microsoft Sentinel. Identifies four key indicator categories: image file transfers via TFTP/FTP/SCP/HTTP to flash storage, boot system configuration changes pointing to new or alternate images, ROMMON variable manipulation, and integrity verification failures. Uses PARSER-5-CFGLOG_LOGGEDCMD (Cisco IOS archive logging) to capture individual configuration commands with user attribution. Extracts the executing user, full command, and transfer source IP for analyst enrichment. Covers Cisco IOS/IOS-XE, Juniper JunOS, and Palo Alto PAN-OS logging patterns.

Data Sources

  • Network Device: Network Device Configuration
  • Network Device: Network Device Command
  • Application Log: Application Log Content
  • Syslog from network devices (Cisco IOS, Juniper JunOS, Palo Alto PAN-OS)

Required Tables

  • Syslog
  • CommonSecurityLog

False Positives & Tuning

  • Legitimate scheduled OS upgrades during approved maintenance windows — correlate with change management system
  • Automated software lifecycle management tools (Cisco DNA Center, SolarWinds NCM, Ansible Network) that perform planned image pushes
  • Disaster recovery restores where a known-good image backup is being re-applied after hardware replacement
  • Security teams running integrity verification commands (verify /md5 flash:) as part of routine audits — these generate matching syslog but are read-only
  • Network device lab or staging environments with frequent image cycling for testing

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Enumerate Current Boot Image and Flash Contents (Audit)

    Expected signal: TACACS+ accounting logs will record SSH login and the four show commands under the authorized username. Cisco IOS SYS-6-TTY_EXPIRE_TIMER or similar session management syslog generated. AAD/RADIUS logs will show a successful authentication event. No CFGLOG_LOGGEDCMD entries — show commands are not configuration commands and will not appear in the archive log.

  2. Test 2: Verify Image Integrity Against Known-Good Hash

    Expected signal: TACACS+ command accounting records that the username executed 'verify /md5 flash:<image>' (a privileged EXEC command, not a configuration command, so it may not appear in CFGLOG). The device may also emit a syslog message containing the computed hash. If the hash mismatches, Cisco IOS may generate a SIGNATURE_FAILED or similar integrity alert depending on version and configuration.

  3. Test 3: Simulate Malicious Image Transfer Command (TFTP to Flash)

    Expected signal: PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:copy tftp://192.168.1.50/test-image-nonexistent.bin flash:test-image-nonexistent.bin — this syslog entry is generated even if the TFTP transfer fails. SYS-5-CONFIG_I may also be generated. TACACS+ accounting records the copy command with user attribution, timestamp, and source terminal.

  4. Test 4: Simulate Boot Configuration Change to Secondary Image

    Expected signal: PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:boot system flash:argus-test-image.bin — captured by Cisco IOS archive logging. SYS-5-CONFIG_I: Configured from vty0 by admin. Both entries appear in syslog and TACACS+ command accounting.

  5. Test 5: Audit Multiple Devices for Dual Images and Boot Anomalies (Bulk Hunt)

    Expected signal: TACACS+ command accounting will record three show commands per device (show flash, show boot, show version). No CFGLOG_LOGGEDCMD entries (read-only). SSH session initiation/termination syslog per device. The script output itself is the primary forensic artifact — any device reporting dual images or unexpected boot configuration requires immediate escalation.
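To validate the detection logic described above offline, before the query is deployed or the tests are run against real devices, here is an added Python harness (not part of this page's detection package) that mirrors the query's four indicator categories and four extract() regexes and runs them over constructed syslog lines modelled on the expected signals of Tests 1, 3 and 4. It approximates KQL has_any with a substring test, and every sample line is constructed rather than captured from a device.

```python
import re

# Indicator lists and extract() regexes mirrored from the KQL query on this page.
IMAGE_TRANSFER = ["copy tftp", "copy ftp", "copy scp", "copy http", "copy https", "copy rcp",
                  "archive download-sw", "archive copy-sw", "install add file", "install activate",
                  "request system software add", "request system software validate"]
BOOT_MANIPULATION = ["boot system flash", "boot system tftp", "boot system ftp", "boot system http",
                     "no boot system", "ROMMON_CONFIG", "SETVAR", "confreg 0x", "rommon"]
INTEGRITY_ALERTS = ["INTEGRITY_FAILED", "SIGNATURE_FAILED", "hash mismatch", "image verification failed",
                    "FLASH-4-WRITE_FAILED", "FLASH-5-SIGNIFICANT_FLASH_ERASE", "tamper detected",
                    "SOFTWARE INTEGRITY", "IOS_RESILIENCE"]
IMAGE_EXTENSIONS = [".bin", ".img", ".ova", ".tar", ".pkg", ".tgz", ".qcow2"]
FLASH_TARGETS = ["flash:", "disk0:", "bootflash:"]
EXTRACTORS = {  # same capture groups as the query's extract() calls
    "ExtractedUser": re.compile(r"[Uu]ser[:\s]+([\w\\@.\-]+)"),
    "ExtractedCommand": re.compile(r"logged command[:\s]+(.+?)$"),
    "SourceTransferIP": re.compile(r"(?:tftp|ftp|scp|http)://([\d.]+|[\w\-.]+)/"),
    "SyslogFacility": re.compile(r"%([A-Z_\-]+)-\d-"),
}

def has_any(message, terms):
    """Approximates KQL has_any with a case-insensitive substring test (KQL matches whole terms)."""
    return any(term.lower() in message.lower() for term in terms)

def classify(message):
    """Returns the flags and enrichment fields the query projects for one line, or None if nothing fires."""
    flags = {
        "IsImageTransfer": has_any(message, IMAGE_TRANSFER),
        "IsBootManipulation": has_any(message, BOOT_MANIPULATION),
        "IsIntegrityAlert": has_any(message, INTEGRITY_ALERTS),
        "IsFlashWrite": has_any(message, IMAGE_EXTENSIONS) and has_any(message, FLASH_TARGETS),
    }
    if not any(flags.values()):
        return None  # the query's where clause would drop this row
    for field, regex in EXTRACTORS.items():
        match = regex.search(message)
        flags[field] = match.group(1) if match else None
    return flags

# Constructed sample lines modelled on the expected signals in Tests 1, 3 and 4 (not real device output).
SAMPLE_LINES = [
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:copy tftp://192.168.1.50/test-image-nonexistent.bin flash:test-image-nonexistent.bin",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:boot system flash:argus-test-image.bin",
    "%SYS-5-CONFIG_I: Configured from vty0 by admin",
    "%SYS-6-TTY_EXPIRE_TIMER: (exec timer) timer expired on tty vty0",
]

def run_samples(lines=SAMPLE_LINES):
    """Returns only the lines the detection would surface, keyed by their index in `lines`."""
    return {i: hit for i, hit in enumerate(map(classify, lines)) if hit}
```

Only the Test 3 and Test 4 lines survive; the CONFIG_I and session-timer lines are dropped exactly as the query's where clause would drop them, which is the behaviour the tuning notes above rely on.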
