T1601.001 Splunk · SPL

Detect Patch System Image in Splunk

Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses. On monolithic-architecture devices such as Cisco IOS routers, Juniper JunOS appliances, and Palo Alto PAN-OS firewalls, the entire OS resides in a single image file. Adversaries can overwrite or supplement this image in flash storage using standard device management protocols (TFTP, FTP, SCP, HTTP), or manipulate the running OS directly in memory using native debug commands or malicious bootloader code implanted via ROMMONkit. Patching the system image allows adversaries to disable encryption (T1600), weaken authentication (T1556.004), bridge network boundaries (T1599), add keylogging (T1056.001), establish covert proxies (T1090.003), or falsify command output to hide the compromise. SYNful Knock is the most prominent real-world example, inserting a backdoored IOS image onto Cisco 1841, 2811, and 3825 routers. Patching in storage survives reboots; patching only in memory does not unless combined with a persistent bootloader implant.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1601 Modify System Image
Sub-technique
T1601.001 Patch System Image
Canonical reference
https://attack.mitre.org/techniques/T1601/001/

SPL Detection Query

Splunk (SPL)
index=network (sourcetype="cisco:ios" OR sourcetype="cisco_syslog" OR sourcetype="syslog" OR sourcetype="juniper:junos:syslog" OR sourcetype="pan:log")
(
  ("copy tftp" OR "copy ftp" OR "copy scp" OR "copy http" OR "archive download-sw" OR "archive copy-sw" OR "install add file" OR "install activate")
  OR ("boot system flash" OR "boot system tftp" OR "boot system ftp" OR "no boot system" OR "ROMMON_CONFIG" OR "confreg 0x")
  OR ("INTEGRITY_FAILED" OR "SIGNATURE_FAILED" OR "hash mismatch" OR "image verification failed" OR "FLASH-4-WRITE_FAILED" OR "FLASH-5-SIGNIFICANT_FLASH_ERASE")
  OR (("flash:" OR "disk0:" OR "bootflash:") AND (".bin" OR ".img" OR ".tar" OR ".pkg" OR ".tgz"))
)
| eval IsImageTransfer=if(match(_raw, "copy (tftp|ftp|scp|http|rcp):|archive (download-sw|copy-sw)|install add file|install activate"), 1, 0)
| eval IsBootManipulation=if(match(_raw, "boot system (flash|tftp|ftp|http)|no boot system|ROMMON_CONFIG|confreg 0x[0-9a-fA-F]"), 1, 0)
| eval IsIntegrityAlert=if(match(_raw, "INTEGRITY_FAILED|SIGNATURE_FAILED|hash mismatch|image verification failed|FLASH-4-WRITE_FAILED|FLASH-5-SIGNIFICANT_FLASH_ERASE"), 1, 0)
| eval IsFlashWrite=if(match(_raw, "(flash:|disk0:|bootflash:).*\.(bin|img|tar|pkg|tgz)"), 1, 0)
| eval SuspicionScore=IsImageTransfer + IsBootManipulation + IsIntegrityAlert + IsFlashWrite
| rex field=_raw "[Uu]ser[:\s]+(?P<ExtractedUser>[\w\\@\.\-]+)"
| rex field=_raw "logged command[:\s]+(?P<ExtractedCommand>.+?)$"
| rex field=_raw "(?:tftp|ftp|scp|http)://(?P<SourceTransferIP>[\d\.]+|[\w\-\.]+)/"
| rex field=_raw "%(?P<SyslogMnemonic>[A-Z0-9_\-]+-\d-[A-Z0-9_]+):"
| where SuspicionScore > 0
| table _time, host, ExtractedUser, ExtractedCommand, SourceTransferIP, SyslogMnemonic, IsImageTransfer, IsBootManipulation, IsIntegrityAlert, IsFlashWrite, SuspicionScore, _raw
| sort - SuspicionScore, - _time
Severity: critical | Confidence: medium

Detects network device OS image patching in Splunk using syslog data from Cisco IOS/IOS-XE, Juniper JunOS, and Palo Alto PAN-OS devices. Evaluates raw messages against four indicator categories (image file transfers, boot configuration manipulation, integrity/signature failures, and flash storage writes with image file extensions) and assigns a cumulative suspicion score. Extracts key forensic fields: executing user and full command text (from Cisco IOS archive config logging, %PARSER-5-CFGLOG_LOGGEDCMD, or from AAA command-accounting records forwarded into Splunk), transfer source host, and Cisco syslog mnemonic. Note that copy, archive download-sw, install and verify are privileged EXEC commands, not configuration commands: archive config logging does not record them, so the image-transfer category only fires when TACACS+ command accounting (or another record of EXEC commands) is onboarded into one of the searched sourcetypes. Only boot system changes, which are global configuration commands, arrive via CFGLOG_LOGGEDCMD. Scores of 2 or more indicate compound indicators and warrant immediate escalation; a score of 1 is a single indicator worth triage against the change calendar.
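To see the scoring and extraction logic outside Splunk, here is an added Python re-implementation (written for this page; it is not Splunk code and not part of the original detection package) that applies the same four indicator regexes and the same rex extractions to constructed syslog lines, then applies the change-management suppression from the tuning section as an allowlist of approved image servers. The sample lines, the device names, the approved host 10.0.0.9, and the %TEST-3-SIGNATURE_FAILED mnemonic are all constructed for illustration.

```python
import re

# Constructed sample events (not captured from a real device). They mimic the
# Cisco IOS syslog layout the SPL query keys on. The second and fourth lines
# imitate AAA command-accounting records forwarded as syslog; the facility and
# mnemonic on the third line (%TEST-3-...) are placeholders, not a documented
# IOS message.
SAMPLE_EVENTS = [
    "<189>Jan 14 10:02:11 core-rtr-01 1234: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:boot system flash:c2900-universalk9-mz.SPA.157-3.M4.bin",
    "<190>Jan 14 10:03:45 core-rtr-01 1235: User:admin logged command:copy tftp://192.168.1.50/c2900-patched.bin flash:c2900-universalk9-mz.SPA.157-3.M4.bin",
    "<187>Jan 14 10:05:02 core-rtr-01 1236: %TEST-3-SIGNATURE_FAILED: image verification failed for flash:c2900-universalk9-mz.SPA.157-3.M4.bin",
    "<190>Jan 14 10:07:30 dist-sw-02 2201: User:netops logged command:archive download-sw /overwrite tftp://10.0.0.9/c3750-ipservicesk9-tar.152-4.E10.tar",
    "<189>Jan 14 10:06:00 core-rtr-01 1237: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]

# The four indicator categories, one regex each, mirroring the eval/match()
# calls in the SPL query.
INDICATORS = {
    "IsImageTransfer": re.compile(
        r"copy (tftp|ftp|scp|http|rcp):|archive (download-sw|copy-sw)|install add file|install activate"),
    "IsBootManipulation": re.compile(
        r"boot system (flash|tftp|ftp|http)|no boot system|ROMMON_CONFIG|confreg 0x[0-9a-fA-F]"),
    "IsIntegrityAlert": re.compile(
        r"INTEGRITY_FAILED|SIGNATURE_FAILED|hash mismatch|image verification failed|"
        r"FLASH-4-WRITE_FAILED|FLASH-5-SIGNIFICANT_FLASH_ERASE"),
    "IsFlashWrite": re.compile(r"(flash:|disk0:|bootflash:).*\.(bin|img|tar|pkg|tgz)"),
}

# Field extractions, mirroring the rex commands.
USER_RE = re.compile(r"[Uu]ser[:\s]+(?P<user>[\w\\@.\-]+)")
CMD_RE = re.compile(r"logged command[:\s]+(?P<cmd>.+?)$")
SRC_RE = re.compile(r"(?:tftp|ftp|scp|http)://(?P<src>[\d.]+|[\w\-.]+)/")
MNEMONIC_RE = re.compile(r"%(?P<mnem>[A-Z0-9_\-]+-\d-[A-Z0-9_]+):")


def score_event(raw):
    """Apply the four indicator flags and the field extractions to one raw line."""
    flags = {name: int(bool(rx.search(raw))) for name, rx in INDICATORS.items()}

    def grab(rx, group):
        m = rx.search(raw)
        return m.group(group) if m else None

    return {
        "raw": raw,
        "user": grab(USER_RE, "user"),
        "command": grab(CMD_RE, "cmd"),
        "source": grab(SRC_RE, "src"),
        "mnemonic": grab(MNEMONIC_RE, "mnem"),
        **flags,
        "score": sum(flags.values()),
    }


def triage(events, approved_transfer_hosts=frozenset()):
    """Score every event, drop score-0 noise, sort by score and mark escalations.

    approved_transfer_hosts is the tuning hook: transfers pulled from a known
    image server (e.g. the NCM platform) stay visible but are not escalated.
    """
    hits = []
    for raw in events:
        ev = score_event(raw)
        if ev["score"] == 0:
            continue
        ev["approved_source"] = ev["source"] in approved_transfer_hosts
        ev["escalate"] = ev["score"] >= 2 and not ev["approved_source"]
        hits.append(ev)
    hits.sort(key=lambda e: e["score"], reverse=True)
    return hits


if __name__ == "__main__":
    # 10.0.0.9 is a constructed address standing in for an approved image server.
    for ev in triage(SAMPLE_EVENTS, {"10.0.0.9"}):
        print(f"score={ev['score']} escalate={ev['escalate']} user={ev['user']} "
              f"src={ev['source']} mnemonic={ev['mnemonic']} cmd={ev['command']}")
```

Running it shows why the score alone is not the whole story: the archive download-sw line scores only 1 and comes from the approved image server, so it is listed but not escalated, while the copy from 192.168.1.50 and the boot system change both score 2 and escalate. The same allowlist is the place to add maintenance-window logic before the where clause in production.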

Data Sources

Network Device: Network Device Configuration
Network Device: Network Device Command
Syslog from Cisco IOS/IOS-XE, Juniper JunOS, Palo Alto PAN-OS

Required Sourcetypes

cisco:ios
cisco_syslog
syslog
juniper:junos:syslog
pan:log

False Positives & Tuning

  • Legitimate scheduled OS upgrades during approved maintenance windows — correlate with change management system
  • Automated network management platforms (Cisco DNA Center, SolarWinds NCM, NetBrain) performing planned image management
  • Security audit scripts running verify commands to check image integrity — read-only, no actual modification
  • Device replacements or RMA processes where new hardware receives current production image
  • Network lab environments with frequent image changes for feature testing or validation

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Enumerate Current Boot Image and Flash Contents (Audit)

    Expected signal: TACACS+ command accounting records the SSH login and the four show commands under the authorized username. Session-management syslog such as %SYS-6-TTY_EXPIRE_TIMER may also be generated. AAA/RADIUS logs show a successful authentication event. No CFGLOG_LOGGEDCMD entries: show commands are not configuration commands and do not appear in the archive config log.

  2. Test 2: Verify Image Integrity Against Known-Good Hash

    Expected signal: TACACS+ command accounting records that the user executed 'verify /md5 flash:<image>' (a privileged EXEC command, not a configuration command, so it does not appear in CFGLOG). The computed digest, and any mismatch against a supplied expected hash, is reported to the CLI session rather than as a syslog message, so the accounting record is the primary artifact. Whether the device additionally emits a SIGNATURE_FAILED or similar integrity syslog message depends on platform, version and image-signing configuration; do not rely on the IsIntegrityAlert category for this test.

  3. Test 3: Simulate Malicious Image Transfer Command (TFTP to Flash)

    Expected signal: copy is a privileged EXEC command, so it is not captured by archive config logging (no %PARSER-5-CFGLOG_LOGGEDCMD entry) and does not trigger %SYS-5-CONFIG_I. The primary artifact is the TACACS+ command-accounting record: user, timestamp, source terminal, and the full command 'copy tftp://192.168.1.50/test-image-nonexistent.bin flash:test-image-nonexistent.bin'. With aaa accounting commands configured, that record is written whether or not the TFTP transfer succeeds, so a failed transfer of a non-existent file still produces the signal. Forward these records into one of the searched sourcetypes, otherwise the IsImageTransfer category has nothing to match.

  4. Test 4: Simulate Boot Configuration Change to Secondary Image

    Expected signal: PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:boot system flash:argus-test-image.bin — captured by Cisco IOS archive logging. SYS-5-CONFIG_I: Configured from vty0 by admin. Both entries appear in syslog and TACACS+ command accounting.

  5. Test 5: Audit Multiple Devices for Dual Images and Boot Anomalies (Bulk Hunt)

    Expected signal: TACACS+ command accounting will record three show commands per device (show flash, show boot, show version). No CFGLOG_LOGGEDCMD entries (read-only). SSH session initiation/termination syslog per device. The script output itself is the primary forensic artifact — any device reporting dual images or unexpected boot configuration requires immediate escalation.
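As an added illustration of the bulk hunt in Test 5 (example code written for this page, not the Pro script and not a Cisco tool), the Python below parses constructed output from show version, show running-config | include ^boot system, and dir flash: for two routers and reports dual images, unapproved or network-sourced boot entries, and a first boot entry that differs from the running image. The device names, the CLI output, and the APPROVED_IMAGES allowlist are constructed; the output formats are modelled on Cisco IOS, and collecting them over SSH is left to your existing automation.

```python
import re

# Constructed allowlist of image file names approved for this platform.
APPROVED_IMAGES = {"c2900-universalk9-mz.SPA.157-3.M4.bin"}
# On-box file systems; a boot entry pointing anywhere else loads over the network.
LOCAL_STORES = {"flash", "bootflash", "disk0", "usbflash0"}

# Constructed CLI output resembling Cisco IOS; not captured from real devices.
DEVICE_OUTPUT = {
    "core-rtr-01": {
        "show version": 'System image file is "flash:c2900-universalk9-mz.SPA.157-3.M4.bin"\n',
        "show run | include ^boot system": "boot system flash:c2900-universalk9-mz.SPA.157-3.M4.bin\n",
        "dir flash:": (
            "Directory of flash:/\n\n"
            "    1  -rw-    97794040  Mar 1 2019 00:00:00 +00:00  c2900-universalk9-mz.SPA.157-3.M4.bin\n"
            "    2  -rw-        2573  Mar 1 2019 00:00:00 +00:00  cpconfig-29xx.cfg\n"
        ),
    },
    "core-rtr-02": {
        "show version": 'System image file is "flash:c2900-universalk9-mz.SPA.157-3.M4.bin"\n',
        "show run | include ^boot system": (
            "boot system flash:c2900-patched.bin\n"
            "boot system flash:c2900-universalk9-mz.SPA.157-3.M4.bin\n"
        ),
        "dir flash:": (
            "Directory of flash:/\n\n"
            "    1  -rw-    97794040  Mar 1 2019 00:00:00 +00:00  c2900-universalk9-mz.SPA.157-3.M4.bin\n"
            "    2  -rw-    97800112  Jan 13 2024 23:41:10 +00:00  c2900-patched.bin\n"
        ),
    },
}

RUNNING_RE = re.compile(r'System image file is "(?P<path>[^"]+)"')
BOOT_RE = re.compile(r"^boot system (?P<args>.+?)\s*$", re.M)
# One 'dir' row: index, -rw-, size, timestamp, then a file name with an image extension.
DIR_RE = re.compile(r"^\s*\d+\s+-rw-\s+\d+\s+.*?\s+(?P<name>\S+\.(?:bin|img|tar|pkg|tgz))\s*$", re.M)


def basename(path):
    """flash:/dir/x.bin -> x.bin; bare names pass through unchanged."""
    return path.rsplit(":", 1)[-1].rsplit("/", 1)[-1]


def parse_boot_entries(text):
    """Return (source, filename) per 'boot system' line, in precedence order.

    Handles 'boot system flash:x.bin', 'boot system flash x.bin' and
    'boot system tftp x.bin 10.0.0.9'.
    """
    entries = []
    for m in BOOT_RE.finditer(text):
        tokens = m.group("args").split()
        if ":" in tokens[0]:
            entries.append((tokens[0].split(":", 1)[0], basename(tokens[0])))
        else:
            entries.append((tokens[0], tokens[1] if len(tokens) > 1 else ""))
    return entries


def audit_device(output):
    """Return a list of finding strings for one device; empty means clean."""
    findings = []
    m = RUNNING_RE.search(output["show version"])
    running = basename(m.group("path")) if m else ""
    images = DIR_RE.findall(output["dir flash:"])
    boot = parse_boot_entries(output["show run | include ^boot system"])

    if len(images) > 1:
        findings.append(f"dual images in flash: {sorted(images)}")
    for img in images:
        if img not in APPROVED_IMAGES:
            findings.append(f"unapproved image in flash: {img}")
    for source, name in boot:
        if source not in LOCAL_STORES:
            findings.append(f"boot system from network source: {source} {name}")
        elif name not in APPROVED_IMAGES:
            findings.append(f"boot system points at unapproved image: {name}")
    if not boot:
        # IOS falls back to the first valid image in flash when no boot system
        # statement exists, so a dropped image would load silently on reboot.
        findings.append("no boot system statement: first image in flash will load on reboot")
    elif boot[0][1] != running:
        findings.append(f"first boot entry {boot[0][1]} differs from running image {running}")
    return findings


def bulk_hunt(devices):
    """Audit every device; the result maps device name to its findings."""
    return {name: audit_device(out) for name, out in devices.items()}


if __name__ == "__main__":
    for name, findings in bulk_hunt(DEVICE_OUTPUT).items():
        print(name, "CLEAN" if not findings else "")
        for f in findings:
            print("   -", f)
```

core-rtr-02 is the device Test 5 wants surfaced: two images in flash, an unapproved file, a boot statement preferring that file, and a running image that no longer matches what will load next reboot. Compare the flagged file's hash against the vendor value (Test 2) before touching it, and preserve the flash contents for forensics rather than deleting the image on the device.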
