T1601.002 Downgrade System Image Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1601.002 — Downgrade System Image Detection
// Monitors syslog telemetry from network devices for indicators of OS image downgrade:
// (1) Image file transfers to flash/bootflash, (2) boot system directive changes pointing to older images,
// (3) reload/reboot commands following configuration changes, (4) version downgrade confirmed post-reload
let DowngradeIndicators = dynamic([
  "copy tftp", "copy ftp", "copy scp", "copy http",
  "boot system flash", "boot system bootflash", "boot system tftp",
  "no boot system", "default boot system",
  "archive download", "install add", "install activate",
  "request system software", "request system reboot",
  "set system image"
]);
let DeviceVendors = dynamic([
  "ios", "iosxe", "iosxr", "junos", "panos", "fortios", "nxos", "eos"
]);
Syslog
| where TimeGenerated > ago(24h)
| where Facility == "local7" or Facility == "local6" or SyslogMessage contains "SYS-" or SyslogMessage contains "CONFIG_I" or SyslogMessage contains "INSTALL"
| where SyslogMessage has_any (DowngradeIndicators)
    or (SyslogMessage has "copy" and SyslogMessage has_any ("flash:", "bootflash:", "disk0:", "nvram:"))
    or (SyslogMessage has "boot system" and SyslogMessage has_any (".bin", ".ova", ".qcow2", ".vmdk"))
    or (SyslogMessage has "reload" and SyslogMessage has_any ("in ", "at ", "cancel"))
    or (SyslogMessage has "install" and SyslogMessage has_any ("older", "previous", "rollback", "downgrade"))
| extend DeviceIP = Computer
| extend ParsedCommand = extract(@"(copy\s+\S+\s+\S+|boot\s+system\s+.+|install\s+\S+\s+\S+|request\s+system\s+.+)", 1, SyslogMessage)
| extend IsImageTransfer = SyslogMessage has_any ("copy tftp", "copy ftp", "copy scp", "copy http") and SyslogMessage has_any ("flash:", "bootflash:", "disk0:")
| extend IsBootChange = SyslogMessage has "boot system" and SyslogMessage has_any (".bin", ".tar", ".pkg")
| extend IsReloadScheduled = SyslogMessage has "reload" and (SyslogMessage has "in " or SyslogMessage has "at ")
| extend IsInstallOp = SyslogMessage has_any ("install add", "install activate", "archive download", "request system software")
| extend RiskScore = toint(IsImageTransfer) * 3 + toint(IsBootChange) * 3 + toint(IsReloadScheduled) * 1 + toint(IsInstallOp) * 2
| where RiskScore > 0
| project TimeGenerated, DeviceIP, SyslogMessage, ParsedCommand,
         IsImageTransfer, IsBootChange, IsReloadScheduled, IsInstallOp, RiskScore
| sort by RiskScore desc, TimeGenerated desc

high severity medium confidence

Data Sources

Network Device: Network Device Configuration Network Traffic: Network Traffic Content Syslog (network device syslog forwarding)

Required Tables

Syslog CommonSecurityLog

False Positives

Legitimate planned OS upgrades — network engineers copying new images to flash during maintenance windows. Image transfers to flash are routine during sanctioned upgrade cycles.
Automated configuration management systems (Cisco DNA Center, SolarWinds NCM, Ansible Network) that periodically push images or update boot configurations as part of lifecycle management.
Disaster recovery or rollback operations where a previous known-good image is intentionally restored after a failed upgrade — this is a legitimate downgrade but authorized.
Boot system commands added during image pre-staging where the new image is placed alongside the old one before a maintenance window cutover.
Lab and test environment devices where engineers frequently swap between image versions for testing purposes.

Splunk

spl

index=syslog (sourcetype="syslog" OR sourcetype="cisco:ios" OR sourcetype="cisco:asa" OR sourcetype="juniper" OR sourcetype="paloalto:firewall" OR sourcetype="fortinet:fortigate")
| eval msg=lower(_raw)
| eval ImageTransfer=if(match(msg, "copy\s+(tftp|ftp|scp|http|https).*bootflash:|copy\s+(tftp|ftp|scp|http|https).*flash:|copy\s+(tftp|ftp|scp|http|https).*disk0:"), 1, 0)
| eval BootSystemChange=if(match(msg, "boot\s+system\s+(flash|bootflash|tftp|disk0|bootdisk).*\.(bin|tar|pkg|ova|qcow2)"), 1, 0)
| eval NoBootSystem=if(match(msg, "no\s+boot\s+system"), 1, 0)
| eval ReloadScheduled=if(match(msg, "reload\s+(in|at)\s+[0-9]"), 1, 0)
| eval InstallOp=if(match(msg, "(install\s+add|install\s+activate|archive\s+download|request\s+system\s+software|request\s+system\s+reboot|set\s+system\s+image)"), 1, 0)
| eval RollbackOp=if(match(msg, "(rollback|downgrade|previous.*version|older.*image|install\s+rollback)"), 1, 0)
| eval SuspicionScore=ImageTransfer*3 + BootSystemChange*3 + NoBootSystem*2 + ReloadScheduled*1 + InstallOp*2 + RollbackOp*3
| where SuspicionScore > 0
| eval VendorHint=case(
    match(msg, "ios-xe|iosxe|catalyst|asr|isr"), "Cisco IOS-XE",
    match(msg, "junos|juniper|mx-|ex-|qfx|srx"), "Juniper JunOS",
    match(msg, "panos|pan-os|panorama"), "Palo Alto PAN-OS",
    match(msg, "fortios|fortigate|fortiswitch"), "Fortinet FortiOS",
    match(msg, "nxos|nexus|n9k|n7k"), "Cisco NX-OS",
    1==1, "Unknown"
  )
| table _time, host, sourcetype, VendorHint, _raw, ImageTransfer, BootSystemChange, NoBootSystem, ReloadScheduled, InstallOp, RollbackOp, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Network Device: Network Device Configuration Syslog (network device syslog forwarding) Cisco IOS syslog messages Juniper JunOS syslog Palo Alto PAN-OS syslog

Required Sourcetypes

syslog cisco:ios juniper paloalto:firewall fortinet:fortigate

False Positives

Authorized OS upgrade cycles where images are pre-staged to flash before a maintenance window cutover — the copy and boot system commands are expected.
Automated network lifecycle management platforms (Cisco DNA Center, Ansible AWX, SolarWinds NCM) executing planned image deployments.
Authorized rollback to a previous stable image after a failed upgrade during a maintenance window, documented in change management.
Lab/test devices where engineers iterate through multiple image versions for compatibility or QA testing.
ISSU (In-Service Software Upgrade) procedures on high-availability platforms where install add/activate sequences are part of normal non-disruptive upgrade workflows.

Elastic Security (EQL)

eql

any where event.dataset in ("system.syslog", "cisco.ios") and message : ("copy tftp*" or "copy ftp*" or "copy scp*" or "boot system flash*" or "boot system tftp*" or "install add file*" or "install activate*" or "INTEGRITY_FAILED*" or "SIGNATURE_FAILED*" or "FLASH-5-SIGNIFICANT_FLASH*")

high severity medium confidence

Data Sources

Elastic Agent System integration Cisco IOS integration

Required Tables

logs-system.syslog-* logs-cisco.ios-*

False Positives

Legitimate planned OS upgrades — network engineers copying new images to flash during maintenance windows. Image transfers to flash are routine during sanctioned upgrade cycles.
Automated configuration management systems (Cisco DNA Center, SolarWinds NCM, Ansible Network) that periodically push images or update boot configurations as part of lifecycle management.
Disaster recovery or rollback operations where a previous known-good image is intentionally restored after a failed upgrade — this is a legitimate downgrade but authorized.
Boot system commands added during image pre-staging where the new image is placed alongside the old one before a maintenance window cutover.
Lab and test environment devices where engineers frequently swap between image versions for testing purposes.

IBM QRadar (AQL)

sql

SELECT UTF8(payload) as "Message", devicetime as "EventTime", sourceip as "SourceIP", hostname as "DeviceName", CASE WHEN UTF8(payload) ILIKE '%INTEGRITY_FAILED%' OR UTF8(payload) ILIKE '%SIGNATURE_FAILED%' THEN 100 WHEN UTF8(payload) ILIKE '%copy tftp%' AND (UTF8(payload) ILIKE '%flash:%' OR UTF8(payload) ILIKE '%bootflash:%') THEN 80 WHEN UTF8(payload) ILIKE '%boot system%' AND (UTF8(payload) ILIKE '%.bin%' OR UTF8(payload) ILIKE '%.pkg%') THEN 75 WHEN UTF8(payload) ILIKE '%install activate%' OR UTF8(payload) ILIKE '%install add file%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Cisco IOS', 'Cisco IOS XE', 'Juniper Networks Junos') AND (UTF8(payload) ILIKE '%copy tftp%' OR UTF8(payload) ILIKE '%copy scp%' OR UTF8(payload) ILIKE '%copy ftp%' OR UTF8(payload) ILIKE '%boot system flash%' OR UTF8(payload) ILIKE '%install activate%' OR UTF8(payload) ILIKE '%INTEGRITY_FAILED%' OR UTF8(payload) ILIKE '%SIGNATURE_FAILED%' OR UTF8(payload) ILIKE '%FLASH-5-SIGNIFICANT_FLASH%') ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Network Device Syslog Cisco IOS Juniper JunOS

Required Tables

events

False Positives

Legitimate planned OS upgrades — network engineers copying new images to flash during maintenance windows. Image transfers to flash are routine during sanctioned upgrade cycles.
Automated configuration management systems (Cisco DNA Center, SolarWinds NCM, Ansible Network) that periodically push images or update boot configurations as part of lifecycle management.
Disaster recovery or rollback operations where a previous known-good image is intentionally restored after a failed upgrade — this is a legitimate downgrade but authorized.
Boot system commands added during image pre-staging where the new image is placed alongside the old one before a maintenance window cutover.
Lab and test environment devices where engineers frequently swap between image versions for testing purposes.

Sumo Logic CSE

sql

_sourceCategory=network/cisco/ios OR _sourceCategory=network/devices/syslog | where _raw matches "*copy tftp*" or _raw matches "*copy scp*" or _raw matches "*copy ftp*" or _raw matches "*boot system flash*" or _raw matches "*install activate*" or _raw matches "*INTEGRITY_FAILED*" or _raw matches "*SIGNATURE_FAILED*" or _raw matches "*FLASH-5-SIGNIFICANT_FLASH*" | if(matches(_raw, "*INTEGRITY_FAILED*") or matches(_raw, "*SIGNATURE_FAILED*"), "Critical", if(matches(_raw, "*copy tftp*") or matches(_raw, "*copy scp*"), "High", "Medium")) as RiskLevel | count by _sourceHost, RiskLevel | sort by _count desc

high severity medium confidence

Data Sources

Cisco IOS Syslog Network Device Syslog

Required Tables

network/cisco/ios network/devices/syslog

False Positives

Legitimate planned OS upgrades — network engineers copying new images to flash during maintenance windows. Image transfers to flash are routine during sanctioned upgrade cycles.
Automated configuration management systems (Cisco DNA Center, SolarWinds NCM, Ansible Network) that periodically push images or update boot configurations as part of lifecycle management.
Disaster recovery or rollback operations where a previous known-good image is intentionally restored after a failed upgrade — this is a legitimate downgrade but authorized.
Boot system commands added during image pre-staging where the new image is placed alongside the old one before a maintenance window cutover.
Lab and test environment devices where engineers frequently swap between image versions for testing purposes.

Google Chronicle / SecOps

yaral

rule detect_system_image_modification {
  meta:
    author = "Argus"
    description = "Detects network device OS image modification attempts"
    severity = "CRITICAL"
    technique = "T1601"
  events:
    $e.metadata.event_type = "NETWORK_UNCATEGORIZED"
    $e.metadata.product_name = "Cisco IOS"
    (
      re.regex($e.network.session_id, `copy (tftp|ftp|scp)|boot system flash|install activate|INTEGRITY_FAILED|SIGNATURE_FAILED|FLASH-5-SIGNIFICANT_FLASH`) nocase
    )
  condition:
    $e
}

high severity medium confidence

Data Sources

Cisco IOS Syslog Juniper JunOS Syslog

Required Tables

NETWORK_UNCATEGORIZED

False Positives

Legitimate planned OS upgrades — network engineers copying new images to flash during maintenance windows. Image transfers to flash are routine during sanctioned upgrade cycles.
Automated configuration management systems (Cisco DNA Center, SolarWinds NCM, Ansible Network) that periodically push images or update boot configurations as part of lifecycle management.
Disaster recovery or rollback operations where a previous known-good image is intentionally restored after a failed upgrade — this is a legitimate downgrade but authorized.
Boot system commands added during image pre-staging where the new image is placed alongside the old one before a maintenance window cutover.
Lab and test environment devices where engineers frequently swap between image versions for testing purposes.

CrowdStrike LogScale (CQL)

cql

#event_simpleName=SyslogMessage
| Message = /copy (tftp|ftp|scp).*flash:|boot system flash|install activate|INTEGRITY_FAILED|SIGNATURE_FAILED|FLASH-5-SIGNIFICANT_FLASH/i
| case {
    Message = /INTEGRITY_FAILED|SIGNATURE_FAILED/i | RiskLevel := "Critical";
    Message = /copy (tftp|ftp|scp).*flash:/i | RiskLevel := "High";
    Message = /boot system|install activate/i | RiskLevel := "High";
    * | RiskLevel := "Medium"
  }
| table([@timestamp, ComputerName, Message, RiskLevel])

high severity medium confidence

Data Sources

Network Device Syslog (via Falcon LogScale)

Required Tables

SyslogMessage

False Positives

Legitimate planned OS upgrades — network engineers copying new images to flash during maintenance windows. Image transfers to flash are routine during sanctioned upgrade cycles.
Automated configuration management systems (Cisco DNA Center, SolarWinds NCM, Ansible Network) that periodically push images or update boot configurations as part of lifecycle management.
Disaster recovery or rollback operations where a previous known-good image is intentionally restored after a failed upgrade — this is a legitimate downgrade but authorized.
Boot system commands added during image pre-staging where the new image is placed alongside the old one before a maintenance window cutover.
Lab and test environment devices where engineers frequently swap between image versions for testing purposes.

Downgrade System Image

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections