Detect Downgrade System Image in IBM QRadar
Adversaries may install an older version of the operating system of a network device to weaken its security posture. Older OS versions on network devices (Cisco IOS, Juniper JunOS, Palo Alto PAN-OS, Fortinet FortiOS) frequently have weaker encryption ciphers, unpatched vulnerabilities, and absent defensive features. On embedded devices, a downgrade typically requires replacing the OS image in flash storage and reconfiguring the boot system directive to point to the older file. The adversary downloads the target older image via TFTP, FTP, or SCP, overwrites or places it alongside the current image, and issues a 'boot system' change — either triggering an immediate reload or waiting for the next scheduled maintenance window. Downgrading enables follow-on techniques such as Weaken Encryption (T1600) and may be combined with Patch System Image (T1601.001) to install a backdoored older version. The SYNful Knock implant and Cisco IOS router compromise campaigns demonstrate this technique in real-world operations.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1601 Modify System Image
- Sub-technique
- T1601.002 Downgrade System Image
- Canonical reference
- https://attack.mitre.org/techniques/T1601/002/
QRadar Detection Query
SELECT UTF8(payload) as "Message", devicetime as "EventTime", sourceip as "SourceIP", hostname as "DeviceName", CASE WHEN UTF8(payload) ILIKE '%INTEGRITY_FAILED%' OR UTF8(payload) ILIKE '%SIGNATURE_FAILED%' THEN 100 WHEN UTF8(payload) ILIKE '%copy tftp%' AND (UTF8(payload) ILIKE '%flash:%' OR UTF8(payload) ILIKE '%bootflash:%') THEN 80 WHEN UTF8(payload) ILIKE '%boot system%' AND (UTF8(payload) ILIKE '%.bin%' OR UTF8(payload) ILIKE '%.pkg%') THEN 75 WHEN UTF8(payload) ILIKE '%install activate%' OR UTF8(payload) ILIKE '%install add file%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Cisco IOS', 'Cisco IOS XE', 'Juniper Networks Junos') AND (UTF8(payload) ILIKE '%copy tftp%' OR UTF8(payload) ILIKE '%copy scp%' OR UTF8(payload) ILIKE '%copy ftp%' OR UTF8(payload) ILIKE '%boot system flash%' OR UTF8(payload) ILIKE '%install activate%' OR UTF8(payload) ILIKE '%INTEGRITY_FAILED%' OR UTF8(payload) ILIKE '%SIGNATURE_FAILED%' OR UTF8(payload) ILIKE '%FLASH-5-SIGNIFICANT_FLASH%') ORDER BY "RiskScore" DESC LAST 24 HOURSIBM QRadar AQL translation of the T1601.002 detection. Uses SQL-like syntax with risk scoring. Detects network device OS image downgrade activity using Syslog telemetry ingested into Microsoft Se
Data Sources
Required Tables
False Positives & Tuning
- Legitimate planned OS upgrades — network engineers copying new images to flash during maintenance windows. Image transfers to flash are routine during sanctioned upgrade cycles.
- Automated configuration management systems (Cisco DNA Center, SolarWinds NCM, Ansible Network) that periodically push images or update boot configurations as part of lifecycle management.
- Disaster recovery or rollback operations where a previous known-good image is intentionally restored after a failed upgrade — this is a legitimate downgrade but authorized.
- Boot system commands added during image pre-staging where the new image is placed alongside the old one before a maintenance window cutover.
- Lab and test environment devices where engineers frequently swap between image versions for testing purposes.
Other platforms for T1601.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Image Transfer to Flash (Cisco IOS — TFTP Copy Command)
Expected signal: Syslog message containing 'copy tftp' and 'flash:' forwarded to the collector. Message format: '%SYS-5-CONFIG_I: Configured from console by <user> on <interface>' followed by copy initiation message. The SIEM should receive log entries matching the image transfer pattern within 30 seconds of command execution.
- Test 2Simulate Boot System Directive Change to Older Image
Expected signal: Syslog %SYS-5-CONFIG_I message indicating configuration change via console or vty. The boot system command itself may appear in TACACS+ accounting logs. On devices with enhanced logging: 'PARSER-5-CFGLOG_LOGGEDCMD: User logged command stem boot system flash:c7200-advipservicesk9-mz.122-55.bin'.
- Test 3Simulate Reload Scheduling After Image Staging (Cisco IOS)
Expected signal: Syslog message: '%SYS-5-RELOAD: Reload requested by <user> on <line>. Reload Reason: Reload Command.' followed by '%SYS-5-RELOAD_CANCEL: <user> cancel reload process'. Both messages are forwarded to the SIEM and should be visible within seconds.
- Test 4Verify Image Integrity Baseline (Cisco IOS — MD5 Hash Check)
Expected signal: The 'verify /md5' command generates a syslog message on completion: '%SYS-5-CONFIG_I' may appear if run from privilege exec, or a direct console output showing the computed hash. No network events are generated by the hash verification itself. The hash output is captured in the terminal session/TACACS+ accounting log.
- Test 5Juniper JunOS — Request System Software Downgrade Simulation
Expected signal: Juniper syslog message: 'UI_CMDLINE_READ_LINE: User <user>, Command request system software add ...' (from JUNOS SYSLOG). On Junos devices, all CLI commands are logged to syslog when command logging is enabled. The message will contain 'request system software' matching the InstallOp detection pattern.
References (9)
- https://attack.mitre.org/techniques/T1601/002/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- https://tools.cisco.com/security/center/resources/integrity_assurance.html
- https://www.cisco.com/c/en/us/about/security-center/ios-integrity-assurance.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1601.002/T1601.002.md
- https://www.mandiant.com/resources/synful-knock-acis
- https://learn.microsoft.com/en-us/azure/sentinel/connect-syslog
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-xe-3se-3850-cr-book/sec-d1-xe-3se-3850-cr-book_chapter_011.html
- https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/command/request-system-software-add.html
Unlock Pro Content
Get the full detection package for T1601.002 including response playbook, investigation guide, and atomic red team tests.