Detect Downgrade System Image in Microsoft Sentinel
Adversaries may install an older version of the operating system of a network device to weaken its security posture. Older OS versions on network devices (Cisco IOS, Juniper JunOS, Palo Alto PAN-OS, Fortinet FortiOS) frequently have weaker encryption ciphers, unpatched vulnerabilities, and absent defensive features. On embedded devices, a downgrade typically requires replacing the OS image in flash storage and reconfiguring the boot system directive to point to the older file. The adversary downloads the target older image via TFTP, FTP, or SCP, overwrites or places it alongside the current image, and issues a 'boot system' change — either triggering an immediate reload or waiting for the next scheduled maintenance window. Downgrading enables follow-on techniques such as Weaken Encryption (T1600) and may be combined with Patch System Image (T1601.001) to install a backdoored older version. The SYNful Knock implant and Cisco IOS router compromise campaigns demonstrate this technique in real-world operations.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1601 Modify System Image
- Sub-technique
- T1601.002 Downgrade System Image
- Canonical reference
- https://attack.mitre.org/techniques/T1601/002/
KQL Detection Query
// T1601.002 — Downgrade System Image Detection
// Monitors syslog telemetry from network devices for indicators of OS image downgrade:
// (1) Image file transfers to flash/bootflash, (2) boot system directive changes pointing to older images,
// (3) reload/reboot commands following configuration changes, (4) version downgrade confirmed post-reload
let DowngradeIndicators = dynamic([
"copy tftp", "copy ftp", "copy scp", "copy http",
"boot system flash", "boot system bootflash", "boot system tftp",
"no boot system", "default boot system",
"archive download", "install add", "install activate",
"request system software", "request system reboot",
"set system image"
]);
let DeviceVendors = dynamic([
"ios", "iosxe", "iosxr", "junos", "panos", "fortios", "nxos", "eos"
]);
Syslog
| where TimeGenerated > ago(24h)
| where Facility == "local7" or Facility == "local6" or SyslogMessage contains "SYS-" or SyslogMessage contains "CONFIG_I" or SyslogMessage contains "INSTALL"
| where SyslogMessage has_any (DowngradeIndicators)
or (SyslogMessage has "copy" and SyslogMessage has_any ("flash:", "bootflash:", "disk0:", "nvram:"))
or (SyslogMessage has "boot system" and SyslogMessage has_any (".bin", ".ova", ".qcow2", ".vmdk"))
or (SyslogMessage has "reload" and SyslogMessage has_any ("in ", "at ", "cancel"))
or (SyslogMessage has "install" and SyslogMessage has_any ("older", "previous", "rollback", "downgrade"))
| extend DeviceIP = Computer
| extend ParsedCommand = extract(@"(copy\s+\S+\s+\S+|boot\s+system\s+.+|install\s+\S+\s+\S+|request\s+system\s+.+)", 1, SyslogMessage)
| extend IsImageTransfer = SyslogMessage has_any ("copy tftp", "copy ftp", "copy scp", "copy http") and SyslogMessage has_any ("flash:", "bootflash:", "disk0:")
| extend IsBootChange = SyslogMessage has "boot system" and SyslogMessage has_any (".bin", ".tar", ".pkg")
| extend IsReloadScheduled = SyslogMessage has "reload" and (SyslogMessage has "in " or SyslogMessage has "at ")
| extend IsInstallOp = SyslogMessage has_any ("install add", "install activate", "archive download", "request system software")
| extend RiskScore = toint(IsImageTransfer) * 3 + toint(IsBootChange) * 3 + toint(IsReloadScheduled) * 1 + toint(IsInstallOp) * 2
| where RiskScore > 0
| project TimeGenerated, DeviceIP, SyslogMessage, ParsedCommand,
IsImageTransfer, IsBootChange, IsReloadScheduled, IsInstallOp, RiskScore
| sort by RiskScore desc, TimeGenerated descDetects network device OS image downgrade activity using Syslog telemetry ingested into Microsoft Sentinel. Monitors for image file transfer commands (TFTP/FTP/SCP copy to flash storage), boot system directive modifications pointing to image files, scheduled reload commands following configuration changes, and software install/activate operations. Uses a risk scoring system to prioritize alerts: image transfers and boot changes score highest (3 points each), install operations score 2, scheduled reloads score 1. Requires network devices to forward syslog to the Log Analytics workspace. TACACS+ command accounting (if available via CommonSecurityLog) provides higher-fidelity command-level telemetry.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate planned OS upgrades — network engineers copying new images to flash during maintenance windows. Image transfers to flash are routine during sanctioned upgrade cycles.
- Automated configuration management systems (Cisco DNA Center, SolarWinds NCM, Ansible Network) that periodically push images or update boot configurations as part of lifecycle management.
- Disaster recovery or rollback operations where a previous known-good image is intentionally restored after a failed upgrade — this is a legitimate downgrade but authorized.
- Boot system commands added during image pre-staging where the new image is placed alongside the old one before a maintenance window cutover.
- Lab and test environment devices where engineers frequently swap between image versions for testing purposes.
Other platforms for T1601.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Image Transfer to Flash (Cisco IOS — TFTP Copy Command)
Expected signal: Syslog message containing 'copy tftp' and 'flash:' forwarded to the collector. Message format: '%SYS-5-CONFIG_I: Configured from console by <user> on <interface>' followed by copy initiation message. The SIEM should receive log entries matching the image transfer pattern within 30 seconds of command execution.
- Test 2Simulate Boot System Directive Change to Older Image
Expected signal: Syslog %SYS-5-CONFIG_I message indicating configuration change via console or vty. The boot system command itself may appear in TACACS+ accounting logs. On devices with enhanced logging: 'PARSER-5-CFGLOG_LOGGEDCMD: User logged command stem boot system flash:c7200-advipservicesk9-mz.122-55.bin'.
- Test 3Simulate Reload Scheduling After Image Staging (Cisco IOS)
Expected signal: Syslog message: '%SYS-5-RELOAD: Reload requested by <user> on <line>. Reload Reason: Reload Command.' followed by '%SYS-5-RELOAD_CANCEL: <user> cancel reload process'. Both messages are forwarded to the SIEM and should be visible within seconds.
- Test 4Verify Image Integrity Baseline (Cisco IOS — MD5 Hash Check)
Expected signal: The 'verify /md5' command generates a syslog message on completion: '%SYS-5-CONFIG_I' may appear if run from privilege exec, or a direct console output showing the computed hash. No network events are generated by the hash verification itself. The hash output is captured in the terminal session/TACACS+ accounting log.
- Test 5Juniper JunOS — Request System Software Downgrade Simulation
Expected signal: Juniper syslog message: 'UI_CMDLINE_READ_LINE: User <user>, Command request system software add ...' (from JUNOS SYSLOG). On Junos devices, all CLI commands are logged to syslog when command logging is enabled. The message will contain 'request system software' matching the InstallOp detection pattern.
References (9)
- https://attack.mitre.org/techniques/T1601/002/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- https://tools.cisco.com/security/center/resources/integrity_assurance.html
- https://www.cisco.com/c/en/us/about/security-center/ios-integrity-assurance.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1601.002/T1601.002.md
- https://www.mandiant.com/resources/synful-knock-acis
- https://learn.microsoft.com/en-us/azure/sentinel/connect-syslog
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-xe-3se-3850-cr-book/sec-d1-xe-3se-3850-cr-book_chapter_011.html
- https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/command/request-system-software-add.html
Unlock Pro Content
Get the full detection package for T1601.002 including response playbook, investigation guide, and atomic red team tests.