Detect Modify System Image in Google Chronicle
This detection identifies adversary attempts to modify the operating system image of embedded network devices such as routers, switches, and firewalls. Adversaries may replace or patch the monolithic OS binary to weaken defenses, implant backdoors, or add new capabilities. Detection focuses on unauthorized TFTP/SCP image transfers to network devices, unexpected system image version changes logged via syslog, privilege escalation events on device management interfaces, and anomalous file copy operations on network management hosts. Both live in-memory modifications and persistent storage-based changes (applied on next boot) are targeted.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1601 Modify System Image
- Canonical reference
- https://attack.mitre.org/techniques/T1601/
YARA-L Detection Query
rule detect_system_image_modification {
meta:
author = "Argus"
description = "Detects network device OS image modification attempts"
severity = "CRITICAL"
technique = "T1601"
events:
$e.metadata.event_type = "NETWORK_UNCATEGORIZED"
$e.metadata.product_name = "Cisco IOS"
(
re.regex($e.network.session_id, `copy (tftp|ftp|scp)|boot system flash|install activate|INTEGRITY_FAILED|SIGNATURE_FAILED|FLASH-5-SIGNIFICANT_FLASH`) nocase
)
condition:
$e
}Google Chronicle YARA-L 2.0 rule for T1601 detection using UDM event types and field matching. Detects network device OS image modification attempts by correlating syslog messages from network in
Data Sources
Required Tables
False Positives & Tuning
- Authorized network engineers performing scheduled firmware upgrades during maintenance windows via TFTP/SCP
- Network management platforms (Cisco Prime, SolarWinds, Ansible AWX) performing automated image distribution and version compliance enforcement
- Legitimate disaster recovery operations restoring a known-good baseline image after hardware failure
- Vendor-assisted software update procedures conducted by authorized third-party contractors with change tickets
Other platforms for T1601
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Unauthorized IOS Image Copy via TFTP on Management Host
Expected signal: DeviceNetworkEvents: UDP port 69 connection attempt to target IP. DeviceProcessEvents: atftp process with command line containing .bin filename. Syslog: copy tftp message.
- Test 2Inject Cisco IOS System Image Modification Syslog Messages
Expected signal: Syslog table in Microsoft Sentinel (or Splunk syslog index) should receive entries with FILESYS, SYS-5-RELOAD, and SYS-6-BOOTTIME facility/message patterns from ROUTER-01.
- Test 3Network Device Image Downgrade Simulation via SNMP Write
Expected signal: CommonSecurityLog or Syslog: SNMP write attempts to network device. Syslog: MGMTBOOTERROR and downgrade notification messages. DeviceNetworkEvents: SNMP (UDP 161/162) traffic to test device.
References (8)
- https://attack.mitre.org/techniques/T1601/
- https://attack.mitre.org/techniques/T1601/001/
- https://attack.mitre.org/techniques/T1601/002/
- https://blogs.cisco.com/security/synful-knock
- https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
- https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/12839-ios-integrity.html
- https://www.cisa.gov/sites/default/files/publications/Network_Device_Integrity_NDI_Methodology.pdf
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-16/sec-usr-aaa-xe-16-book/sec-usr-aaa-xe-16-book_chapter_01.html
Unlock Pro Content
Get the full detection package for T1601 including response playbook, investigation guide, and atomic red team tests.