
Detect Modify System Image in IBM QRadar

This detection identifies adversary attempts to modify the operating system image of embedded network devices such as routers, switches, and firewalls. Adversaries may replace or patch the monolithic OS binary to weaken defenses, implant backdoors, or add new capabilities. Detection focuses on unauthorized TFTP/SCP image transfers to network devices, unexpected system image version changes logged via syslog, privilege escalation events on device management interfaces, and anomalous file copy operations on network management hosts. Both live in-memory modifications and persistent storage-based changes (applied on next boot) are targeted.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1601 Modify System Image
Canonical reference: https://attack.mitre.org/techniques/T1601/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
    UTF8(payload) AS "Message",
    devicetime AS "EventTime",
    sourceip AS "SourceIP",
    hostname AS "DeviceName",
    CASE
        WHEN UTF8(payload) ILIKE '%INTEGRITY_FAILED%'
          OR UTF8(payload) ILIKE '%SIGNATURE_FAILED%' THEN 100
        WHEN UTF8(payload) ILIKE '%copy tftp%'
         AND (UTF8(payload) ILIKE '%flash:%' OR UTF8(payload) ILIKE '%bootflash:%') THEN 80
        WHEN UTF8(payload) ILIKE '%boot system%'
         AND (UTF8(payload) ILIKE '%.bin%' OR UTF8(payload) ILIKE '%.pkg%') THEN 75
        WHEN UTF8(payload) ILIKE '%install activate%'
          OR UTF8(payload) ILIKE '%install add file%' THEN 70
        ELSE 50
    END AS "RiskScore"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Cisco IOS', 'Cisco IOS XE', 'Juniper Networks Junos')
  AND (
       UTF8(payload) ILIKE '%copy tftp%'
    OR UTF8(payload) ILIKE '%copy scp%'
    OR UTF8(payload) ILIKE '%copy ftp%'
    OR UTF8(payload) ILIKE '%boot system flash%'
    OR UTF8(payload) ILIKE '%install activate%'
    OR UTF8(payload) ILIKE '%INTEGRITY_FAILED%'
    OR UTF8(payload) ILIKE '%SIGNATURE_FAILED%'
    OR UTF8(payload) ILIKE '%FLASH-5-SIGNIFICANT_FLASH%'
  )
ORDER BY "RiskScore" DESC
LAST 24 HOURS
```

Severity: high · Confidence: medium

IBM QRadar AQL translation of the T1601 detection. Uses SQL-like syntax with risk scoring. Detects network device OS image modification attempts by correlating syslog messages from network in
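To check the scoring logic offline, here is the query's WHERE filter and CASE expression re-implemented in Python and run over constructed syslog payloads. This is an added example, not code from the page or from QRadar; the `LOGSOURCETYPENAME` filter is modelled as a plain source-type field on each sample event, and the sample messages, hostnames and IPs are invented.

```python
# Constructed sample events (sourcetype, sourceip, hostname, payload); none come
# from a real device. They mirror the message fragments the AQL query keys on.
SAMPLE_EVENTS = [
    ("Cisco IOS", "10.0.0.5", "core-rtr-01",
     "%SYS-5-CONFIG_I: Configured from console by admin"),
    ("Cisco IOS", "10.0.0.5", "core-rtr-01",
     "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:copy tftp://10.0.0.99/image.bin flash:"),
    ("Cisco IOS XE", "10.0.0.7", "edge-sw-02",
     "%PARSER-5-CFGLOG_LOGGEDCMD: User:ops logged command:boot system flash:new_image.bin"),
    ("Cisco IOS XE", "10.0.0.9", "dist-rtr-03",
     "%INSTALL-5-INSTALL_START_INFO: Started install activate"),
    ("Cisco IOS XE", "10.0.0.9", "dist-rtr-03",
     "%BOOT-3-SIGNATURE_FAILED: Image signature verification failed"),
    # Matches a payload term but comes from a log source type the query excludes.
    ("Linux OS", "10.0.0.50", "mgmt-host", "cron: copy tftp flash: backup job"),
]

# WHERE clause of the AQL query: accepted log source types and payload fragments.
SOURCE_TYPES = {"Cisco IOS", "Cisco IOS XE", "Juniper Networks Junos"}
FILTER_TERMS = ("copy tftp", "copy scp", "copy ftp", "boot system flash",
                "install activate", "INTEGRITY_FAILED", "SIGNATURE_FAILED",
                "FLASH-5-SIGNIFICANT_FLASH")

def has(payload, *terms):
    """Case-insensitive substring test, the equivalent of AQL ILIKE '%term%'."""
    p = payload.lower()
    return any(t.lower() in p for t in terms)

def risk_score(payload):
    """CASE expression of the query: the first matching branch wins, ELSE 50."""
    if has(payload, "INTEGRITY_FAILED", "SIGNATURE_FAILED"):
        return 100
    if has(payload, "copy tftp") and has(payload, "flash:", "bootflash:"):
        return 80
    if has(payload, "boot system") and has(payload, ".bin", ".pkg"):
        return 75
    if has(payload, "install activate", "install add file"):
        return 70
    return 50

def detect(events):
    """Apply the WHERE filter, score the survivors, return them highest risk first."""
    hits = [
        {"Message": payload, "SourceIP": ip, "DeviceName": host, "RiskScore": risk_score(payload)}
        for sourcetype, ip, host, payload in events
        if sourcetype in SOURCE_TYPES and has(payload, *FILTER_TERMS)
    ]
    return sorted(hits, key=lambda h: h["RiskScore"], reverse=True)

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["RiskScore"], hit["DeviceName"], hit["Message"])
```

Note that a `copy scp` or `copy ftp` to a non-flash target passes the WHERE filter but lands in the ELSE branch at score 50, which is worth remembering when tuning thresholds.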

Data Sources

  • Network Device Syslog
  • Cisco IOS
  • Juniper JunOS

Required Tables

events

False Positives & Tuning

  • Authorized network engineers performing scheduled firmware upgrades during maintenance windows via TFTP/SCP
  • Network management platforms (Cisco Prime, SolarWinds, Ansible AWX) performing automated image distribution and version compliance enforcement
  • Legitimate disaster recovery operations restoring a known-good baseline image after hardware failure
  • Vendor-assisted software update procedures conducted by authorized third-party contractors with change tickets
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate Unauthorized IOS Image Copy via TFTP on Management Host

     Expected signal: DeviceNetworkEvents: UDP port 69 connection attempt to target IP. DeviceProcessEvents: atftp process with command line containing .bin filename. Syslog: copy tftp message.

  2. Test 2: Inject Cisco IOS System Image Modification Syslog Messages

     Expected signal: Syslog table in Microsoft Sentinel (or Splunk syslog index) should receive entries with FILESYS, SYS-5-RELOAD, and SYS-6-BOOTTIME facility/message patterns from ROUTER-01.

  3. Test 3: Network Device Image Downgrade Simulation via SNMP Write

     Expected signal: CommonSecurityLog or Syslog: SNMP write attempts to network device. Syslog: MGMTBOOTERROR and downgrade notification messages. DeviceNetworkEvents: SNMP (UDP 161/162) traffic to test device.
