T1601 Microsoft Sentinel · KQL

Detect Modify System Image in Microsoft Sentinel

This detection identifies adversary attempts to modify the operating system image of embedded network devices such as routers, switches, and firewalls. Adversaries may replace or patch the monolithic OS binary to weaken defenses, implant backdoors, or add new capabilities. Detection focuses on unauthorized TFTP/SCP image transfers to network devices, unexpected system image version changes logged via syslog, privilege escalation events on device management interfaces, and anomalous file copy operations on network management hosts. Both live in-memory modifications and persistent storage-based changes (applied on next boot) are targeted.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1601 Modify System Image
Canonical reference
https://attack.mitre.org/techniques/T1601/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let NetworkDeviceImageKeywords = dynamic(["copy tftp", "copy ftp", "copy scp", "copy flash", "copy bootflash", "archive tar", "boot system flash", "boot system tftp", "verify /md5", "upgrade fpd", "install add file", "install activate", "request system software", "issu changeversion", "image upgrade"]);
let SyslogImageEvents = Syslog
| where Facility == "local7" or Facility == "local6" or SyslogMessage has_any ("FILESYS", "SYS-6-BOOTTIME", "SYS-5-RELOAD", "IMAGE", "INSTALL", "IOS_RESILIENCE")
| where SyslogMessage has_any ("copy", "upgrade", "install", "boot", "flash", "tftp", "verify", "archive")
| extend DeviceVendor = extract(@"^(\S+)", 1, Computer)
| project TimeGenerated, Computer, HostName, HostIP, SyslogMessage, ProcessName, Severity, Facility;
let CefImageEvents = CommonSecurityLog
| where DeviceVendor in~ ("Cisco", "Juniper", "Palo Alto Networks", "Fortinet", "F5", "Arista", "HPE", "Huawei")
| where Activity has_any ("image", "upgrade", "install", "copy", "boot", "firmware", "flash", "reload")
  or Message has_any (NetworkDeviceImageKeywords)
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceVersion, Activity, Message, SourceIP, DestinationIP, DestinationPort, SourceUserName, ExternalID;
let TftpTransfers = DeviceNetworkEvents
| where RemotePort == 69 or InitiatingProcessCommandLine has "tftp"
| where InitiatingProcessCommandLine has_any (".bin", ".img", ".tar", ".pkg", ".spa", ".vm", ".swx")
| extend SuspiciousImageTransfer = iff(InitiatingProcessCommandLine has_any ("tftp", "scp", "ftp") and InitiatingProcessCommandLine has_any (".bin", ".img", ".tar", ".pkg"), true, false)
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, RemoteIP, RemotePort, SuspiciousImageTransfer, InitiatingProcessAccountName;
let ManagementHostActivity = DeviceProcessEvents
| where ProcessCommandLine has_any ("copy tftp:", "copy scp:", "copy ftp:", "send-image", "tftpd", "cisco-image", "ios-image", "nxos", "junos-upgrade")
  or FileName has_any ("tftp", "tftpd", "tftpboot")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, ParentProcessName;
union kind=outer isfuzzy=true SyslogImageEvents, CefImageEvents, TftpTransfers, ManagementHostActivity
| extend AlertSeverity = case(
    isnotempty(SuspiciousImageTransfer) and SuspiciousImageTransfer == true, "High",
    SyslogMessage has_any ("SYS-5-RELOAD", "SYS-6-BOOTTIME", "IOS_RESILIENCE-3"), "High",
    Activity has_any ("firmware", "upgrade", "install") or Message has_any ("boot system", "install add"), "Medium",
    "Low"
)
| where AlertSeverity != "Low"
| sort by TimeGenerated desc
high severity medium confidence

Detects network device OS image modification attempts by correlating syslog messages from network infrastructure (Cisco IOS/NX-OS, Juniper JunOS, etc.) indicating image copy/upgrade/install operations, TFTP transfers of binary image files from management hosts, and CEF-formatted logs from security devices reporting firmware or image changes. Covers both in-memory live modifications and storage-based changes queued for next boot.

Data Sources

Microsoft Sentinel SyslogMicrosoft Defender for EndpointCommon Event Format (CEF) Connector

Required Tables

SyslogCommonSecurityLogDeviceNetworkEventsDeviceProcessEvents

False Positives & Tuning

  • Authorized network engineers performing scheduled firmware upgrades during maintenance windows via TFTP/SCP
  • Network management platforms (Cisco Prime, SolarWinds, Ansible AWX) performing automated image distribution and version compliance enforcement
  • Legitimate disaster recovery operations restoring a known-good baseline image after hardware failure
  • Vendor-assisted software update procedures conducted by authorized third-party contractors with change tickets
Download portable Sigma rule (.yml)

Other platforms for T1601

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Unauthorized IOS Image Copy via TFTP on Management Host

    Expected signal: DeviceNetworkEvents: UDP port 69 connection attempt to target IP. DeviceProcessEvents: atftp process with command line containing .bin filename. Syslog: copy tftp message.

  2. Test 2Inject Cisco IOS System Image Modification Syslog Messages

    Expected signal: Syslog table in Microsoft Sentinel (or Splunk syslog index) should receive entries with FILESYS, SYS-5-RELOAD, and SYS-6-BOOTTIME facility/message patterns from ROUTER-01.

  3. Test 3Network Device Image Downgrade Simulation via SNMP Write

    Expected signal: CommonSecurityLog or Syslog: SNMP write attempts to network device. Syslog: MGMTBOOTERROR and downgrade notification messages. DeviceNetworkEvents: SNMP (UDP 161/162) traffic to test device.

Last updated: 2026-03-20 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1601 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1601.001Patch System ImageT1601.002Downgrade System ImageT1556.003Pluggable Authentication ModulesT1205.002Socket FiltersT1027.011Fileless StorageT1578.004Revert Cloud InstanceT1564.012File/Path ExclusionsT1055.011Extra Window Memory InjectionT1218.011Rundll32T1222.002Linux and Mac File and Directory Permissions Modification

Same Tactic: Defense Evasion

Popular Detections