Detect Modify System Image in Splunk
This detection identifies adversary attempts to modify the operating system image of embedded network devices such as routers, switches, and firewalls. Adversaries may replace or patch the monolithic OS binary to weaken defenses, implant backdoors, or add new capabilities. Detection focuses on unauthorized TFTP/SCP image transfers to network devices, unexpected system image version changes logged via syslog, privilege escalation events on device management interfaces, and anomalous file copy operations on network management hosts. The detection covers both live in-memory modifications and persistent changes to the stored image that take effect on the next boot.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1601 Modify System Image
- Canonical reference: https://attack.mitre.org/techniques/T1601/
SPL Detection Query
(index=network_devices OR index=syslog OR index=cisco_ios)
(sourcetype="syslog" OR sourcetype="cisco:ios" OR sourcetype="cisco:asa" OR sourcetype="cisco:nxos" OR sourcetype="juniper:junos" OR sourcetype="fortinet:fortigate" OR sourcetype="paloalto:firewall")
| eval raw_lower=lower(_raw)
| search raw_lower IN ("*copy tftp*", "*copy ftp*", "*copy scp*", "*boot system flash*", "*boot system tftp*", "*install add file*", "*install activate*", "*upgrade fpd*", "*request system software*", "*issu changeversion*", "*ios_resilience*", "*sys-5-reload*", "*sys-6-boottime*", "*verify /md5*", "*archive tar*", "*image download*", "*firmware upgrade*", "*.bin*", "*bootflash*")
| rex field=_raw "(?i)(copy|install|upgrade|boot\s+system|verify)\s+(?<ImageOperation>[^\s]+(?:\s+[^\s]+)?)"
| rex field=_raw "(?i)(?<ImageFile>[\w\-\.]+\.(?:bin|img|tar|pkg|spa|vm|swx|vmdk))"
| rex field=host "(?<DeviceIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| eval DeviceIdentifier=coalesce(host, src_ip, DeviceIP, "unknown")
| eval OperationRisk=case(
match(raw_lower, "sys-5-reload|sys-6-boottime|ios_resilience-3|verify.*md5"), "HIGH",
match(raw_lower, "install activate|issu changeversion|request system software"), "HIGH",
match(raw_lower, "copy tftp|copy scp|copy ftp") AND match(raw_lower, "\.bin|\.img|\.tar|\.pkg"), "HIGH",
match(raw_lower, "boot system flash|boot system tftp"), "MEDIUM",
match(raw_lower, "upgrade fpd|firmware upgrade|image download"), "MEDIUM",
true(), "LOW"
)
| where OperationRisk IN ("HIGH", "MEDIUM")
| stats count AS EventCount,
values(ImageOperation) AS Operations,
values(ImageFile) AS ImageFiles,
values(OperationRisk) AS RiskLevels,
earliest(_time) AS FirstSeen,
latest(_time) AS LastSeen
BY DeviceIdentifier, sourcetype
| eval DurationMinutes=round((LastSeen - FirstSeen) / 60, 2)
| eval RiskScore=case(
mvcount(ImageFiles) > 1, 90,
mvfind(RiskLevels, "HIGH") >= 0, 75,
true(), 50
)
| where RiskScore >= 50
| eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S"), LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| sort - RiskScore
| table DeviceIdentifier, sourcetype, EventCount, Operations, ImageFiles, RiskLevels, RiskScore, DurationMinutes, FirstSeen, LastSeen

The index terms are grouped in parentheses so that the sourcetype filter applies to all three indexes (SPL binds AND more tightly than OR, so without the grouping the sourcetype clause would constrain only index=cisco_ios). The per-event EventTime field from the original query is not carried through stats, so FirstSeen and LastSeen are formatted for display after DurationMinutes is computed from the epoch values instead.

Correlates network device syslog messages across Cisco IOS/NX-OS, Juniper JunOS, Fortinet, and Palo Alto platforms to identify system image modification operations including TFTP/SCP image transfers, IOS resilience tamper events, image install/activate commands, and boot system configuration changes pointing to new image files. Scores events by risk level and aggregates by device to surface systematic image replacement campaigns.
Data Sources
Indexes searched: network_devices, syslog, cisco_ios
Required Sourcetypes
- syslog
- cisco:ios
- cisco:asa
- cisco:nxos
- juniper:junos
- fortinet:fortigate
- paloalto:firewall
False Positives & Tuning
- Scheduled maintenance window image upgrades performed by authorized network operations center (NOC) personnel
- Automated network compliance tools (Cisco DNA Center, NetBrain, Ansible) enforcing approved image versions
- Vendor-initiated upgrade procedures following published EOL/EOS advisories with change management approval
- Disaster recovery restoration of known-good images following hardware replacement
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Simulate Unauthorized IOS Image Copy via TFTP on Management Host
Expected signal: DeviceNetworkEvents: UDP port 69 connection attempt to target IP. DeviceProcessEvents: atftp process with command line containing .bin filename. Syslog: copy tftp message.
- Test 2: Inject Cisco IOS System Image Modification Syslog Messages
Expected signal: Syslog table in Microsoft Sentinel (or Splunk syslog index) should receive entries with FILESYS, SYS-5-RELOAD, and SYS-6-BOOTTIME facility/message patterns from ROUTER-01.
- Test 3: Network Device Image Downgrade Simulation via SNMP Write
Expected signal: CommonSecurityLog or Syslog: SNMP write attempts to network device. Syslog: MGMTBOOTERROR and downgrade notification messages. DeviceNetworkEvents: SNMP (UDP 161/162) traffic to test device.
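The SPL query above cannot be run outside Splunk, so the following Python re-implements its two stages (per-event triggering and risk tiering, then per-device aggregation and RiskScore) and runs them over constructed syslog lines of the kind Test 2 injects. This is an added example, not code from the detection page or its author; every log line, hostname (ROUTER-01, SWITCH-02), IP address and image filename in it is constructed for illustration, and the message formats only approximate real Cisco syslog. It is useful for regression-testing changes to the trigger list or the case() tiers before editing the saved search.

```python
"""Offline re-implementation of the SPL detection above, for regression-testing the
rule against synthetic syslog lines. Added example, not part of the detection page.
All log lines, hostnames (ROUTER-01, SWITCH-02) and IPs below are constructed."""
import re
from collections import defaultdict

# Trigger terms mirrored from the SPL `search raw_lower IN (...)` clause (wildcards dropped,
# since a plain substring test on the lowercased line is equivalent).
TRIGGERS = (
    "copy tftp", "copy ftp", "copy scp", "boot system flash", "boot system tftp",
    "install add file", "install activate", "upgrade fpd", "request system software",
    "issu changeversion", "ios_resilience", "sys-5-reload", "sys-6-boottime", "verify /md5",
    "archive tar", "image download", "firmware upgrade", ".bin", "bootflash",
)

# Risk tiers in the same order as the SPL case(): the first predicate that matches wins.
RISK_RULES = (
    ("HIGH", lambda s: re.search(r"sys-5-reload|sys-6-boottime|ios_resilience-3|verify.*md5", s)),
    ("HIGH", lambda s: re.search(r"install activate|issu changeversion|request system software", s)),
    ("HIGH", lambda s: re.search(r"copy tftp|copy scp|copy ftp", s)
                       and re.search(r"\.bin|\.img|\.tar|\.pkg", s)),
    ("MEDIUM", lambda s: re.search(r"boot system flash|boot system tftp", s)),
    ("MEDIUM", lambda s: re.search(r"upgrade fpd|firmware upgrade|image download", s)),
)

# The two rex extractions from the query, as Python named groups.
OP_RE = re.compile(r"(?i)(?:copy|install|upgrade|boot\s+system|verify)\s+(?P<op>\S+(?:\s+\S+)?)")
FILE_RE = re.compile(r"(?i)(?P<file>[\w\-\.]+\.(?:bin|img|tar|pkg|spa|vm|swx|vmdk))")


def classify(raw):
    """Per-event stage: return (OperationRisk, ImageOperation, ImageFile) for a line that
    survives the trigger search and `where OperationRisk IN ("HIGH", "MEDIUM")`, else None."""
    low = raw.lower()
    if not any(term in low for term in TRIGGERS):
        return None
    risk = next((level for level, pred in RISK_RULES if pred(low)), "LOW")
    if risk == "LOW":
        return None
    op = OP_RE.search(raw)
    img = FILE_RE.search(raw)
    return risk, op.group("op") if op else None, img.group("file") if img else None


def aggregate(events):
    """Aggregation stage: events are (epoch_seconds, host, raw_line) tuples. Mirrors the
    stats ... BY DeviceIdentifier step and the RiskScore case(); returns {host: row}
    ordered by descending RiskScore, like `sort - RiskScore`."""
    rows = defaultdict(lambda: {"EventCount": 0, "Operations": set(), "ImageFiles": set(),
                                "RiskLevels": set(), "FirstSeen": None, "LastSeen": None})
    for ts, host, raw in events:
        hit = classify(raw)
        if hit is None:
            continue
        risk, op, img = hit
        row = rows[host]
        row["EventCount"] += 1
        row["RiskLevels"].add(risk)
        if op:
            row["Operations"].add(op)
        if img:
            row["ImageFiles"].add(img)
        row["FirstSeen"] = ts if row["FirstSeen"] is None else min(row["FirstSeen"], ts)
        row["LastSeen"] = ts if row["LastSeen"] is None else max(row["LastSeen"], ts)
    for row in rows.values():
        # mvcount(ImageFiles) > 1 -> 90; any HIGH event -> 75; otherwise 50
        if len(row["ImageFiles"]) > 1:
            row["RiskScore"] = 90
        elif "HIGH" in row["RiskLevels"]:
            row["RiskScore"] = 75
        else:
            row["RiskScore"] = 50
        row["DurationMinutes"] = round((row["LastSeen"] - row["FirstSeen"]) / 60, 2)
    return dict(sorted(rows.items(), key=lambda kv: -kv[1]["RiskScore"]))


# Constructed sample telemetry: an image swap sequence on ROUTER-01 (new image pulled over
# TFTP, boot pointer moved to it, old pointer removed, reload) and a routine IOS-XE install
# on SWITCH-02, plus one unrelated interface message that must not trigger.
T0 = 1700000000
SAMPLE_EVENTS = [
    (T0, "ROUTER-01", "Nov 14 22:13:20 ROUTER-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:copy tftp://10.0.0.5/c2900-universalk9-mz.SPA.155-3.M.bin flash:"),
    (T0 + 120, "ROUTER-01", "Nov 14 22:15:20 ROUTER-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:boot system flash:c2900-universalk9-mz.SPA.155-3.M.bin"),
    (T0 + 130, "ROUTER-01", "Nov 14 22:15:30 ROUTER-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:no boot system flash:c2900-universalk9-mz.SPA.152-4.M3.bin"),
    (T0 + 300, "ROUTER-01", "Nov 14 22:18:20 ROUTER-01 %SYS-5-RELOAD: Reload requested by admin on vty0 (10.0.0.5). Reload Reason: Reload Command."),
    (T0 + 480, "ROUTER-01", "Nov 14 22:21:20 ROUTER-01 %SYS-6-BOOTTIME: Time taken to reboot after reload = 178 seconds"),
    (T0 + 1000, "SWITCH-02", "Nov 14 22:30:00 SWITCH-02 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:install add file bootflash:cat9k_iosxe.17.06.05.SPA.bin"),
    (T0 + 1060, "SWITCH-02", "Nov 14 22:31:00 SWITCH-02 %INSTALL-5-INSTALL_START_INFO: Started install activate bootflash:cat9k_iosxe.17.06.05.SPA.bin"),
    (T0 + 1120, "SWITCH-02", "Nov 14 22:32:00 SWITCH-02 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up"),
]

if __name__ == "__main__":
    for host, row in aggregate(SAMPLE_EVENTS).items():
        print(host, row["RiskScore"], row["EventCount"], sorted(row["RiskLevels"]),
              sorted(row["ImageFiles"]), row["DurationMinutes"])
```

Running it places ROUTER-01 first with RiskScore 90, because two distinct image filenames (the new one pulled over TFTP and the old one removed from the boot list) appear in its events, and SWITCH-02 second with 75 from the single HIGH `install activate` message. It also shows a property of the rule worth knowing when tuning: the `install add file` line on SWITCH-02 matches a trigger term but no case() tier, so it lands in LOW and is discarded by the `where` filter; if image staging should alert on its own, it needs a tier in the SPL case() (and in RISK_RULES here).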
References
- https://attack.mitre.org/techniques/T1601/
- https://attack.mitre.org/techniques/T1601/001/
- https://attack.mitre.org/techniques/T1601/002/
- https://blogs.cisco.com/security/synful-knock
- https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
- https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/12839-ios-integrity.html
- https://www.cisa.gov/sites/default/files/publications/Network_Device_Integrity_NDI_Methodology.pdf
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-16/sec-usr-aaa-xe-16-book/sec-usr-aaa-xe-16-book_chapter_01.html