title: ROMMONkit (T1542.004)
id: df00tech-t1542-004
status: experimental
description: "Adversaries may abuse the ROM Monitor (ROMMON) by loading unauthorized firmware with adversary code to provide persistent access and manipulate Cisco network device behavior in a way that is extremely difficult to detect. ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. An adversary may upgrade the ROMMON image locally or remotely via TFTP with adversary code and restart the device to overwrite the existing ROMMON image. This provides persistence that survives IOS upgrades and standard remediation, and has been observed in the wild via the SYNful Knock implant campaign targeting Cisco ISR routers. Because ROMMON executes before the operating system loads, malicious code embedded at this layer can intercept and modify IOS behavior, inject backdoors, and evade integrity checks."
references:
  - https://attack.mitre.org/techniques/T1542/004/
  - https://df00tech.com/detections/T1542.004
author: df00tech
date: 2026/04/20
tags:
  - attack.t1542.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate ROMMON upgrades performed by network engineering teams during planned maintenance windows — correlate against change management tickets
  - Authorized IOS image upgrades via TFTP during software lifecycle management cycles that log BOOT variable changes
  - Network device password recovery procedures using confreg 0x2142 performed by authorized administrators
  - Automated configuration management platforms (Cisco DNA Center, RANCID, Oxidized) that perform TFTP-based image pushes as part of normal operations
level: critical
