title: TFTP Boot (T1542.005)
id: df00tech-t1542-005
status: experimental
description: "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Adversaries may manipulate the configuration on the network device to specify a malicious TFTP server, which may be used in conjunction with Modify System Image to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of standard functionality."
references:
  - https://attack.mitre.org/techniques/T1542/005/
  - https://df00tech.com/detections/T1542.005
author: df00tech
date: 2026/04/20
tags:
  - attack.t1542.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate network operations teams performing scheduled IOS upgrades via TFTP from authorized network management servers (e.g., Cisco Prime, SolarWinds NCM)"
  - "Password recovery procedures — IOS password recovery requires setting config-register to 0x2142 (ROMMON bypass), which overlaps with TFTP boot register values"
  - Lab or test environment provisioning where TFTP netbooting is intentionally used for device imaging
  - "Automated configuration management platforms (Cisco NSO, Ansible) that push boot system commands as part of standardized device hardening baselines"
  - Network device replacement/RMA procedures where a new device is imaged via TFTP before being deployed into production
level: critical
