title: Patch System Image (T1601.001)
id: df00tech-t1601-001
status: experimental
description: "Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses. On monolithic-architecture devices such as Cisco IOS routers, Juniper JunOS appliances, and Palo Alto PAN-OS firewalls, the entire OS resides in a single image file. Adversaries can overwrite or supplement this image in flash storage using standard device management protocols (TFTP, FTP, SCP, HTTP), or manipulate the running OS directly in memory using native debug commands or malicious bootloader code implanted via ROMMONkit. Patching the system image allows adversaries to disable encryption (T1600), weaken authentication (T1556.004), bridge network boundaries (T1599), add keylogging (T1056.001), establish covert proxies (T1090.003), or falsify command output to hide the compromise. SYNful Knock is the most prominent real-world example, inserting a backdoored IOS image onto Cisco 1841, 2811, and 3825 routers. Patching in storage survives reboots; patching only in memory does not unless combined with a persistent bootloader implant."
references:
  - https://attack.mitre.org/techniques/T1601/001/
  - https://df00tech.com/detections/T1601.001
author: df00tech
date: 2026/03/13
tags:
  - attack.t1601.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate scheduled OS upgrades during approved maintenance windows — correlate with change management system
  - "Automated software lifecycle management tools (Cisco DNA Center, SolarWinds NCM, Ansible Network) that perform planned image pushes"
  - Disaster recovery restores where a known-good image backup is being re-applied after hardware replacement
  - "Security teams running integrity verification commands (verify /md5 flash:) as part of routine audits — these generate matching syslog but are read-only"
  - Network device lab or staging environments with frequent image cycling for testing
level: critical
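The detection block above is only a placeholder, so the following is an added example, not part of the df00tech rule or of any vendor's tooling, that applies the rule's idea to constructed CLI command-accounting lines: a network-sourced `copy` landing in image storage is an image write, `verify /md5 flash:` is read-only, and writes by a (host, user) pair covered by an approved change are downgraded rather than alerted. The line layout, storage device names and change records are assumptions.

```python
import re
from collections import namedtuple

# Transfer protocols the technique description names as image delivery channels.
TRANSFER_SCHEMES = ("tftp", "ftp", "scp", "sftp", "http", "https")
# Image/boot storage targets on a monolithic-image device (assumed device names).
IMAGE_STORAGE = re.compile(r"^(?:flash|bootflash|disk\d|usbflash\d|slot\d)(?::\S*)?$", re.I)
# Constructed accounting-line layout; real AAA/command accounting formats vary by vendor.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.+)$")
Finding = namedtuple("Finding", "ts host user cmd verdict")  # verdict: see classify_command

def classify_command(cmd: str) -> str:
    """Map one CLI command to image_write, verify_only or benign."""
    words = cmd.strip().lower().split()
    if not words:
        return "benign"
    if words[0] == "verify":
        # 'verify /md5 flash:...' only reads the image; the rule lists it as a false positive.
        return "verify_only"
    if words[0] == "copy" and len(words) >= 3:
        src, dst = words[1], words[-1]
        # Only a network source landing in image storage is an image write:
        # 'copy flash: tftp:' reads the image out and 'copy run start' touches no image.
        if IMAGE_STORAGE.match(dst) and src.split(":", 1)[0] in TRANSFER_SCHEMES:
            return "image_write"
    return "benign"

def detect(lines, approved):
    """Classify each parsable line; image writes by an approved (host, user) pair become approved_change."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        verdict = classify_command(m["cmd"])
        if verdict == "image_write" and (m["host"], m["user"]) in approved:
            verdict = "approved_change"
        findings.append(Finding(m["ts"], m["host"], m["user"], m["cmd"], verdict))
    return findings

# Constructed sample lines and change records (not from any real device or CMDB).
SAMPLE_LOGS = [
    "2026-03-13T02:10:11Z rtr-edge1 user=netops cmd=copy tftp://192.0.2.10/ios-image.bin flash:",
    "2026-03-13T02:11:40Z rtr-edge1 user=netops cmd=verify /md5 flash:ios-image.bin",
    "2026-03-13T09:30:02Z rtr-core2 user=svc-ncm cmd=copy scp://192.0.2.20/ios-image.bin bootflash:",
    "2026-03-13T11:02:55Z rtr-core2 user=admin cmd=copy flash:ios-image.bin tftp://192.0.2.10/",
    "2026-03-13T11:03:10Z rtr-core2 user=admin cmd=copy running-config startup-config",
]
APPROVED_CHANGES = {("rtr-core2", "svc-ncm")}
```

Only the `image_write` verdict is worth an alert at the rule's `critical` level; `verify_only` and `approved_change` are the two false-positive classes the rule lists, kept in the output for correlation.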
