title: Downgrade System Image (T1601.002)
id: df00tech-t1601-002
status: experimental
description: "Adversaries may install an older version of the operating system of a network device to weaken its security posture. Older OS versions on network devices (Cisco IOS, Juniper JunOS, Palo Alto PAN-OS, Fortinet FortiOS) frequently have weaker encryption ciphers, unpatched vulnerabilities, and absent defensive features. On embedded devices, a downgrade typically requires replacing the OS image in flash storage and reconfiguring the boot system directive to point to the older file. The adversary downloads the target older image via TFTP, FTP, or SCP, overwrites or places it alongside the current image, and issues a 'boot system' change — either triggering an immediate reload or waiting for the next scheduled maintenance window. Downgrading enables follow-on techniques such as Weaken Encryption (T1600) and may be combined with Patch System Image (T1601.001) to install a backdoored older version. The SYNful Knock implant and Cisco IOS router compromise campaigns demonstrate this technique in real-world operations."
references:
  - https://attack.mitre.org/techniques/T1601/002/
  - https://df00tech.com/detections/T1601.002
author: df00tech
date: 2026/03/13
tags:
  - attack.t1601.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate planned OS upgrades — network engineers copying new images to flash during maintenance windows. Image transfers to flash are routine during sanctioned upgrade cycles.
  - "Automated configuration management systems (Cisco DNA Center, SolarWinds NCM, Ansible Network) that periodically push images or update boot configurations as part of lifecycle management."
  - Disaster recovery or rollback operations where a previous known-good image is intentionally restored after a failed upgrade — this is a legitimate downgrade but authorized.
  - Boot system commands added during image pre-staging where the new image is placed alongside the old one before a maintenance window cutover.
  - Lab and test environment devices where engineers frequently swap between image versions for testing purposes.
level: high