Stealth Persistence

T1542.005: TFTP Boot


T1542.005 · Sub-technique · 1 platform

Description

Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.

Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with Modify System Image to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to ROMMONkit and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)
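The netboot described above starts with the device sending a TFTP read request (RRQ) for its image file to whatever server its configuration names. The following is an added detection example, not part of the ATT&CK entry and not vendor code: it parses TFTP request payloads using the RFC 1350 packet layout (2-byte opcode, NUL-terminated filename, NUL-terminated mode) and flags image reads directed at a server that is not on a constructed allowlist of management servers. The flows, addresses, filenames and the allowlist are all constructed for the example.

```python
"""Flag TFTP read requests for device images from non-approved servers.

Added example; not from MITRE ATT&CK or any network vendor.  Packet layout
follows RFC 1350.  The sample flows and the approved-server list are
constructed for illustration.
"""
import struct
from dataclasses import dataclass

RRQ = 1   # TFTP opcode: client reads a file from the server (netboot pulls an image this way)
WRQ = 2   # TFTP opcode: client writes a file to the server
# Suffixes commonly used for network device images; constructed, extend per environment.
IMAGE_SUFFIXES = (".bin", ".img", ".tar")


@dataclass
class Finding:
    client: str
    server: str
    filename: str
    mode: str
    reason: str


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ payload, or None if it is not one."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (RRQ, WRQ):
        return None
    # filename NUL mode NUL -> split yields [filename, mode, b""]
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:
        return None  # truncated request without both NUL terminators
    try:
        filename = fields[0].decode("ascii")
        mode = fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    if mode not in ("netascii", "octet", "mail"):
        return None
    return opcode, filename, mode


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Constructed helper that builds a valid RRQ payload for the sample data."""
    return struct.pack("!H", RRQ) + filename.encode("ascii") + b"\x00" + mode.encode("ascii") + b"\x00"


def inspect_flows(flows, approved_servers):
    """Return a Finding for every image RRQ whose server is not in approved_servers.

    flows: iterable of (client_ip, server_ip, udp_payload) tuples.
    """
    findings = []
    for client, server, payload in flows:
        parsed = parse_tftp_request(payload)
        if parsed is None or parsed[0] != RRQ:
            continue  # not a read request: DATA/ACK/ERROR packets and writes are ignored here
        _, filename, mode = parsed
        if not filename.lower().endswith(IMAGE_SUFFIXES):
            continue  # config files and other non-image reads are out of scope for this check
        if server in approved_servers:
            continue
        findings.append(Finding(client, server, filename, mode,
                                "device image requested from non-approved TFTP server"))
    return findings


# Constructed sample flows: (client, server, UDP payload sent to port 69).
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.10", build_rrq("switch-image.bin")),   # approved management server
    ("10.0.0.5", "192.0.2.77", build_rrq("switch-image.bin")),  # unknown server: should be flagged
    ("10.0.0.5", "192.0.2.77", build_rrq("startup.cfg")),       # not an image file
    ("10.0.0.5", "192.0.2.77", b"\x00\x03\x00\x01data"),        # DATA packet, not a request
]
APPROVED_TFTP_SERVERS = {"10.0.0.10"}

if __name__ == "__main__":
    for finding in inspect_flows(SAMPLE_FLOWS, APPROVED_TFTP_SERVERS):
        print(finding)
```

In practice the flows would come from a NetFlow or packet capture feed; the suffix list and allowlist are the two things a team tunes per environment, and an RRQ with no explicit server in the device configuration would still show up here because the check keys on the observed destination address rather than on the configuration.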

Platforms

Network Devices

Mitigations (6)

Network Intrusion PreventionM1031

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific protocols, such as TFTP, can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific technique used by a particular adversary or tool, and will likely be different across various network configuration

Operating System ConfigurationM1028

Follow vendor device hardening best practices to disable unnecessary and unused features and services, avoid using default configurations and passwords, and introduce logging and auditing for detection.

Privileged Account ManagementM1026

Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse. TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization. (Citation: Cisco IOS Software Integrity Assurance - AAA) (C

Limit Access to Resource Over NetworkM1035

Restrict use of protocols without encryption or authentication mechanisms. Limit access to administrative and management interfaces from untrusted network sources.

AuditM1047

Periodically check the integrity of the running configuration and system image to ensure they have not been modified. (Citation: Cisco IOS Software Integrity Assurance - Image File Verification) (Citation: Cisco IOS Software Integrity Assurance - Image File Integrity) (Citation: Cisco IOS Software Integrity Assurance - Change Control)
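One way to carry out the periodic check this mitigation describes, as an added example that is not part of the ATT&CK entry and not vendor tooling: parse the `boot system` statements of an IOS-style running configuration, flag any netboot entry that points at a TFTP server outside a constructed allowlist (or names no server at all), and compare the SHA-256 of each referenced image against a known-good manifest. The configuration text, the allowlist, the image bytes and the manifest are all constructed for the example; the `boot system` syntax variants handled are the common `flash:file`, `tftp file [ip]` and `tftp://ip/path` forms.

```python
"""Audit a network device's boot statements and image hashes.

Added example; not from MITRE ATT&CK or Cisco.  Handles IOS-style
'boot system ...' lines.  Config text, allowlist, image bytes and the
known-good hash manifest are constructed for illustration.
"""
import hashlib
import re

BOOT_RE = re.compile(r"^\s*boot system\s+(?P<rest>.+?)\s*$", re.IGNORECASE)
URL_RE = re.compile(r"(?P<scheme>[a-z]+)://(?P<host>[^/\s]+)/?(?P<path>\S*)", re.IGNORECASE)


def parse_boot_statements(config_text):
    """Return (scheme, target, server) per 'boot system' line; server is None when local or unspecified."""
    entries = []
    for line in config_text.splitlines():
        m = BOOT_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        url = URL_RE.match(rest)
        if url:  # boot system tftp://192.0.2.77/images/switch-image.bin
            entries.append((url.group("scheme").lower(), url.group("path"), url.group("host")))
            continue
        parts = rest.split()
        if parts[0].lower() == "tftp":  # boot system tftp switch-image.bin 192.0.2.77
            filename = parts[1] if len(parts) > 1 else ""
            server = parts[2] if len(parts) > 2 else None  # None: device falls back to its default TFTP server
            entries.append(("tftp", filename, server))
        else:  # boot system flash:switch-image.bin
            scheme, _, target = parts[0].partition(":")
            entries.append((scheme.lower(), target, None))
    return entries


def audit_boot(config_text, approved_tftp, known_good, images):
    """Return human-readable findings for unexpected netboot sources and image hash mismatches.

    known_good: {image name: expected sha256 hex}; images: {image name: bytes pulled from the device}.
    """
    findings = []
    entries = parse_boot_statements(config_text)
    if not entries:
        findings.append("no explicit boot system statement; device will use its default boot search")
    hashed = set()
    for scheme, target, server in entries:
        if scheme == "tftp":
            if server is None:
                findings.append(f"netboot of {target!r} with no explicit server")
            elif server not in approved_tftp:
                findings.append(f"netboot of {target!r} from non-approved server {server}")
        name = target.rsplit("/", 1)[-1]
        if name in hashed:
            continue  # same image referenced twice; hash it once
        hashed.add(name)
        data = images.get(name)
        expected = known_good.get(name)
        if data is None:
            findings.append(f"image {name!r} not available for hashing")
        elif expected is None:
            findings.append(f"no known-good hash recorded for {name!r}")
        elif hashlib.sha256(data).hexdigest() != expected:
            findings.append(f"image {name!r} hash does not match known-good value")
    return findings


# Constructed sample data: image bytes stand in for the real file, which would be copied off the device.
GOOD_IMAGE = b"constructed image bytes, release 1"
TAMPERED_IMAGE = b"constructed image bytes, release 1, plus an unexpected patch"
KNOWN_GOOD = {"switch-image.bin": hashlib.sha256(GOOD_IMAGE).hexdigest()}
APPROVED_TFTP = {"10.0.0.10"}

CLEAN_CONFIG = """\
hostname edge-sw-1
boot system flash:switch-image.bin
"""
SUSPECT_CONFIG = """\
hostname edge-sw-1
boot system tftp switch-image.bin 192.0.2.77
boot system flash:switch-image.bin
"""

if __name__ == "__main__":
    print("clean:", audit_boot(CLEAN_CONFIG, APPROVED_TFTP, KNOWN_GOOD, {"switch-image.bin": GOOD_IMAGE}))
    print("suspect:", audit_boot(SUSPECT_CONFIG, APPROVED_TFTP, KNOWN_GOOD, {"switch-image.bin": TAMPERED_IMAGE}))
```

The known-good manifest is the piece that needs a trusted origin: hashes recorded from the vendor download or from the change-control record at deployment time, not read back from the device being audited.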

Boot IntegrityM1046

Enable secure boot features to validate the digital signature of the boot environment and system image using a special purpose hardware device. If the validation check fails, the device will fail to boot preventing loading of unauthorized software. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot)


Frequently Asked Questions

What is T1542.005 (TFTP Boot)?

T1542.005 is a MITRE ATT&CK technique named 'TFTP Boot'. It belongs to the Stealth, Persistence tactic(s). Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server.

How can T1542.005 be detected?

Detection of T1542.005 (TFTP Boot) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1542.005?

There are 6 documented mitigations for T1542.005. Key mitigations include: Network Intrusion Prevention, Operating System Configuration, Privileged Account Management, Limit Access to Resource Over Network, Audit.

Which threat groups use T1542.005?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.