T1542.004 ROMMONkit

Adversaries may abuse the ROM Monitor (ROMMON) by loading unauthorized firmware containing adversary code in order to gain persistent access and manipulate device behavior in ways that are difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)

ROMMON is Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to TFTP Boot, an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with an image containing adversary code and then restart the device so that the existing ROMMON image is overwritten. Updating the ROMMON in this way gives adversaries persistence on the device that may be difficult to detect.


CRI Profile Mappings

Capability ID  Capability Description  Mapping Type  ATT&CK ID  ATT&CK Name  Notes

DE.AE-02.01  Event analysis and detection  Mitigates  T1542.004  ROMMONkit
    Comments: This diagnostic statement provides for the implementation of methods to block similar future attacks through security tools such as antivirus and IDS/IPS, protecting against threats and exploitation attempts.

DE.CM-09.01  Software and data integrity checking  Mitigates  T1542.004  ROMMONkit
    Comments: This diagnostic statement protects against ROMMONkit by verifying the integrity of software and firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures.

PR.PS-01.03  Configuration deviation  Mitigates  T1542.004  ROMMONkit
    Comments: This diagnostic statement protects against ROMMONkit through security configuration baselines for the OS, software, file integrity monitoring, and imaging. Security baselining and integrity checking help protect against adversaries attempting to compromise and modify software and its configurations.

PR.IR-01.03  Network communications integrity and availability  Mitigates  T1542.004  ROMMONkit
    Comments: This diagnostic statement protects against ROMMONkit through secure network configurations and architecture, implementation of zero trust architecture, and segmentation.

NIST 800-53 Mappings

Capability ID  Capability Description  Mapping Type  ATT&CK ID  ATT&CK Name  Notes
CA-07  Continuous Monitoring  mitigates  T1542.004  ROMMONkit
CM-06  Configuration Settings  mitigates  T1542.004  ROMMONkit
CM-05  Access Restrictions for Change  mitigates  T1542.004  ROMMONkit
SA-10  Developer Configuration Management  mitigates  T1542.004  ROMMONkit
IA-07  Cryptographic Module Authentication  mitigates  T1542.004  ROMMONkit
RA-09  Criticality Analysis  mitigates  T1542.004  ROMMONkit
SC-34  Non-modifiable Executable Programs  mitigates  T1542.004  ROMMONkit
SI-02  Flaw Remediation  mitigates  T1542.004  ROMMONkit
RA-05  Vulnerability Monitoring and Scanning  mitigates  T1542.004  ROMMONkit
CM-08  System Component Inventory  mitigates  T1542.004  ROMMONkit
SI-07  Software, Firmware, and Information Integrity  mitigates  T1542.004  ROMMONkit
CM-02  Baseline Configuration  mitigates  T1542.004  ROMMONkit
SA-11  Developer Testing and Evaluation  mitigates  T1542.004  ROMMONkit
CM-07  Least Functionality  mitigates  T1542.004  ROMMONkit
SI-04  System Monitoring  mitigates  T1542.004  ROMMONkit
AC-03  Access Enforcement  mitigates  T1542.004  ROMMONkit
AC-06  Least Privilege  mitigates  T1542.004  ROMMONkit
SC-07  Boundary Protection  mitigates  T1542.004  ROMMONkit
CM-03  Configuration Change Control  mitigates  T1542.004  ROMMONkit

VERIS Mappings

Capability ID  Capability Description  Mapping Type  ATT&CK ID  ATT&CK Name  Notes
action.malware.variety.Rootkit  Rootkit (maintain local privileges and stealth)  related-to  T1542.004  ROMMONkit