T1542.005 TFTP Boot

Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.

Adversaries may manipulate the configuration on the network device to specify a malicious TFTP server, which may be used in conjunction with Modify System Image to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of standard functionality. This technique is similar to ROMMONkit and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)
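Because a TFTP boot is an ordinary Read Request (RRQ) on UDP/69 for an image file, a defender can spot the abuse described above by checking which server each image request goes to. The following is an added example, not part of the mapping page or of any vendor tool: it parses RFC 1350 RRQ/WRQ payloads and flags image requests sent to servers outside a hypothetical allowlist; the server addresses, filenames and packets are constructed for the example.

```python
import struct

# RFC 1350 opcodes; a netboot is a Read Request (RRQ) for an image file.
OP_RRQ, OP_WRQ = 1, 2

# Hypothetical allowlist of sanctioned image servers (constructed for this example).
TRUSTED_TFTP_SERVERS = {"10.0.0.5"}
# File suffixes treated as device images (assumption; tune to your platform's naming).
IMAGE_SUFFIXES = (".bin", ".img", ".tar")


def parse_tftp_request(payload: bytes):
    """Parse an RRQ/WRQ: 2-byte opcode, filename NUL, mode NUL. Other opcodes -> None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the empty tail after the final NUL
        return None
    return {
        "opcode": opcode,
        "filename": fields[0].decode("ascii", "replace"),
        "mode": fields[1].decode("ascii", "replace").lower(),
    }


def flag_untrusted_boot(packets):
    """packets: (src_ip, dst_ip, dst_port, udp_payload). Returns one alert per image RRQ
    aimed at a TFTP server that is not on the allowlist."""
    alerts = []
    for src, dst, dport, payload in packets:
        if dport != 69:
            continue
        req = parse_tftp_request(payload)
        if req is None or req["opcode"] != OP_RRQ:
            continue
        if not req["filename"].lower().endswith(IMAGE_SUFFIXES):
            continue  # config or other file fetch; out of scope for this check
        if dst not in TRUSTED_TFTP_SERVERS:
            alerts.append(f"{src} requested image {req['filename']} from untrusted TFTP server {dst}")
    return alerts


def rrq(filename: str, mode: str = "octet") -> bytes:
    """Build an RRQ payload for the constructed sample traffic below."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


SAMPLE_PACKETS = [  # constructed sample traffic
    ("10.0.1.20", "10.0.0.5", 69, rrq("device-image.bin")),      # sanctioned server
    ("10.0.1.20", "192.168.7.9", 69, rrq("device-image.bin")),   # untrusted server
    ("10.0.1.21", "192.168.7.9", 69, rrq("startup-config")),     # not an image fetch
]
```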


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
DE.AE-02.01 | Event analysis and detection | Mitigates | T1542.005 | TFTP Boot
    Comments: This diagnostic statement provides for implementing methods, such as antivirus and IDS/IPS, that block similar future attacks and protect against threats and exploitation attempts.
PR.IR-01.06 | Production environment segregation | Mitigates | T1542.005 | TFTP Boot
    Comments: This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
PR.PS-01.01 | Configuration baselines | Mitigates | T1542.005 | TFTP Boot
    Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.
PR.PS-01.02 | Least functionality | Mitigates | T1542.005 | TFTP Boot
    Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
PR.AA-05.02 | Privileged system access | Mitigates | T1542.005 | TFTP Boot
    Comments: This diagnostic statement protects against TFTP Boot through the use of privileged account management and multi-factor authentication.
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1542.005 | TFTP Boot
    Comments: This diagnostic statement protects against TFTP Boot by verifying the integrity of software and firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures.
PR.PS-01.03 | Configuration deviation | Mitigates | T1542.005 | TFTP Boot
    Comments: This diagnostic statement provides protection from TFTP Boot through the implementation of security configuration baselines for OS, software, file integrity monitoring, and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
PR.IR-01.02 | Network device configurations | Mitigates | T1542.005 | TFTP Boot
    Comments: This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Employing restrictions on untrusted network sources can mitigate adversary abuse of TFTP boot (netbooting).
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1542.005 | TFTP Boot
    Comments: This diagnostic statement protects against TFTP Boot through the use of secure network configurations and architecture, implementation of zero trust architecture, and segmentation.
PR.IR-01.05 | Remote access protection | Mitigates | T1542.005 | TFTP Boot
    Comments: This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
PR.PS-01.08 | End-user device protection | Mitigates | T1542.005 | TFTP Boot
    Comments: This diagnostic statement protects against TFTP Boot by limiting access to resources to only authorized devices, managing personal computing devices, network intrusion prevention, and the use of antimalware.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CA-07 | Continuous Monitoring | mitigates | T1542.005 | TFTP Boot
CM-06 | Configuration Settings | mitigates | T1542.005 | TFTP Boot
CM-05 | Access Restrictions for Change | mitigates | T1542.005 | TFTP Boot
IA-08 | Identification and Authentication (Non-Organizational Users) | mitigates | T1542.005 | TFTP Boot
SA-10 | Developer Configuration Management | mitigates | T1542.005 | TFTP Boot
IA-07 | Cryptographic Module Authentication | mitigates | T1542.005 | TFTP Boot
RA-09 | Criticality Analysis | mitigates | T1542.005 | TFTP Boot
SC-34 | Non-modifiable Executable Programs | mitigates | T1542.005 | TFTP Boot
SI-02 | Flaw Remediation | mitigates | T1542.005 | TFTP Boot
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1542.005 | TFTP Boot
CM-08 | System Component Inventory | mitigates | T1542.005 | TFTP Boot
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1542.005 | TFTP Boot
CM-02 | Baseline Configuration | mitigates | T1542.005 | TFTP Boot
SA-11 | Developer Testing and Evaluation | mitigates | T1542.005 | TFTP Boot
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1542.005 | TFTP Boot
CM-07 | Least Functionality | mitigates | T1542.005 | TFTP Boot
SI-04 | System Monitoring | mitigates | T1542.005 | TFTP Boot
AC-02 | Account Management | mitigates | T1542.005 | TFTP Boot
AC-03 | Access Enforcement | mitigates | T1542.005 | TFTP Boot
AC-05 | Separation of Duties | mitigates | T1542.005 | TFTP Boot
AC-06 | Least Privilege | mitigates | T1542.005 | TFTP Boot
SC-07 | Boundary Protection | mitigates | T1542.005 | TFTP Boot
CM-03 | Configuration Change Control | mitigates | T1542.005 | TFTP Boot

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1542.005 | TFTP Boot

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
azure_network_security_groups | Azure Network Security Groups | technique_scores | T1542.005 | TFTP Boot
    Comments: This control can be used to restrict clients to connecting (and therefore booting) from only trusted network resources.
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1542.005 | TFTP Boot
    Comments: This control can be used to identify anomalous TFTP boot traffic.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1542.005 | TFTP Boot
    Comments: VPC security groups and network access control lists (NACLs) can be used to restrict clients to connecting (and therefore booting) from only trusted network resources.
aws_network_firewall | AWS Network Firewall | technique_scores | T1542.005 | TFTP Boot
    Comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol, as well as perform deep packet inspection on the payload. This functionality can be used to block traffic over known TFTP ports. This mapping is given a score of Partial because AWS Network Firewall does nothing to protect against TFTP booting among hosts within the network and behind the firewall.