T1542.004 ROMMONkit Mappings

Adversaries may abuse the ROM Monitor (ROMMON) by loading unauthorized firmware containing adversary code to gain persistent access and manipulate device behavior in a way that is difficult to detect. (Citation: Cisco Synful Knock Evolution) (Citation: Cisco Blog Legacy Device Attacks)

ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to TFTP Boot, an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.
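A defender's counterpart to the behavior described above is to compare each device's running ROMMON version against a known-good baseline (the CM-2 / SI-7 controls mapped below). The following Python is an added example, not part of the ATT&CK page or of any Cisco tooling; the `show version` text and the baseline table are constructed sample data, and the hostname/ROM line patterns assume the standard Cisco IOS output format.

```python
import re

# Constructed sample of Cisco IOS "show version" output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
router1 uptime is 3 days, 4 hours, 12 minutes
"""

# Hypothetical known-good ROMMON baseline per hostname (the CM-2 "Baseline Configuration" record).
ROMMON_BASELINE = {"router1": "15.0(1r)M15"}

# The ROM bootstrap line and the "<hostname> uptime is" line are standard in IOS "show version".
ROM_RE = re.compile(r"^ROM: System Bootstrap, Version (\S+),", re.MULTILINE)
HOST_RE = re.compile(r"^(\S+) uptime is", re.MULTILINE)


def parse_rommon_version(show_version: str) -> tuple[str, str]:
    """Return (hostname, rommon_version) parsed from 'show version' output."""
    host = HOST_RE.search(show_version)
    rom = ROM_RE.search(show_version)
    if not host or not rom:
        raise ValueError("could not find hostname or ROM bootstrap line in output")
    return host.group(1), rom.group(1)


def check_rommon_drift(show_version: str, baseline: dict[str, str]) -> dict:
    """Compare the running ROMMON version with the baseline.

    status is 'match' when the versions agree, 'drift' when the device reports a
    ROMMON version other than the recorded one, and 'unknown-host' when the
    device is not in the baseline at all (an inventory gap under CM-8).
    """
    host, observed = parse_rommon_version(show_version)
    expected = baseline.get(host)
    if expected is None:
        status = "unknown-host"
    elif observed == expected:
        status = "match"
    else:
        status = "drift"
    return {"host": host, "observed": observed, "expected": expected, "status": status}


if __name__ == "__main__":
    print(check_rommon_drift(SAMPLE_SHOW_VERSION, ROMMON_BASELINE))
```

A legitimate ROMMON upgrade also produces a `drift` result, so each finding should be reconciled against the change records kept under CM-3 rather than treated as a compromise on its own.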


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
| --- | --- | --- | --- | --- |
| AC-3 | Access Enforcement | Protects | T1542.004 | ROMMONkit |
| AC-6 | Least Privilege | Protects | T1542.004 | ROMMONkit |
| CA-7 | Continuous Monitoring | Protects | T1542.004 | ROMMONkit |
| CA-8 | Penetration Testing | Protects | T1542.004 | ROMMONkit |
| CM-2 | Baseline Configuration | Protects | T1542.004 | ROMMONkit |
| CM-3 | Configuration Change Control | Protects | T1542.004 | ROMMONkit |
| CM-5 | Access Restrictions for Change | Protects | T1542.004 | ROMMONkit |
| CM-6 | Configuration Settings | Protects | T1542.004 | ROMMONkit |
| CM-7 | Least Functionality | Protects | T1542.004 | ROMMONkit |
| CM-8 | System Component Inventory | Protects | T1542.004 | ROMMONkit |
| IA-7 | Cryptographic Module Authentication | Protects | T1542.004 | ROMMONkit |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1542.004 | ROMMONkit |
| RA-9 | Criticality Analysis | Protects | T1542.004 | ROMMONkit |
| SA-10 | Developer Configuration Management | Protects | T1542.004 | ROMMONkit |
| SA-11 | Developer Testing and Evaluation | Protects | T1542.004 | ROMMONkit |
| SC-34 | Non-modifiable Executable Programs | Protects | T1542.004 | ROMMONkit |
| SC-7 | Boundary Protection | Protects | T1542.004 | ROMMONkit |
| SI-2 | Flaw Remediation | Protects | T1542.004 | ROMMONkit |
| SI-4 | System Monitoring | Protects | T1542.004 | ROMMONkit |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1542.004 | ROMMONkit |
| CVE-2020-3416 | Cisco IOS XE Software | primary_impact | T1542.004 | ROMMONkit |
| CVE-2020-3513 | Cisco IOS XE Software | primary_impact | T1542.004 | ROMMONkit |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1542.004 | Pre-OS Boot: ROMMONkit |