T1542.005 TFTP Boot Mappings

Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.

Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with Modify System Image to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to ROMMONkit and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1542.005 TFTP Boot
AC-3 Access Enforcement Protects T1542.005 TFTP Boot
AC-5 Separation of Duties Protects T1542.005 TFTP Boot
AC-6 Least Privilege Protects T1542.005 TFTP Boot
CA-7 Continuous Monitoring Protects T1542.005 TFTP Boot
CA-8 Penetration Testing Protects T1542.005 TFTP Boot
CM-2 Baseline Configuration Protects T1542.005 TFTP Boot
CM-3 Configuration Change Control Protects T1542.005 TFTP Boot
CM-5 Access Restrictions for Change Protects T1542.005 TFTP Boot
CM-6 Configuration Settings Protects T1542.005 TFTP Boot
CM-7 Least Functionality Protects T1542.005 TFTP Boot
CM-8 System Component Inventory Protects T1542.005 TFTP Boot
IA-2 Identification and Authentication (organizational Users) Protects T1542.005 TFTP Boot
IA-7 Cryptographic Module Authentication Protects T1542.005 TFTP Boot
IA-8 Identification and Authentication (non-organizational Users) Protects T1542.005 TFTP Boot
RA-5 Vulnerability Monitoring and Scanning Protects T1542.005 TFTP Boot
RA-9 Criticality Analysis Protects T1542.005 TFTP Boot
SA-10 Developer Configuration Management Protects T1542.005 TFTP Boot
SA-11 Developer Testing and Evaluation Protects T1542.005 TFTP Boot
SC-34 Non-modifiable Executable Programs Protects T1542.005 TFTP Boot
SC-7 Boundary Protection Protects T1542.005 TFTP Boot
SI-2 Flaw Remediation Protects T1542.005 TFTP Boot
SI-4 System Monitoring Protects T1542.005 TFTP Boot
SI-7 Software, Firmware, and Information Integrity Protects T1542.005 TFTP Boot
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.005 Pre-OS Boot: TFTP Boot
amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1542.005 TFTP Boot
aws_network_firewall AWS Network Firewall technique_scores T1542.005 TFTP Boot