T1542.005 TFTP Boot Mappings

Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.

Adversaries may manipulate the configuration on the network device so that it specifies a malicious TFTP server, which may be used in conjunction with Modify System Image to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device, while minimizing detection by relying on a standard, expected piece of functionality. This technique is similar to ROMMONkit and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)
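As an added example (not part of this mappings page or of any vendor's tooling), the following Python check parses Cisco-IOS-style `boot system` statements out of a saved running-config and flags every network boot source that is not on an approved management-server list. The config excerpt and the allowlist are constructed for illustration; the check is the kind of baseline comparison (CM-2, SI-7) a defender would run over exported device configs to catch a boot source pointed at an unexpected TFTP server.

```python
import re
from typing import Dict, List, Set

# Constructed running-config excerpt; not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
boot-start-marker
boot system flash:c3900-universalk9-mz.SPA.bin
boot system tftp://203.0.113.7/c3900-universalk9-mz.SPA.bin
boot system tftp c3900-universalk9-mz.SPA.bin 10.0.0.5
boot-end-marker
"""

# Hypothetical allowlist: the management TFTP servers recorded in the baseline.
APPROVED_TFTP_SERVERS: Set[str] = {"10.0.0.5"}

# URL form:    boot system tftp://<host>/<image>
BOOT_URL_RE = re.compile(
    r"^\s*boot system (?P<proto>tftp|ftp|rcp)://(?P<host>[^/\s]+)/(?P<image>\S+)"
)
# Legacy form: boot system tftp <image> [<host>]  (no host means a broadcast request)
BOOT_LEGACY_RE = re.compile(
    r"^\s*boot system (?P<proto>tftp|ftp|rcp) (?P<image>\S+)(?: (?P<host>\S+))?"
)


def parse_boot_statements(config: str) -> List[Dict[str, str]]:
    """Return every network boot statement with its protocol, image and server.

    Local sources such as flash: are deliberately ignored; only network
    boot sources can be redirected to a server the organization does not control.
    """
    found = []
    for line in config.splitlines():
        m = BOOT_URL_RE.match(line) or BOOT_LEGACY_RE.match(line)
        if m:
            found.append({
                "proto": m.group("proto"),
                "image": m.group("image"),
                "host": m.group("host") or "",  # "" = no explicit server
                "line": line.strip(),
            })
    return found


def unapproved_netboot(config: str, approved: Set[str]) -> List[Dict[str, str]]:
    """Boot statements whose server is missing or not in the approved set."""
    return [s for s in parse_boot_statements(config) if s["host"] not in approved]
```

A statement with no explicit server is reported as well, since the device would then accept an image from whichever TFTP server answers its broadcast.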


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1542.005 | TFTP Boot | |
| AC-3 | Access Enforcement | Protects | T1542.005 | TFTP Boot | |
| AC-5 | Separation of Duties | Protects | T1542.005 | TFTP Boot | |
| AC-6 | Least Privilege | Protects | T1542.005 | TFTP Boot | |
| CA-7 | Continuous Monitoring | Protects | T1542.005 | TFTP Boot | |
| CA-8 | Penetration Testing | Protects | T1542.005 | TFTP Boot | |
| CM-2 | Baseline Configuration | Protects | T1542.005 | TFTP Boot | |
| CM-3 | Configuration Change Control | Protects | T1542.005 | TFTP Boot | |
| CM-5 | Access Restrictions for Change | Protects | T1542.005 | TFTP Boot | |
| CM-6 | Configuration Settings | Protects | T1542.005 | TFTP Boot | |
| CM-7 | Least Functionality | Protects | T1542.005 | TFTP Boot | |
| CM-8 | System Component Inventory | Protects | T1542.005 | TFTP Boot | |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1542.005 | TFTP Boot | |
| IA-7 | Cryptographic Module Authentication | Protects | T1542.005 | TFTP Boot | |
| IA-8 | Identification and Authentication (Non-Organizational Users) | Protects | T1542.005 | TFTP Boot | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1542.005 | TFTP Boot | |
| RA-9 | Criticality Analysis | Protects | T1542.005 | TFTP Boot | |
| SA-10 | Developer Configuration Management | Protects | T1542.005 | TFTP Boot | |
| SA-11 | Developer Testing and Evaluation | Protects | T1542.005 | TFTP Boot | |
| SC-34 | Non-modifiable Executable Programs | Protects | T1542.005 | TFTP Boot | |
| SC-7 | Boundary Protection | Protects | T1542.005 | TFTP Boot | |
| SI-2 | Flaw Remediation | Protects | T1542.005 | TFTP Boot | |
| SI-4 | System Monitoring | Protects | T1542.005 | TFTP Boot | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1542.005 | TFTP Boot | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1542.005 | Pre-OS Boot: TFTP Boot | |

AWS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1542.005 | TFTP Boot | Comments: VPC security groups and network access control lists (NACLs) can be used to restrict clients to connecting (and therefore booting) from only trusted network resources. |
| aws_network_firewall | AWS Network Firewall | technique_scores | T1542.005 | TFTP Boot | Comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol, as well as to perform deep packet inspection on the payload. This functionality can be used to block traffic over known TFTP ports. This mapping is given a score of Partial because AWS Network Firewall does nothing to protect against TFTP booting among hosts within the network and behind the firewall. |