Applied Cybernetics Group
T1542.005 — TFTP Boot
coverage gap
- Technique
T1542.005- Tactics
- Stealth, Persistence
- MISP citations
- 0
- KEV CVEs mapped
- 1
- Community rules
- 0
- thrunt rules
- 0
- Upstream
- https://attack.mitre.org/techniques/T1542/005
MITRE description
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
No detection coverage exists for this technique — no SigmaHQ community rule carries its tag and thrunt has not authored one yet. Techniques on this list are exactly where hand-authoring effort goes next; see the rollup for the full queue.