DET0175 Detection Strategy for T1542.004 Pre-OS Boot: ROMMONkit

Item	Value
ID	DET0175
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1542.004 (ROMMONkit)

Analytics

Network Devices

AN0497

Detection of anomalous ROMMON image changes or upgrades, unexpected reboots following firmware updates, and unauthorized use of firmware upgrade commands or TFTP transfers. Correlation of config modification, privilege escalation, and boot cycle anomalies provides visibility into ROMMON tampering attempts.

Log Sources

Data Component	Name	Channel
Firmware Modification (DC0004)	networkdevice:config	Log entries indicating ROMMON image upgrade commands (boot system, upgrade rom-monitor)
OS API Execution (DC0021)	networkdevice:syslog	Unexpected reload, crashinfo, or boot message not tied to scheduled maintenance
Network Connection Creation (DC0082)	NSM:Flow	Outbound or inbound TFTP file transfers of ROMMON or firmware binaries

Mutable Elements

Field	Description
ApprovedROMMONVersions	Baseline ROMMON image versions authorized for the environment
TimeWindow	Correlation window between ROMMON update command, TFTP file transfer, and device reboot
AdminUserContext	Expected privileged accounts allowed to execute ROMMON upgrade commands