DET0582 Detection Strategy for T1542.005 Pre-OS Boot: TFTP Boot

Item	Value
ID	DET0582
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1542.005 (TFTP Boot)

Analytics

Network Devices

AN1603

Detection of unauthorized changes to boot configurations pointing to TFTP servers, unusual firmware loads during netbooting, or suspicious TFTP traffic. Correlation of boot config modifications, command history logs, and unexpected system image hashes provides detection coverage for adversaries attempting to persist via malicious TFTP boot images.

Log Sources

Data Component	Name	Channel
Command Execution (DC0064)	networkdevice:config	Configuration changes referencing ‘boot system tftp’ or modification of startup-config pointing to external TFTP servers
Firmware Modification (DC0004)	networkdevice:syslog	Boot information log showing image loaded from TFTP server instead of local storage
Network Connection Creation (DC0082)	NSM:Flow	Unexpected inbound/outbound TFTP traffic for device image files

Mutable Elements

Field	Description
ApprovedTFTPServers	Whitelist of TFTP servers authorized for netbooting in the environment
TimeWindow	Detection correlation window between config change, TFTP activity, and system reboot
BaselineBootImageHash	Expected system image hashes to validate integrity of boot images loaded via TFTP