T1542.004 ROMMONkit
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. 12
ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to TFTP Boot, an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.
| Item | Value |
|---|---|
| ID | T1542.004 |
| Sub-techniques | T1542.001, T1542.002, T1542.003, T1542.004, T1542.005 |
| Tactics | TA0005, TA0003 |
| Platforms | Network |
| Permissions required | Administrator |
| Version | 1.0 |
| Created | 20 October 2020 |
| Last Modified | 22 October 2020 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Periodically check the integrity of system image to ensure it has not been modified. 4 5 6 |
| M1046 | Boot Integrity | Enable secure boot features to validate the digital signature of the boot environment and system image using a special purpose hardware device. If the validation check fails, the device will fail to boot preventing loading of unauthorized software. 3 |
| M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific protocols, such as TFTP, can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific technique used by a particular adversary or tool, and will likely be different across various network configurations. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0001 | Firmware | Firmware Modification |
References
-
Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020. ↩
-
Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. ↩
-
Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure Boot. Retrieved October 19, 2020. ↩
-
Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Image File Integrity. Retrieved October 21, 2020. ↩
-
Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020. ↩
-
Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Change Control. Retrieved October 21, 2020. ↩