MITRE ATT&CK Technique
Defense Evasion T1542.005
Description

Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.

Adversaries may manipulate the configuration on the network device to specify the use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through the use of standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)

Supported Platforms
Network Devices
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-10-20T00:06:56.180Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may abuse netbooting to load an unauthorized '
                'network device operating system from a Trivial File Transfer '
                'Protocol (TFTP) server. TFTP boot (netbooting) is commonly '
                'used by network administrators to load '
                'configuration-controlled network device images from a '
                'centralized management server. Netbooting is one option in '
                'the boot sequence and can be used to centralize, manage, and '
                'control device images.\n'
                '\n'
                'Adversaries may manipulate the configuration on the network '
                'device specifying use of a malicious TFTP server, which may '
                'be used in conjunction with [Modify System '
                'Image](https://attack.mitre.org/techniques/T1601) to load a '
                'modified image on device startup or reset. The unauthorized '
                'image allows adversaries to modify device configuration, add '
                'malicious capabilities to the device, and introduce backdoors '
                'to maintain control of the network device while minimizing '
                'detection through use of a standard functionality. This '
                'technique is similar to '
                '[ROMMONkit](https://attack.mitre.org/techniques/T1542/004) '
                'and may result in the network device running a modified '
                'image. (Citation: Cisco Blog Legacy Device Attacks)',
 'external_references': [{'external_id': 'T1542.005',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1542/005'},
                         {'description': 'Omar Santos. (2020, October 19). '
                                         'Attackers Continue to Target Legacy '
                                         'Devices. Retrieved October 20, 2020.',
                          'source_name': 'Cisco Blog Legacy Device Attacks',
                          'url': 'https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954'},
                         {'description': 'Cisco. (n.d.). Cisco IOS Software '
                                         'Integrity Assurance - Secure Boot. '
                                         'Retrieved October 19, 2020.',
                          'source_name': 'Cisco IOS Software Integrity '
                                         'Assurance - Secure Boot',
                          'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#35'},
                         {'description': 'Cisco. (n.d.). Cisco IOS Software '
                                         'Integrity Assurance - Cisco IOS '
                                         'Image File Verification. Retrieved '
                                         'October 19, 2020.',
                          'source_name': 'Cisco IOS Software Integrity '
                                         'Assurance - Image File Verification',
                          'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#7'},
                         {'description': 'Cisco. (n.d.). Cisco IOS Software '
                                         'Integrity Assurance - Cisco IOS '
                                         'Run-Time Memory Integrity '
                                         'Verification. Retrieved October 19, '
                                         '2020.',
                          'source_name': 'Cisco IOS Software Integrity '
                                         'Assurance - Run-Time Memory '
                                         'Verification',
                          'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#13'},
                         {'description': 'Cisco. (n.d.). Cisco IOS Software '
                                         'Integrity Assurance - Command '
                                         'History. Retrieved October 21, 2020.',
                          'source_name': 'Cisco IOS Software Integrity '
                                         'Assurance - Command History',
                          'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#23'},
                         {'description': 'Cisco. (n.d.). Cisco IOS Software '
                                         'Integrity Assurance - Boot '
                                         'Information. Retrieved October 21, '
                                         '2020.',
                          'source_name': 'Cisco IOS Software Integrity '
                                         'Assurance - Boot Information',
                          'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#26'}],
 'id': 'attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-10-24T17:48:33.317Z',
 'name': 'TFTP Boot',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Network Devices'],
 'x_mitre_version': '1.1'}