MITRE ATT&CK Technique
Description
Adversaries may abuse the ROM Monitor (ROMMON) by loading unauthorized firmware containing adversary code, which provides persistent access and lets them manipulate device behavior in a way that is difficult to detect. (Citation: Cisco Synful Knock Evolution) (Citation: Cisco Blog Legacy Device Attacks) ROMMON is Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This gives adversaries a means to update the ROMMON and gain persistence on a system in a way that may be difficult to detect.
Supported Platforms
Network Devices
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-20T00:05:48.790Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse the ROM Monitor (ROMMON) by loading an '
'unauthorized firmware with adversary code to provide '
'persistent access and manipulate device behavior that is '
'difficult to detect. (Citation: Cisco Synful Knock '
'Evolution)(Citation: Cisco Blog Legacy Device Attacks)\n'
'\n'
'\n'
'ROMMON is a Cisco network device firmware that functions as a '
'boot loader, boot image, or boot helper to initialize '
'hardware and software when the platform is powered on or '
'reset. Similar to [TFTP '
'Boot](https://attack.mitre.org/techniques/T1542/005), an '
'adversary may upgrade the ROMMON image locally or remotely '
'(for example, through TFTP) with adversary code and restart '
'the device in order to overwrite the existing ROMMON image. '
'This provides adversaries with the means to update the ROMMON '
'to gain persistence on a system in a way that may be '
'difficult to detect.',
'external_references': [{'external_id': 'T1542.004',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1542/004'},
{'description': 'Graham Holmes. (2015, October 8). '
'Evolution of attacks on Cisco IOS '
'devices. Retrieved October 19, 2020.',
'source_name': 'Cisco Synful Knock Evolution',
'url': 'https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices'},
{'description': 'Omar Santos. (2020, October 19). '
'Attackers Continue to Target Legacy '
'Devices. Retrieved October 20, 2020.',
'source_name': 'Cisco Blog Legacy Device Attacks',
'url': 'https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954'}],
'id': 'attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:49:11.524Z',
'name': 'ROMMONkit',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Network Devices'],
'x_mitre_version': '1.1'}