Detection of anomalous ROMMON image changes or upgrades, unexpected reboots following firmware updates, and unauthorized use of firmware upgrade commands or TFTP transfers. Correlation of config modification, privilege escalation, and boot cycle anomalies provides visibility into ROMMON tampering attempts.
| Data Component | Name | Channel |
|---|---|---|
| Firmware Modification (DC0004) | networkdevice:config | Log entries indicating ROMMON image upgrade commands (boot system, upgrade rom-monitor) |
| OS API Execution (DC0021) | networkdevice:syslog | Unexpected reload, crashinfo, or boot message not tied to scheduled maintenance |
| Network Connection Creation (DC0082) | NSM:Flow | Outbound or inbound TFTP file transfers of ROMMON or firmware binaries |

| Field | Description |
|---|---|
| ApprovedROMMONVersions | Baseline ROMMON image versions authorized for the environment |
| TimeWindow | Correlation window between ROMMON update command, TFTP file transfer, and device reboot |
| AdminUserContext | Expected privileged accounts allowed to execute ROMMON upgrade commands |
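The correlation the two tables describe (an upgrade command from the config channel, a TFTP flow, and a reload inside TimeWindow, checked against ApprovedROMMONVersions and AdminUserContext), as an added example that is not part of this page; the log lines, version strings, user names and addresses are constructed placeholders.

```python
from datetime import datetime, timedelta

# Mutable elements from the table, filled with constructed (hypothetical) values.
APPROVED_ROMMON_VERSIONS = {"15.4(3r)S"}
ADMIN_USER_CONTEXT = {"netops-admin"}
TIME_WINDOW = timedelta(minutes=30)

# Constructed sample lines: an upgrade command, a TFTP flow, a reload, then a benign upgrade.
SAMPLE_LOGS = [
    "2024-05-01T02:10:00 %SYS-5-CONFIG_I: user=contractor cmd='upgrade rom-monitor file tftp://192.0.2.10/rommon.bin' version=12.1(1r)X",
    "2024-05-01T02:11:30 TFTP flow 192.0.2.10 -> 10.0.0.5 file=rommon.bin bytes=2097152",
    "2024-05-01T02:20:05 %SYS-5-RELOAD: Reload requested by contractor",
    "2024-05-01T05:00:00 %SYS-5-CONFIG_I: user=netops-admin cmd='upgrade rom-monitor file flash:rommon.bin' version=15.4(3r)S",
]

def parse_events(lines):
    """Map raw lines onto the table's data components as (ts, kind, user, detail) tuples."""
    events = []
    for line in lines:
        ts_str, rest = line.split(" ", 1)
        ts = datetime.fromisoformat(ts_str)
        if "CONFIG" in rest and ("upgrade rom-monitor" in rest or "boot system" in rest):
            events.append((ts, "config", rest.split("user=")[1].split()[0], rest))
        elif "TFTP" in rest:
            events.append((ts, "tftp", "", rest))
        elif "RELOAD" in rest:
            events.append((ts, "reload", "", rest))
    return events

def correlate(events, approved=APPROVED_ROMMON_VERSIONS, admins=ADMIN_USER_CONTEXT, window=TIME_WINDOW):
    """Return (timestamp, reasons) for each ROMMON upgrade command that looks anomalous."""
    findings = []
    for ts, kind, user, detail in events:
        if kind != "config":
            continue
        reasons = []
        if user not in admins:
            reasons.append(f"issued by unexpected user {user}")
        if "version=" in detail:
            ver = detail.split("version=")[1].split()[0]
            if ver not in approved:
                reasons.append(f"unapproved ROMMON version {ver}")
        # Look for the TFTP transfer and reboot that follow a real image swap.
        following = {k for t, k, _, _ in events if ts <= t <= ts + window}
        if {"tftp", "reload"} <= following:
            reasons.append("followed by TFTP transfer and reload within the window")
        if reasons:
            findings.append((ts.isoformat(), reasons))
    return findings
```

The benign final entry (approved version, expected admin, no transfer or reload in the window) produces no finding, while the first entry trips all three checks.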