Detects unauthorized changes to boot configurations that point at TFTP servers, unusual firmware loads during netbooting, and suspicious TFTP traffic. Correlating boot-config modifications, command history logs, and unexpected system image hashes gives detection coverage for adversaries attempting to persist via malicious TFTP boot images: a single config change or a single TFTP transfer is often legitimate maintenance, but a boot-path change to a server outside the approved set, followed by a TFTP transfer and a reload from an image whose hash does not match the baseline, is a strong signal.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:config | Configuration changes referencing 'boot system tftp' or modification of startup-config pointing to external TFTP servers |
| Firmware Modification (DC0004) | networkdevice:syslog | Boot information log showing image loaded from TFTP server instead of local storage |
| Network Connection Creation (DC0082) | NSM:Flow | Unexpected inbound/outbound TFTP traffic (UDP/69) carrying device image files, particularly to or from servers not in the approved set |

| Field | Description |
|---|---|
| ApprovedTFTPServers | Whitelist of TFTP servers authorized for netbooting in the environment |
| TimeWindow | Detection correlation window between config change, TFTP activity, and system reboot |
| BaselineBootImageHash | Expected system image hashes to validate integrity of boot images loaded via TFTP |
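The correlation described above, as an added example that is not part of the original page: a small Python analytic that takes the three data sources as normalized event records (configuration command, boot-information syslog, and NSM flow), applies the three mutable elements, and emits an alert only when the TFTP boot path points outside the approved server set or the loaded image is unknown or has a mismatched hash. The event schema, field names, server addresses, image names, hashes and the sample events themselves are all constructed for this example; the `boot system tftp://server/image` and legacy `boot system tftp image server` command forms are the ones parsed, and a `boot system flash:` change is deliberately ignored.

```python
"""Correlate boot-config changes, TFTP netboot syslog and TFTP flows into alerts.

Added example; the record layout and all sample data below are constructed.
"""
import re
from datetime import datetime, timedelta

# --- Mutable elements (hypothetical values; tune per environment) ---
APPROVED_TFTP_SERVERS = {"192.0.2.50"}            # ApprovedTFTPServers
TIME_WINDOW = timedelta(minutes=30)               # TimeWindow after the config change
BASELINE_BOOT_IMAGE_HASHES = {                    # BaselineBootImageHash (constructed values)
    "c2960-lanbasek9-mz.150-2.bin": "sha256:1111aaaa",
}

# URL form 'boot system tftp://SERVER/IMAGE' and legacy 'boot system tftp IMAGE SERVER'
BOOT_URL_RE = re.compile(r"boot\s+system\s+tftp://(?P<server>[^/\s]+)/(?P<image>\S+)", re.I)
BOOT_LEGACY_RE = re.compile(r"boot\s+system\s+tftp\s+(?P<image>\S+)\s+(?P<server>\S+)", re.I)
# Boot-information syslog that names a tftp:// image source
IMAGE_URL_RE = re.compile(r"tftp://(?P<server>[^/\s]+)/(?P<image>\S+)", re.I)

ALERTING_REASONS = {"unapproved_tftp_server", "image_not_in_baseline", "image_hash_mismatch"}


def parse_boot_command(cmd):
    """Return (server, image) when cmd points the boot image at a TFTP server, else None."""
    m = BOOT_URL_RE.search(cmd) or BOOT_LEGACY_RE.search(cmd)
    return (m.group("server"), m.group("image")) if m else None


def correlate(events):
    """events: dicts with ts (ISO 8601), device, kind in {config, syslog, flow} plus
    kind-specific fields (config: command; syslog: msg, image_hash; flow: dst, dport)."""
    alerts = []
    by_device = {}
    for e in events:
        by_device.setdefault(e["device"], []).append(e)

    for device, evs in by_device.items():
        for cfg in (e for e in evs if e["kind"] == "config"):
            parsed = parse_boot_command(cfg["command"])
            if not parsed:
                continue  # local boot sources (flash:, bootflash:) are out of scope here
            server, image = parsed
            t0 = datetime.fromisoformat(cfg["ts"])
            window = [e for e in evs if t0 <= datetime.fromisoformat(e["ts"]) <= t0 + TIME_WINDOW]
            reasons = []
            if server not in APPROVED_TFTP_SERVERS:
                reasons.append("unapproved_tftp_server")
            # Flow check compares the literal server string; resolve hostnames first in a real pipeline
            if any(e["kind"] == "flow" and e["dst"] == server and e["dport"] == 69 for e in window):
                reasons.append("tftp_flow_to_server")
            boot = next((e for e in window if e["kind"] == "syslog" and IMAGE_URL_RE.search(e["msg"])), None)
            if boot is not None:
                reasons.append("booted_from_tftp")
                expected = BASELINE_BOOT_IMAGE_HASHES.get(image)
                if expected is None:
                    reasons.append("image_not_in_baseline")
                elif boot.get("image_hash") != expected:
                    reasons.append("image_hash_mismatch")
            if set(reasons) & ALERTING_REASONS:
                alerts.append({"device": device, "server": server, "image": image, "reasons": reasons})

        # A reload from an unapproved TFTP server with no logged config change means the
        # startup-config was altered out of band (or command logging was bypassed); flag it too.
        covered = {a["server"] for a in alerts if a["device"] == device}
        for boot in (e for e in evs if e["kind"] == "syslog"):
            m = IMAGE_URL_RE.search(boot["msg"])
            if m and m.group("server") not in APPROVED_TFTP_SERVERS and m.group("server") not in covered:
                alerts.append({"device": device, "server": m.group("server"), "image": m.group("image"),
                               "reasons": ["booted_from_unapproved_tftp_without_config_change"]})
                covered.add(m.group("server"))
    return alerts


# Constructed sample events: sw1 is malicious, sw2 is an approved netboot, sw3 boots
# from flash, sw4 reloads from an unapproved server with no config change logged.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "device": "sw1", "kind": "config",
     "command": "boot system tftp://198.51.100.7/c2960-lanbasek9-mz.150-2.bin"},
    {"ts": "2024-05-01T10:02:00", "device": "sw1", "kind": "flow", "dst": "198.51.100.7", "dport": 69},
    {"ts": "2024-05-01T10:05:00", "device": "sw1", "kind": "syslog",
     "msg": "System image file is tftp://198.51.100.7/c2960-lanbasek9-mz.150-2.bin",
     "image_hash": "sha256:ffff0000"},
    {"ts": "2024-05-01T11:00:00", "device": "sw2", "kind": "config",
     "command": "boot system tftp://192.0.2.50/c2960-lanbasek9-mz.150-2.bin"},
    {"ts": "2024-05-01T11:04:00", "device": "sw2", "kind": "syslog",
     "msg": "System image file is tftp://192.0.2.50/c2960-lanbasek9-mz.150-2.bin",
     "image_hash": "sha256:1111aaaa"},
    {"ts": "2024-05-01T12:00:00", "device": "sw3", "kind": "config",
     "command": "boot system flash:c2960-lanbasek9-mz.150-2.bin"},
    {"ts": "2024-05-01T13:00:00", "device": "sw4", "kind": "syslog",
     "msg": "System image file is tftp://203.0.113.9/c2960-lanbasek9-mz.150-2.bin"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Running the block prints one alert for `sw1` (unapproved server, TFTP flow, reload from TFTP, hash mismatch) and one for `sw4` (reload from an unapproved server with no matching config change); `sw2` produces no alert because the server is approved and the image hash matches the baseline. In production the `ts` comparison should be done on the collector's normalized timestamps, and the approved-server comparison should be performed after resolving any hostnames in the boot command to the addresses seen in flow records.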