Pre-OS Boot: ROMMONkit

Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. [1][2]

ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to TFTP Boot, an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.

ID: T1542.004
Sub-technique of:  T1542
Tactics: Defense Evasion, Persistence
Platforms: Network
Permissions Required: Administrator
Data Sources: File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture
Version: 1.0
Created: 20 October 2020
Last Modified: 22 October 2020

Mitigations

Mitigation Description
Audit

Periodically check the integrity of system image to ensure it has not been modified. [3] [4] [5]

Boot Integrity

Enable secure boot features to validate the digital signature of the boot environment and system image using a special purpose hardware device. If the validation check fails, the device will fail to boot preventing loading of unauthorized software. [6]

Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific protocols, such as TFTP, can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific technique used by a particular adversary or tool, and will likely be different across various network configurations.

Detection

There are no documented means for defenders to validate the operation of the ROMMON outside of vendor support. If a network device is suspected of being compromised, contact the vendor to assist in further investigation.

References