MITRE ATT&CK® Detection Strategy

DET0582: Detection Strategy for T1542.005 Pre-OS Boot: TFTP Boot


Domain: Enterprise | ID: DET0582 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0582 is a detection strategy object for ATT&CK technique T1542.005, TFTP Boot, where unauthorized netbooting may be used to load a network device operating system from a TFTP server. For leaders, the practical concern is resilience of network infrastructure: if boot paths and device image sources are not governed and observable, recovery and change control become harder during an incident, and the integrity of network devices is harder to establish.

Executive priority

Prioritize this as a network device integrity and operational resilience issue. Executives should ask whether the organization can prove which network devices are allowed to netboot, which TFTP servers are authorized, and whether configuration changes affecting boot behavior are monitored and reviewable. This is also relevant to audit evidence around change management and incident readiness, because the supplied ATT&CK relationship links the behavior to the Persistence and Defense Evasion tactics.

Technical view

The ATT&CK object has no official detection text and does not specify platforms directly, but the technique it detects, TFTP Boot, is defined for the Network Devices platform under the Persistence and Defense Evasion tactics. SOC, network, and IR teams should validate visibility into network device boot configuration (the boot statements in running and startup configuration and the related boot variables), TFTP server usage, and configuration changes that alter the boot sequence or image source. TFTP itself is unauthenticated, cleartext UDP on port 69, so server-side logs and flow records are often the only independent evidence of which device requested which image. Because TFTP booting can be legitimate administrative activity, detection should distinguish authorized centralized image management from unexpected TFTP servers, unexpected devices requesting images, or boot-related configuration changes outside approved maintenance workflows.

Likely telemetry

  • Network device configuration snapshots and change logs
  • Network device boot sequence and image source settings
  • TFTP server logs and file transfer records
  • Network flow or packet metadata involving TFTP traffic
  • AAA, administrator login, and change approval records for network devices

Detection direction

  • Baseline authorized network devices, TFTP servers, boot images, and maintenance windows before alerting on deviations.
  • Correlate TFTP activity with device configuration changes and administrative authentication events to reduce false positives from legitimate netboot operations.
  • Alert on network devices configured to boot from unexpected TFTP sources or on TFTP requests from devices not approved for netbooting.
  • Review for blind spots where network device configs, TFTP logs, or management-plane activity are not centrally collected.
  • Use relationship context to treat suspicious boot-source changes as potentially relevant to persistence and stealth, while avoiding assumptions of compromise without corroborating evidence.
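The detection direction above, and the baseline comparison listed under mitigation priorities, as an added worked example that is not part of the Glexia page or of the ATT&CK object: a small Python checker that compares constructed inputs (Cisco IOS-style `boot system` statements, tftpd-hpa-style server log lines, and flow tuples) against an assumed baseline of authorized TFTP servers, images, netboot-capable devices, and open change records. The baseline, device names, addresses, image file names, and log lines are all constructed for illustration; the two boot-statement forms parsed are the Cisco IOS ones, and other vendors need their own parsers.

```python
"""Baseline-driven checks for unexpected TFTP boot activity (T1542.005).
Added example; all baseline values, names, addresses and log lines are
constructed assumptions, not data from the ATT&CK object or any vendor."""
import re
from dataclasses import dataclass

# Assumed baseline, as the organisation would document it before alerting.
BASELINE = {
    "tftp_servers": {"10.10.0.5"},          # sanctioned image server(s)
    "images": {"ios-approved-17.3.bin"},     # approved image file names
    "netboot_devices": {"10.10.1.23"},      # management IPs allowed to netboot
    "approved_changes": {"dist-sw-02"},     # devices with an open change record
}

# Cisco IOS-style "boot system" statements in the two common TFTP forms:
#   boot system tftp://<host>/<file>      and      boot system tftp <file> <host>
_BOOT_URL = re.compile(r"^\s*boot system tftp://([^/\s]+)/(\S+)", re.M)
_BOOT_OLD = re.compile(r"^\s*boot system tftp\s+(\S+)\s+(\S+)", re.M)
# tftpd-hpa style request line: "in.tftpd[pid]: RRQ from <client> filename <file>"
_TFTP_LOG = re.compile(r"in\.tftpd\[\d+\]: (RRQ|WRQ) from (\S+) filename (\S+)")

@dataclass
class Finding:
    subject: str    # device name or client IP the finding is about
    rule: str
    detail: str
    severity: str

def parse_boot_sources(config_text):
    """Return (server, image) pairs for every TFTP boot statement in a config."""
    pairs = [(host, image) for host, image in _BOOT_URL.findall(config_text)]
    pairs += [(host, image) for image, host in _BOOT_OLD.findall(config_text)]
    return pairs

def check_device_config(device, config_text, baseline=BASELINE):
    """Boot source outside the baseline; an approved change lowers severity only."""
    findings = []
    for server, image in parse_boot_sources(config_text):
        bad_server = server not in baseline["tftp_servers"]
        bad_image = image not in baseline["images"]
        if not (bad_server or bad_image):
            continue
        severity = "medium" if device in baseline["approved_changes"] else "high"
        detail = f"boot source tftp://{server}/{image}"
        detail += " [unapproved server]" if bad_server else ""
        detail += " [unapproved image]" if bad_image else ""
        findings.append(Finding(device, "boot-source-deviation", detail, severity))
    return findings

def check_tftp_logs(lines, baseline=BASELINE):
    """Requests from clients not approved to netboot, or for unapproved files."""
    findings = []
    for line in lines:
        m = _TFTP_LOG.search(line)
        if not m:
            continue
        op, client, filename = m.groups()
        if client not in baseline["netboot_devices"]:
            findings.append(Finding(client, "unapproved-netboot-client",
                                    f"{op} for {filename}", "high"))
        elif filename not in baseline["images"]:
            findings.append(Finding(client, "unapproved-file-request",
                                    f"{op} for {filename}", "medium"))
    return findings

def check_flows(flows, baseline=BASELINE):
    """Flow records (src, dst, dport): TFTP (UDP/69) to any non-baseline server."""
    return [Finding(src, "tftp-to-unapproved-server", f"udp/69 to {dst}", "high")
            for src, dst, dport in flows
            if dport == 69 and dst not in baseline["tftp_servers"]]

# Constructed sample inputs: three device configs, three server log lines, flows.
CONFIGS = {
    "core-sw-01": "hostname core-sw-01\nboot system flash:ios-approved-17.3.bin\n"
                  "boot system tftp://10.10.0.5/ios-approved-17.3.bin\n",
    "dist-sw-02": "hostname dist-sw-02\nboot system tftp://10.10.0.5/ios-17.3-hotfix.bin\n",
    "edge-rtr-07": "hostname edge-rtr-07\nboot system tftp ios-approved-17.3.bin 198.51.100.40\n",
}
TFTP_LOG_LINES = [
    "Mar  3 02:11:04 tftp-srv in.tftpd[2231]: RRQ from 10.10.1.23 filename ios-approved-17.3.bin",
    "Mar  3 02:13:51 tftp-srv in.tftpd[2231]: RRQ from 10.10.1.77 filename ios-approved-17.3.bin",
    "Mar  3 02:14:02 tftp-srv in.tftpd[2231]: WRQ from 10.10.1.23 filename startup-config",
]
FLOWS = [("10.10.1.23", "10.10.0.5", 69), ("10.10.1.23", "198.51.100.40", 69),
         ("10.10.1.50", "10.10.0.5", 22)]

def run_example():
    """Run every check over the constructed inputs and return all findings."""
    findings = []
    for device, cfg in CONFIGS.items():
        findings += check_device_config(device, cfg)
    findings += check_tftp_logs(TFTP_LOG_LINES)
    findings += check_flows(FLOWS)
    return findings

if __name__ == "__main__":
    for f in run_example():
        print(f"{f.severity:6} {f.rule:28} {f.subject:14} {f.detail}")
```

On the constructed inputs this yields five findings: dist-sw-02 booting an unapproved image from the approved server (medium, because a change record exists), edge-rtr-07 pointed at an unapproved server (high), a TFTP read from a client not approved to netboot (high), a write of startup-config by an approved client (medium), and a UDP/69 flow to a non-baseline server (high). The change-record correlation deliberately lowers severity rather than suppressing the alert, matching the direction above to avoid assuming compromise without corroboration while still surfacing the deviation; in production the baseline would be fed from the CMDB and change system rather than hard-coded.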

Mitigation priorities

  • Establish and document approved netboot use cases, authorized TFTP servers, and approved network device images.
  • Restrict who can modify network device boot configuration and retain auditable change records.
  • Limit TFTP service exposure to required management networks and approved devices where operationally feasible.
  • Continuously compare device boot settings against approved baselines.
  • Include network device boot integrity and image-source validation in incident response and recovery procedures.

Analyst notes and limits

This take is based on the supplied detection strategy metadata and its relationship to T1542.005 TFTP Boot. The detection strategy itself does not include an official description or official detection logic, so the recommended direction focuses on defensible validation questions and evidence classes implied by the related ATT&CK technique.

Platforms and tactics are not specified on the detection strategy object itself; the Network Devices platform and the Persistence and Defense Evasion tactics (the "stealth" context referred to above) come from the related T1542.005 technique. No active exploitation, attribution, vendor-specific tooling, or guaranteed detection coverage is asserted.

Official MITRE ATT&CK definition

Detection Strategy for T1542.005 Pre-OS Boot: TFTP Boot

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain     | ID        | Name                      | Relationship / procedure
Enterprise | T1542.005 | TFTP Boot (sub-technique) | This object detects TFTP Boot.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 494a14b620fca162...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 494a14b620fc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0582 (source URL on the MITRE-hosted entry)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.