T1542.004: ROMMONkit
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. [1][2]
ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to TFTP Boot, an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.
Analyst context for executives and security teams
ROMMONkit matters because it targets the boot-level firmware of Cisco network devices, below normal operating visibility. If an attacker can place unauthorized code in ROMMON and cause the device to restart, persistence may survive normal configuration review and can affect how critical routing or network infrastructure behaves. For leaders, this is less about routine endpoint malware and more about whether network device lifecycle, firmware integrity, and audit practices are strong enough to support operational resilience.
Executive priority
Prioritize this where Cisco network devices support critical connectivity, regulated environments, or cyber-physical operations. Key leadership questions: do we know which network devices are legacy or hard to validate, do we control and audit firmware/boot changes, and can incident responders prove device boot integrity after a suspected compromise? Budget and compliance evidence should emphasize firmware governance, network-boundary monitoring, and repeatable audit of device images and change history.
Technical view
This is a Network Devices sub-technique under Pre-OS Boot with stealth and persistence tactics. SOC and IR teams should validate whether they can observe unauthorized ROMMON or boot image changes, suspicious firmware update activity, device restarts associated with image changes, and remote transfer paths such as TFTP where present. Because ATT&CK provides no official detection text, detection engineering should lean on the related DET0175 strategy, local device logging, configuration/image baselines, network transfer telemetry, and audit evidence rather than assuming standard OS or EDR controls apply.
Likely telemetry
- Network device system and boot logs
- Firmware, ROMMON, and boot image version/integrity records
- Configuration change and administrative command audit logs
- Device restart/reload events
- Network transfer telemetry involving firmware/image movement, including TFTP where used
Detection direction
- Validate DET0175-aligned coverage for ROMMONkit rather than relying on generic endpoint detections.
- Baseline approved ROMMON, boot image, and firmware versions for network devices and alert on unauthorized drift.
- Correlate image or firmware change events with administrative identity, change tickets, transfer activity, and device reloads.
- Tune for legitimate maintenance windows and approved firmware upgrades to reduce false positives.
- Assess blind spots around legacy devices, weak device logging, missing network-transfer visibility, and lack of historical firmware baselines.
Mitigation priorities
- Apply Boot Integrity controls where supported to verify the integrity of the boot process and associated firmware components.
- Implement regular auditing of network device activity, configurations, firmware versions, and boot-related changes.
- Use network intrusion prevention or detection signatures at network boundaries to help block or identify suspicious traffic related to unauthorized image movement.
- Strengthen change control for network device firmware and ROMMON updates, including approval, verification, and post-change validation.
- Prioritize review of legacy network devices because the supplied references emphasize continued targeting of legacy devices.
Analyst notes and limits
The supplied ATT&CK object is specific to Cisco ROMMON on network devices and is associated with stealth and persistence. It is a sub-technique of Pre-OS Boot, so the defensive value is in validating the device boot chain and firmware state. The external references are Cisco publications, and the relationship context provides one detection strategy and three mitigations: Network Intrusion Prevention, Boot Integrity, and Audit.
MITRE does not provide official detection text for this object in the supplied fields. The record does not establish active exploitation, specific affected product versions, or guaranteed detection logic. Local device models, firmware capabilities, logging configuration, administrative practices, and network architecture are required to determine actual exposure and coverage.
ROMMONkit
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. [1][2]
ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to TFTP Boot, an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1542 | Pre-OS Boot | This object subtechnique of Pre-OS Boot. |
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 2.0 | Current bundle | 41cc3afd43dc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Cisco Synful Knock Evolution
Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.
Open source URL -
[2]
Cisco Blog Legacy Device Attacks
Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
Open source URL -
[3]
mitre-attack T1542.004Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.