Esc

TFTP Boot - T1542.005

(ATT&CK® Technique)

Definition

Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1542005["TFTP Boot"] --> |creates| TFTPNetworkTraffic["TFTP Network Traffic"]; class T1542005 OffensiveTechniqueNode;
        class TFTPNetworkTraffic ArtifactNode; click TFTPNetworkTraffic href "/dao/artifact/d3f:TFTPNetworkTraffic";
        click T1542005 href "/offensive-technique/attack/T1542.005/"; click TFTPNetworkTraffic href "/dao/artifact/d3f:TFTPNetworkTraffic";             ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | TFTPNetworkTraffic["TFTP Network Traffic"];

          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
            | may-detect | T1542005["TFTP Boot"] ;
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class TFTPNetworkTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | TFTPNetworkTraffic["TFTP Network Traffic"];

          Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
            | may-detect | T1542005["TFTP Boot"] ;
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class TFTPNetworkTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | TFTPNetworkTraffic["TFTP Network Traffic"];

          RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
            | may-detect | T1542005["TFTP Boot"] ;
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class TFTPNetworkTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | TFTPNetworkTraffic["TFTP Network Traffic"];

          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
            | may-detect | T1542005["TFTP Boot"] ;
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class TFTPNetworkTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | TFTPNetworkTraffic["TFTP Network Traffic"];

          UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
            | may-detect | T1542005["TFTP Boot"] ;
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class TFTPNetworkTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | TFTPNetworkTraffic["TFTP Network Traffic"];

          NetworkTrafficFiltering["Network Traffic Filtering"] -.->
            | may-isolate | T1542005["TFTP Boot"] ;
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class TFTPNetworkTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";                                                     NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | TFTPNetworkTraffic["TFTP Network Traffic"];

          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
            | may-detect | T1542005["TFTP Boot"] ;
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class TFTPNetworkTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | TFTPNetworkTraffic["TFTP Network Traffic"];

          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
            | may-detect | T1542005["TFTP Boot"] ;
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class TFTPNetworkTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";

json