MITRE ATT&CK® Analytic

AN0099: Analytic 0099

Monitors CLI-based execution of `show process` or equivalent on routers/switches. Correlates unusual device access, unauthorized roles, or config mode changes.

Enterprise | AN0099 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because router and switch command-line activity can expose early signs of misuse or reconnaissance by an unauthorized operator. Monitoring use of `show process` or equivalent commands is less about the command alone and more about whether it occurs in an unusual access context, from an unexpected role, or close to configuration-mode activity that could affect network reliability.

Executive priority

For leaders, the decision value is validating whether network device administration is observable and attributable. Network devices are often critical to business continuity, but their CLI logs are frequently less mature than endpoint or cloud telemetry. This analytic supports control questions around privileged access, change governance, SOC visibility, and incident response readiness for network infrastructure.

Technical view

SOC and detection teams should validate whether routers and switches generate and forward CLI command logs that include the executed command, authenticated user, role or privilege level, source of access, target device, timestamp, and configuration-mode transitions. Because the official description emphasizes correlation, the command should not be treated as automatically malicious; prioritize cases where `show process` or equivalent appears with unusual device access, unauthorized roles, or nearby configuration-mode changes.

Likely telemetry

  • Network device CLI command accounting logs
  • Authentication and authorization records for router/switch access
  • Administrator role or privilege-level data
  • Remote access source information for device management sessions
  • Configuration-mode entry and change logs

Detection direction

  • Confirm that command accounting is enabled and centrally collected for network devices in scope.
  • Tune logic to correlate `show process` or equivalent command execution with unusual access patterns, unauthorized roles, or configuration-mode changes.
  • Account for legitimate network operations and troubleshooting activity to reduce false positives.
  • Check for blind spots on devices that do not forward CLI logs, lack role context, or use inconsistent command syntax.
  • Use device criticality and administrative baselines to prioritize triage.
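The correlation described in the Technical view and Detection direction sections, worked as an added example (not MITRE's analytic logic and not Glexia content): `show process` executions are flagged only when they coincide with an unexpected access source, a role not approved for diagnostics, or a configuration-mode entry on the same device within a short window. The one-line record layout, the policy tables (management network, user roles, device criticality) and the ten-minute window are assumptions standing in for a real AAA export and CMDB; real command-accounting records (for instance the TACACS+ accounting Cisco IOS sends after `aaa accounting commands 15 default start-stop group tacacs+`) need their own parser. The sample records are constructed.

```python
"""Correlate `show process` execution on routers/switches with access context.

Added example, not MITRE or Glexia detection content. The record format,
policy tables and correlation window are assumptions, not a vendor's exact
TACACS+ or syslog layout.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical one-line record layout: timestamp device user priv source command.
RECORD_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<device>\S+)\s+user=(?P<user>\S+)\s+priv=(?P<priv>\d+)\s+'
    r'src=(?P<src>\S+)\s+cmd="(?P<cmd>[^"]*)"$'
)
# `show process`, `show processes`, `sh proc ...` and similar abbreviations.
SHOW_PROCESS_RE = re.compile(r"^(sh|show)\s+proc(ess(es)?)?\b")
# Entry into configuration mode (`configure terminal`, `conf t`, ...).
CONFIG_MODE_RE = re.compile(r"^conf(ig(ure)?)?(\s+t(erm(inal)?)?)?$")

# Constructed policy tables (assumptions standing in for a real AAA/CMDB export).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]   # approved management path
DIAG_ROLES = {"netops"}                               # roles allowed to run diagnostics
USER_ROLES = {"netops_jane": "netops", "helpdesk_bob": "helpdesk",
              "svc_backup": "automation"}
DEVICE_CRITICALITY = {"core-rtr-01": "high", "dist-sw-03": "medium"}
CORRELATION_WINDOW = timedelta(minutes=10)            # config-mode proximity window

# Constructed sample records; the last line is deliberately not a record.
SAMPLE_RECORDS = """\
2024-05-02T10:14:03Z core-rtr-01 user=netops_jane priv=15 src=10.20.0.15 cmd="show process cpu"
2024-05-02T10:31:40Z core-rtr-01 user=helpdesk_bob priv=1 src=10.20.0.22 cmd="sh proc"
2024-05-02T11:02:10Z dist-sw-03 user=netops_jane priv=15 src=198.51.100.7 cmd="show processes memory"
2024-05-02T11:05:55Z dist-sw-03 user=netops_jane priv=15 src=198.51.100.7 cmd="configure terminal"
2024-05-02T11:06:30Z dist-sw-03 user=netops_jane priv=15 src=198.51.100.7 cmd="ip route 0.0.0.0 0.0.0.0 198.51.100.1"
2024-05-02T12:00:00Z core-rtr-01 user=svc_backup priv=15 src=10.20.0.40 cmd="show running-config"
this line is not an accounting record and is skipped by the parser
"""


def parse_records(lines):
    """Parse accounting lines; malformed lines are dropped (a visibility gap)."""
    records = []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        rec["priv"] = int(rec["priv"])
        records.append(rec)
    return records


def analyze(lines):
    """Return one alert per `show process` execution that has unusual context."""
    records = parse_records(lines)

    # Index configuration-mode entries per device for the proximity check.
    config_entries = defaultdict(list)
    for rec in records:
        if CONFIG_MODE_RE.match(rec["cmd"].strip().lower()):
            config_entries[rec["device"]].append(rec)

    alerts = []
    for rec in records:
        if not SHOW_PROCESS_RE.match(rec["cmd"].strip().lower()):
            continue
        reasons = []

        # 1. Unusual device access: source outside the approved management path.
        try:
            src = ipaddress.ip_address(rec["src"])
            if not any(src in net for net in MGMT_NETS):
                reasons.append(f"source {rec['src']} outside approved management networks")
        except ValueError:
            reasons.append(f"unparseable access source {rec['src']!r}")

        # 2. Unauthorized role: the user's role is not approved for diagnostics.
        role = USER_ROLES.get(rec["user"], "unknown")
        if role not in DIAG_ROLES:
            reasons.append(f"role {role!r} not approved for diagnostic commands")

        # 3. Config-mode entry on the same device within the correlation window.
        nearby = [c for c in config_entries[rec["device"]]
                  if abs(c["ts"] - rec["ts"]) <= CORRELATION_WINDOW]
        if nearby:
            who = ", ".join(sorted({c["user"] for c in nearby}))
            reasons.append(f"config mode entered on device within "
                           f"{CORRELATION_WINDOW} by {who}")

        if reasons:
            alerts.append({
                "ts": rec["ts"].isoformat(),
                "device": rec["device"],
                "criticality": DEVICE_CRITICALITY.get(rec["device"], "unknown"),
                "user": rec["user"], "role": role, "priv": rec["priv"],
                "src": rec["src"], "cmd": rec["cmd"], "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_RECORDS.splitlines()):
        print(f"[{alert['criticality']}] {alert['ts']} {alert['device']} "
              f"{alert['user']} ({alert['role']}, priv {alert['priv']}) "
              f"from {alert['src']}: {alert['cmd']!r}")
        for reason in alert["reasons"]:
            print("    -", reason)
```

On the constructed sample the first `show process cpu` from an approved operator on the management network raises nothing, the helpdesk user's `sh proc` is flagged on role alone, and the `show processes memory` from an address outside the management network is flagged twice because a `configure terminal` follows it on the same device four minutes later. The device criticality carried on each alert is what the triage prioritisation in the last bullet above keys on; the dropped non-record line is the kind of gap the blind-spot check should count rather than silently ignore.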

Mitigation priorities

  • Establish centralized logging for network device CLI activity before relying on this analytic.
  • Enforce role-based administrative access and review which roles can access diagnostic and configuration functions.
  • Maintain approved management access paths and investigate access from unexpected sources.
  • Integrate network device administration evidence into change-management and incident-response workflows.
  • Periodically audit logging coverage across routers and switches to identify unmanaged or under-instrumented devices.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Network Devices only. No tactics, technique relationships, aliases, or official detection logic were provided. The useful defensive interpretation is therefore centered on validating network-device command visibility and correlating CLI activity with access and configuration context.

This take is based only on the official STIX fields and the single external reference supplied. It does not establish adversary use, impact, attribution, or guaranteed detection. Local device models, logging configuration, AAA integration, and administrative baselines are required to determine practical coverage.

Official MITRE ATT&CK definition

Analytic 0099

Monitors CLI-based execution of `show process` or equivalent on routers/switches. Correlates unusual device access, unauthorized roles, or config mode changes.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty)
Modified: (empty)
Raw hash: ab5d5ca6f16d860e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    | (empty)         | 1.0            | (empty)  | Current bundle | ab5d5ca6f16d…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0099 (source URL link)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.