AN0257: Analytic 0257
Adversary executes CLI commands like `show users`, `show ssh`, or attempts to dump AAA user lists from routers or switches.
Analyst context for executives and security teams
This analytic is about visibility into suspicious command-line activity on network devices, specifically commands that enumerate logged-in users, SSH sessions, or AAA user information on routers and switches. For leaders, the practical issue is not the command names alone; it is whether the organization can prove who accessed critical network infrastructure, what they queried, and whether that access suggests credential discovery, session awareness, or preparation for follow-on activity.
Executive priority
Network devices are control points for business connectivity and, in some environments, operational continuity. Security leaders should treat this as a coverage validation item: do we collect administrative command history from routers and switches, can we associate activity to named accounts, and can SOC or IR teams rapidly review user and AAA enumeration during an incident? This also supports audit and compliance evidence around privileged access monitoring for network infrastructure.
Technical view
ATT&CK provides a detection analytic for Network Devices where an adversary executes CLI commands such as `show users`, `show ssh`, or attempts to dump AAA user lists from routers or switches. No official detection logic, tactics, or relationship context are supplied, so teams should implement this as a local validation use case rather than a complete rule. SOC and detection engineering should confirm whether network device command accounting, AAA logs, SSH/session logs, and administrative login records capture these commands with timestamp, account, source address, device, and privilege context.
Likely telemetry
- Network device command accounting logs
- AAA authentication, authorization, and accounting records
- Administrative login and session logs for routers and switches
- SSH access logs or session records on network devices
- Configuration or audit logs showing user/AAA enumeration commands where available
Detection direction
- Validate that command-level logging is enabled for administrative access to routers and switches; without it, this analytic may not be observable.
- Alert or review when user/session/AAA enumeration commands occur outside approved administration windows, from unusual source addresses, or by accounts that do not normally perform network administration.
- Tune for legitimate network operations activity, because commands such as `show users` and `show ssh` can be normal troubleshooting behavior.
- Correlate command execution with recent authentication events, privilege changes, failed logins, new device access paths, or incident timelines.
- Because ATT&CK supplies no detection pseudocode or relationships, avoid treating this as a standalone high-confidence detection without local baselining and corroborating telemetry.
Mitigation priorities
- Ensure network device administrative access is tied to named accounts through AAA rather than shared credentials where feasible.
- Enable and retain command accounting and administrative session logging for routers and switches.
- Restrict network device management access to approved management networks and authorized administrator roles.
- Review privileged access policies for network infrastructure and confirm evidence is available for audits and incident response.
- Establish response procedures for suspicious network device enumeration, including account review, session termination decisions, and configuration integrity checks.
Analyst notes and limits
This object is a detection analytic, not a technique description. The supplied ATT&CK fields identify the platform as Network Devices and describe CLI enumeration of users, SSH sessions, or AAA user lists. No tactics, official detection text, or relationship context were supplied, so the value is primarily in prompting telemetry and control validation for network infrastructure administration.
The source does not provide detection logic, data source mappings, related techniques, adversary examples, or mitigations. Any severity, alert thresholds, or assumptions about maliciousness must be derived from the local network environment, administrator behavior, logging capability, and incident context.
Analytic 0257
Adversary executes CLI commands like `show users`, `show ssh`, or attempts to dump AAA user lists from routers or switches.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 6ab3549f556e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0257Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.