AN0296: Analytic 0296
Offline cracking inferred by subsequent successful CLI or web-based authentications into routers or switches from previously dumped accounts
Analyst context for executives and security teams
This analytic is about recognizing a dangerous credential-risk pattern on network devices: accounts that were previously dumped later succeed in logging in to routers or switches through CLI or web interfaces. For leaders, the practical issue is not that the cracking activity itself is directly observed, but the business risk that exposed device credentials may have been cracked offline and then used to access infrastructure that supports connectivity and operations.
Executive priority
Prioritize this as a network infrastructure identity and resilience concern. Routers and switches often sit outside mature identity monitoring compared with servers and cloud platforms, so successful logons using previously exposed accounts can become a blind spot for incident scoping, audit evidence, and business continuity planning. Executives should ask whether network-device authentication logs are collected, whether previously dumped or exposed accounts are tracked, and whether incident response can quickly determine if device access followed credential exposure.
Technical view
SOC and IR teams should validate whether they can correlate two evidence sets: records of previously dumped or exposed accounts, and subsequent successful CLI or web-based authentications to routers or switches. Because the official detection text is not provided and no ATT&CK relationships are supplied, implementation should focus on local correlation logic, asset context for network devices, authentication success events, account identity normalization, and timing between credential exposure and device login. Tuning should account for legitimate administrator access while escalating cases where the same account appears in prior credential-dump evidence and later authenticates to network infrastructure.
Likely telemetry
- Router and switch authentication logs
- CLI login success events for network devices
- Web management interface login success events for network devices
- Account identifiers associated with previously dumped or exposed credentials
- Network device asset inventory and management interface records
Detection direction
- Confirm that routers and switches forward successful authentication events to central monitoring.
- Correlate successful CLI or web logins against accounts known from prior credential-dump evidence.
- Normalize administrator account names across network devices so reused or local accounts are not missed.
- Tune for expected network administration activity, but review successful access after credential exposure as higher priority.
- Check blind spots around devices not sending logs, local-only accounts, unmanaged web interfaces, and short log retention windows.
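The correlation described in the technical view and the detection direction above, written out as an added example; this is not code from MITRE ATT&CK, from the analytic, or from Glexia. The exposed-account list, the device inventory, and the syslog lines are all constructed, and the two message formats (a CLI login-success line and a web-UI login line) are illustrative rather than vendor-exact, so the regular expressions need adapting to the formats your routers and switches actually emit.

```python
"""
Added example: correlate successful router/switch CLI and web logins
against accounts seen in prior credential-dump evidence. All inputs are
constructed; log formats are illustrative, not vendor-exact.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed: accounts found in earlier credential-dump evidence, keyed by
# normalized name, with the time the exposure was recorded.
EXPOSED_ACCOUNTS = {
    "netadmin": datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
    "backup-svc": datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
}

# Constructed: in-scope network-device inventory, hostname -> device type.
DEVICE_INVENTORY = {"core-rtr-01": "router", "dist-sw-03": "switch"}

# Constructed sample log lines. Only success events are parsed; the failed
# login on the last line is deliberately ignored by the success-only regexes.
SAMPLE_LOGS = """\
2024-03-02T14:05:10Z core-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: NetAdmin] [Source: 10.0.5.7] via ssh
2024-03-02T14:20:41Z dist-sw-03 %HTTP-5-LOGIN_OK: user 'backup-svc' logged in from 10.0.5.7
2024-03-02T15:00:00Z dist-sw-03 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: oncall] [Source: 10.0.9.2] via ssh
2024-03-02T15:01:00Z core-rtr-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netadmin] [Source: 10.0.5.7] via ssh
"""

# Illustrative formats (assumed, not vendor documentation).
CLI_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\] via (?P<method>\w+)$"
)
WEB_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %HTTP-5-LOGIN_OK: user '(?P<user>[^']+)' "
    r"logged in from (?P<src>\S+)$"
)


@dataclass
class AuthEvent:
    when: datetime
    host: str
    account: str   # normalized
    source: str
    method: str    # "ssh", "telnet", "web", ...


def normalize_account(raw: str) -> str:
    """Lowercase and strip a DOMAIN\\ prefix or @realm suffix so that a
    locally defined account and a TACACS/RADIUS form of it match."""
    name = raw.strip().lower()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def parse_auth_events(text: str) -> list[AuthEvent]:
    events = []
    for line in text.splitlines():
        m = CLI_RE.match(line)
        method = m["method"] if m else "web"
        if not m:
            m = WEB_RE.match(line)
        if not m:
            continue  # failures and unrelated messages are skipped
        when = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(AuthEvent(when, m["host"], normalize_account(m["user"]),
                                m["src"], method))
    return events


def correlate(events: list[AuthEvent],
              exposed: dict[str, datetime],
              inventory: dict[str, str]) -> list[dict]:
    """Return one finding per successful login by a previously exposed
    account to an inventoried device, with time elapsed since exposure."""
    findings = []
    for ev in sorted(events, key=lambda e: e.when):
        exposed_at = exposed.get(ev.account)
        if exposed_at is None or ev.host not in inventory:
            continue
        if ev.when < exposed_at:
            continue  # login predates the exposure; not this pattern
        hours = (ev.when - exposed_at).total_seconds() / 3600
        findings.append({
            "account": ev.account,
            "host": ev.host,
            "device_type": inventory[ev.host],
            "method": ev.method,
            "source": ev.source,
            "login_time": ev.when.isoformat(),
            "hours_since_exposure": round(hours, 2),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_auth_events(SAMPLE_LOGS), EXPOSED_ACCOUNTS,
                       DEVICE_INVENTORY):
        print(f)
```

Every finding carries the elapsed time since exposure because, per the detection direction above, a successful device login shortly after a dump is the case to escalate first; routine administrator logins by accounts that were never in the dump evidence produce no finding at all, which keeps the tuning burden on the small exposed-account set rather than on all device authentications.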
Mitigation priorities
- Improve collection and retention of network-device authentication logs before relying on this analytic.
- Maintain an incident-accessible list of accounts identified in credential dumping or exposure events.
- Rotate or disable exposed network-device credentials and validate that local accounts are included.
- Restrict and monitor management access paths for router and switch CLI and web interfaces.
- Use the analytic as incident-response triage to determine whether exposed credentials were later used on network infrastructure.
Analyst notes and limits
This object is a detection analytic for Network Devices. Its official description supports an inference model: offline cracking is suspected when previously dumped accounts later authenticate successfully to routers or switches. No tactic, technique relationship, or official detection logic is supplied, so the value comes from correlation readiness rather than a specific rule implementation.
The supplied ATT&CK fields do not provide detection pseudocode, data source mappings, tactics, related techniques, adversary context, or mitigation references. Local evidence is required to define what counts as a previously dumped account, which devices are in scope, and what normal administrator authentication looks like.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c72322169aea… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0296 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.