AN0315: Analytic 0315

This analytic matters because unauthorized or unapproved changes to network device startup configuration can persist across reboots and may alter how the device executes boot-time or scheduled routines. For leaders, the practical question is whether critical network devices have controlled, auditable configuration change monitoring—not just alerting on traffic.

Executive priority

Prioritize this where network devices support business-critical connectivity, segmentation, remote access, or operational environments. The decision value is auditability and resilience: can the organization prove who changed startup configuration, when it changed, whether the change was approved, and how quickly it can be reviewed or rolled back?

Technical view

For SOC, detection engineering, and IR teams, validate monitoring of Network Devices for changes to startup-config files that introduce or modify boot scripts or scheduled execution routines. Because no official detection logic is provided, teams should build environment-specific baselines, compare configuration diffs, and correlate changes with approved maintenance activity and authenticated administrator actions.

Likely telemetry

Network device startup-config and configuration backup archives
Configuration diff or compliance monitoring output
Network device syslog or management-plane event logs
Administrator authentication and accounting records for device changes
Change-management tickets or approved maintenance windows

Detection direction

Alert on startup-config changes that add, remove, or modify boot-time scripts or scheduled execution routines.
Correlate configuration changes with administrator identity, source management location, and approved change windows.
Tune for legitimate automation, firmware maintenance, and scheduled network operations to reduce false positives.
Validate coverage gaps for devices not enrolled in centralized logging, configuration backup, or compliance monitoring.
Check for discrepancies between running configuration and startup configuration where local operating procedures require both to be tracked.

Mitigation priorities

Maintain an authoritative inventory of network devices and ensure startup configurations are centrally backed up.
Restrict and audit administrative access to network device management interfaces.
Require change approval and review for startup-config modifications, especially boot or scheduled execution statements.
Use configuration compliance checks or file/config integrity monitoring where supported by the device environment.
Prepare IR procedures to preserve current and prior configurations and restore known-good configurations when needed.

Analyst notes and limits

This is a detection analytic object, AN0315, for Network Devices. It is focused specifically on detecting changes to startup-config files that include boot scripts or scheduled execution routines. No ATT&CK tactic, technique relationship, analytic query, data component, or procedure relationship was supplied, so implementation must be driven by local device types and configuration standards.

The supplied ATT&CK fields do not include official detection logic, relationships, known threat usage, or vendor/device-specific syntax. This take therefore cannot assert coverage, exploitation, attribution, or impact. Local telemetry availability and configuration formats determine practical detectability.

Official MITRE ATT&CK definition

Analytic 0315

Detection of changes to device startup-config files that include boot scripts or scheduled execution routines.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 95096288064f5e1e...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`95096288064f…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0315
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams