AN0354: Analytic 0354
Use of command-line like `ip ssh pubkey-chain` to bind SSH keys to privileged accounts on routers or switches.
Analyst context for executives and security teams
This analytic matters because SSH key binding on routers or switches can affect who has privileged access to core network infrastructure. For leaders, the practical question is whether changes to privileged network-device authentication are logged, reviewed, and tied to approved administration, because unmanaged SSH key additions can undermine change control and incident containment.
Executive priority
Prioritize validation around privileged access governance for network devices. This behavior is relevant to business continuity because routers and switches support critical connectivity, and unauthorized or poorly governed privileged access can complicate outage response, incident investigation, and audit evidence. Security leaders should ask whether network-device configuration changes involving SSH keys are centrally logged, retained, reviewed, and mapped to accountable administrators or approved change tickets.
Technical view
ATT&CK describes this analytic as the use of command lines like `ip ssh pubkey-chain` to bind SSH keys to privileged accounts on routers or switches. SOC, detection engineering, and IR teams should validate whether network-device command accounting, configuration-change logs, and configuration backups capture SSH public-key chain changes together with the associated user, source, timestamp, target device, and privilege context. Because no official detection logic or tactic mapping is supplied, teams should treat this as a coverage-validation item rather than a finished detection rule.
Likely telemetry
- Network device command accounting or administrative session logs
- Configuration change logs from routers and switches
- Centralized syslog or network management platform records
- AAA/TACACS+/RADIUS accounting records where deployed
- Configuration backup or compliance-drift snapshots showing SSH key bindings
Detection direction
- Confirm that command accounting captures commands related to SSH public-key binding on network devices, including privileged configuration context.
- Correlate observed SSH key binding changes with approved change tickets, authorized administrator identities, and expected maintenance windows.
- Tune for legitimate network engineering activity to reduce false positives, but require review when changes affect privileged accounts or occur outside approved workflows.
- Check for blind spots where device logs are local-only, overwritten quickly, not forwarded to the SIEM, or lack the initiating administrator identity.
- Use configuration-drift monitoring to identify persistent key additions even when real-time command telemetry is incomplete.
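An added example, not part of the ATT&CK object or Glexia's analysis, showing how the first two bullets can be exercised against command-accounting lines: it reconstructs SSH key-binding events (pubkey-chain mode, then the selected `username`, then a `key-hash`/`key-string` line) and ties each event to an approved change window or flags it for review. The log format is loosely modeled on Cisco IOS configuration-change logging; every line, hostname, user, key hash and ticket is constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines, loosely modeled on Cisco IOS config-change logging;
# hostnames, users and key hashes are made up for this example.
SAMPLE_LOG = """\
2024-05-02T01:12:03Z sw-core-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops.alice logged command:ip ssh pubkey-chain
2024-05-02T01:12:05Z sw-core-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops.alice logged command:username admin
2024-05-02T01:12:07Z sw-core-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops.alice logged command:key-hash ssh-rsa 0123456789ABCDEF0123456789ABCDEF
2024-05-02T03:40:10Z rtr-edge-02 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup logged command:ip ssh pubkey-chain
2024-05-02T03:40:12Z rtr-edge-02 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup logged command:username admin
2024-05-02T03:40:15Z rtr-edge-02 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup logged command:key-hash ssh-rsa FEDCBA9876543210FEDCBA9876543210
"""
# Constructed approved change window: which admin may touch which device, and when.
APPROVED_CHANGES = [{"ticket": "CHG-1001", "user": "netops.alice", "device": "sw-core-01",
                     "start": "2024-05-02T01:00:00Z", "end": "2024-05-02T02:00:00Z"}]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) %PARSER-5-CFGLOG_LOGGEDCMD: "
                     r"User:(?P<user>\S+) logged command:(?P<cmd>.*)$")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_key_bindings(log_text):
    """Reconstruct key-binding events per (device, admin) session: 'ip ssh
    pubkey-chain' enters the mode, 'username X' selects the target account, and
    a key-hash/key-string line completes one binding of a key to that account."""
    target, events = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["cmd"].strip():
            continue
        sess, cmd = (m["device"], m["user"]), m["cmd"].split()
        if cmd[:3] == ["ip", "ssh", "pubkey-chain"]:
            target[sess] = None                 # in pubkey-chain mode, no account yet
        elif sess in target and cmd[0] == "username" and len(cmd) > 1:
            target[sess] = cmd[1]
        elif target.get(sess) and cmd[0] in ("key-hash", "key-string"):
            events.append({"ts": m["ts"], "device": m["device"], "admin": m["user"],
                           "account": target[sess], "cmd": " ".join(cmd)})
    return events

def review(events, approved=APPROVED_CHANGES):
    """Tie each binding to an approved ticket (same admin, device, window) or flag it."""
    out = []
    for ev in events:
        t = _ts(ev["ts"])
        ticket = next((c["ticket"] for c in approved if c["user"] == ev["admin"]
                       and c["device"] == ev["device"] and _ts(c["start"]) <= t <= _ts(c["end"])), None)
        out.append({**ev, "ticket": ticket, "status": "approved" if ticket else "REVIEW"})
    return out
```

Running `review(find_key_bindings(SAMPLE_LOG))` marks the netops.alice binding as approved under CHG-1001 and the svc-backup binding on rtr-edge-02 as REVIEW, since no ticket covers that admin, device and time.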
Mitigation priorities
- Enforce centralized AAA and named administrator accounts for network-device management where supported.
- Require change approval and review for privileged account and SSH key configuration changes on routers and switches.
- Forward and retain network-device administrative logs in a centralized platform suitable for investigation and audit evidence.
- Periodically review privileged network-device accounts and authorized SSH keys against expected owners.
- Maintain configuration backups and compare them for unauthorized authentication or privilege-related changes.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Network Devices and provides only a short description. No official detection text, tactics, labels, aliases, or relationship context were supplied. This assessment therefore focuses on defensive validation and governance around the described configuration behavior rather than claiming a specific adversary technique, campaign, or detection implementation.
This assessment is limited to the supplied STIX fields and MITRE external reference for AN0354. Local device vendors, operating systems, logging formats, AAA architecture, and change-management processes will determine whether the suggested telemetry and detections are feasible. No active exploitation, attribution, impact, or guaranteed coverage is implied.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 860b902414ab… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0354
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.