AN0387: Analytic 0387
Execution of destructive CLI commands such as 'erase startup-config', 'erase flash:' or 'format disk' on routers/switches. Detect privilege level escalation preceding destructive commands.
Analyst context for executives and security teams
This analytic is about spotting destructive command-line activity on network devices, specifically commands that can erase startup configuration, flash storage, or disks on routers and switches. For leaders, the practical issue is operational resilience: if core network devices are wiped or lose configuration, outages can affect business services, incident response coordination, and recovery timelines.
Executive priority
Treat this as a continuity and recovery-control validation item for network infrastructure. Executives and security leaders should ask whether destructive administrative actions on routers and switches are logged, reviewed, and recoverable from known-good configuration backups. The priority is not just detection, but proving that privileged network-device activity can be traced before a disruption and that recovery evidence exists for audit, incident response, and resilience planning.
Technical view
The supplied analytic applies to Network Devices and describes detection of destructive CLI commands such as 'erase startup-config', 'erase flash:', and 'format disk', with attention to privilege level escalation preceding those commands. SOC and IR teams should validate whether network-device command accounting, authentication events, privilege changes, and configuration-change logs are collected and correlated. Because ATT&CK does not provide a separate official detection field or tactic for this object, local implementation should focus on observable command execution and privilege transition evidence rather than assuming broader ATT&CK context.
Likely telemetry
- Network device command accounting or CLI audit logs
- Router and switch authentication and authorization logs
- Privilege level change or escalation events on network devices
- Configuration change logs, including startup/running configuration activity
- Centralized syslog or network management platform records for routers and switches
Detection direction
- Create or validate alerts for destructive CLI commands on routers and switches, including erase or format operations named in the analytic description.
- Correlate destructive commands with preceding privilege level escalation, especially when the same account or session transitions to an elevated role shortly before the command.
- Tune for authorized maintenance windows and approved change records to reduce false positives without suppressing high-risk destructive actions.
- Check blind spots where network devices do not forward command logs, send logs only locally, or lack reliable timestamp synchronization.
- Confirm that detection logic covers both command execution and the context needed for triage: user, device, source session, privilege level, and timing.
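As an added example (not part of the ATT&CK object or of Glexia's analysis), the Python below sketches the correlation described in this section: it parses constructed command-accounting lines in an assumed simplified layout (not any vendor's real syslog format), flags the destructive commands named in the analytic, enriches each hit with any privilege level change by the same device, user and session shortly before, and lowers severity inside an approved change window without ever suppressing the alert.

```python
import re
from datetime import datetime, timedelta

# Destructive CLI commands named in the analytic; prefix match, case-insensitive.
DESTRUCTIVE = re.compile(r"^(erase\s+startup-config|erase\s+flash:|format\s+disk)", re.I)
# Constructed line layout (an assumption, not any vendor's real syslog format):
#   <ISO timestamp> <device> user=<u> session=<s> PRIV <level>   or   ... CMD <command>
LINE = re.compile(r"^(\S+) (\S+) user=(\S+) session=(\S+) (PRIV|CMD) (.*)$")

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # not an accounting line we understand
    ts, device, user, session, kind, detail = m.groups()
    return {"ts": datetime.fromisoformat(ts), "device": device, "user": user,
            "session": session, "kind": kind, "detail": detail}

def detect(lines, window=timedelta(minutes=10), approved_windows=()):
    # Alert on every destructive command; raise severity when the same device/user/
    # session escalated privilege within `window` beforehand. approved_windows holds
    # (device, start_iso, end_iso) change records; a match lowers severity to 'review'.
    last_priv = {}  # (device, user, session) -> (timestamp, privilege level)
    alerts = []
    for ev in filter(None, map(parse, lines)):
        key = (ev["device"], ev["user"], ev["session"])
        if ev["kind"] == "PRIV":
            last_priv[key] = (ev["ts"], int(ev["detail"]))
            continue
        if not DESTRUCTIVE.match(ev["detail"]):
            continue
        alert = {"device": ev["device"], "user": ev["user"], "session": ev["session"],
                 "command": ev["detail"], "ts": ev["ts"].isoformat(), "priv_level": None,
                 "escalation_secs_before": None, "severity": "high"}
        prior = last_priv.get(key)
        if prior and timedelta(0) <= ev["ts"] - prior[0] <= window:
            alert["priv_level"] = prior[1]
            alert["escalation_secs_before"] = int((ev["ts"] - prior[0]).total_seconds())
            alert["severity"] = "critical"
        # ISO strings of the same precision compare chronologically as plain strings.
        if any(d == ev["device"] and s <= alert["ts"] <= e for d, s, e in approved_windows):
            alert["severity"] = "review"  # approved change: triage later, never drop
        alerts.append(alert)
    return alerts

# Constructed sample telemetry (not captured from a real device).
SAMPLE = [
    "2024-05-01T02:11:30 core-rtr1 user=ops1 session=vty0 PRIV 15",
    "2024-05-01T02:12:05 core-rtr1 user=ops1 session=vty0 CMD erase startup-config",
    "2024-05-01T09:00:00 edge-sw2 user=neteng session=vty1 CMD format disk",
]
```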
Mitigation priorities
- Prioritize centralized logging for network-device administrative sessions and destructive commands.
- Restrict privileged access to routers and switches using role-based administration and approved change processes.
- Require recoverable, tested backups of network device configurations and relevant storage images where applicable.
- Review authorization for commands that can erase configuration or storage, and separate routine administration from destructive maintenance operations.
- Use incident response runbooks that include rapid validation of device state, configuration restoration, and preservation of command-history evidence.
Analyst notes and limits
This object is a detection analytic, not a technique, and no relationships were supplied. The most decision-useful context is the official description: destructive CLI commands on routers and switches and privilege escalation preceding them. Glexia would use this to drive a control validation exercise for network-device logging, privileged access governance, and recovery readiness.
The ATT&CK object does not specify tactics, relationships, or an official detection procedure beyond the description. It supports Network Devices only. Any assessment of exposure, exploitation, or detection coverage requires local device inventory, logging configuration, access-control design, and change-management evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4434bdad75d8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0387 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.