MITRE ATT&CK® Analytic

AN0399: Analytic 0399

Detects unauthorized or anomalous use of command-line interfaces (CLI) on network devices. Focuses on remote access sessions (e.g., SSH/Telnet), privilege escalation within CLI sessions, execution of high-risk commands (e.g., config replace, terminal monitor, no logging), and configuration changes outside of approved windows.

Enterprise | AN0399 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because network device command-line access is often where operational control is changed directly. Unauthorized SSH/Telnet sessions, privilege escalation inside a device CLI, high-risk commands, or configuration changes outside approved windows can affect routing, visibility, logging, and resilience. For leaders, the key issue is whether the organization can prove who accessed network infrastructure, what they changed, when they changed it, and whether those actions were authorized.

Executive priority

Prioritize this as a control-evidence and operational-resilience question for network infrastructure. Executives and risk owners should ask whether network device administration is monitored with enough fidelity to support incident response, change-control audits, and rapid rollback decisions. Because the supplied ATT&CK object is limited to Network Devices and has no tactic or relationship context, the business value is strongest around governance of privileged network administration, SOC visibility, and configuration-change assurance rather than attribution or campaign-specific threat activity.

Technical view

SOC, detection engineering, and IR teams should validate monitoring for anomalous or unauthorized CLI use on network devices: remote access sessions such as SSH or Telnet, privilege changes within a session, execution of high-risk commands (configuration replacement, terminal monitoring, disabling logging), and configuration changes outside approved maintenance windows. Since the official detection field is not provided, teams should translate the description into local detection logic using the network device logs, AAA records, configuration management records, and change calendars they actually have.

Likely telemetry

  • Network device authentication and session logs for SSH and Telnet access
  • AAA/TACACS+/RADIUS authorization and accounting records where available
  • CLI command accounting logs or equivalent command history records
  • Configuration change logs and configuration backup/version records
  • Privilege level or role transition events within administrative sessions

Detection direction

  • Correlate CLI sessions with approved administrators, source locations, access methods, and change tickets.
  • Alert on high-risk commands identified in the ATT&CK description, including config replace, terminal monitor, no logging, and similar commands that alter visibility or device state.
  • Detect configuration changes occurring outside approved windows or without corresponding change records.
  • Validate whether privilege escalation or role changes inside CLI sessions are logged with user identity and timestamp detail.
  • Tune for legitimate emergency changes and scheduled maintenance to reduce false positives, but require after-the-fact evidence for exceptions.
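The detection direction above, turned into a small rule set run over constructed command-accounting records (an added example, not Glexia's or MITRE's code). The approved admins, source IPs, change window and ticket field are assumed local policy; the sample records are constructed and only shaped like TACACS+ command accounting.

```python
import re
from datetime import datetime

# High-risk CLI commands named in AN0399, matched as normalised prefixes.
HIGH_RISK = ("config replace", "terminal monitor", "no logging")
# Commands treated as configuration changes (assumed for this example).
CONFIG_CHANGE = ("configure terminal", "config replace", "copy ", "write ", "no logging")
# Assumed local policy, constructed for this example: user -> allowed source IPs.
APPROVED_ADMINS = {"netops1": {"10.0.5.10"}}
APPROVED_METHODS = {"ssh"}
CHANGE_WINDOWS = [(datetime(2026, 3, 1, 2, 0), datetime(2026, 3, 1, 4, 0))]

def normalise(cmd):
    """Collapse whitespace and case so 'Config  Replace' still matches."""
    return re.sub(r"\s+", " ", cmd.strip().lower())

def in_window(ts):
    return any(start <= ts <= end for start, end in CHANGE_WINDOWS)

def analyse(records):
    """Return (ts, user, reason) findings from one device's command-accounting records."""
    findings = []
    for r in records:
        ts = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S")
        cmd = normalise(r["cmd"])
        flag = lambda reason: findings.append((r["ts"], r["user"], reason))
        if r["src"] not in APPROVED_ADMINS.get(r["user"], set()):
            flag("session from unapproved admin or source")
        if r["method"] not in APPROVED_METHODS:
            flag(f"unapproved access method: {r['method']}")
        if cmd.startswith(HIGH_RISK):
            flag(f"high-risk command: {cmd}")
        if cmd.startswith(CONFIG_CHANGE) and (not in_window(ts) or not r.get("ticket")):
            flag("config change outside approved window or without change ticket")
        if cmd == "enable" and r["priv"] == 15 and not r["user"]:
            flag("privilege escalation not attributable to a user identity")
    return findings

# Constructed sample records (not real device output).
SAMPLE = [
    {"ts": "2026-03-01 02:15:00", "user": "netops1", "src": "10.0.5.10", "method": "ssh",
     "priv": 15, "cmd": "configure terminal", "ticket": "CHG-1001"},
    {"ts": "2026-03-01 14:29:00", "user": "", "src": "10.0.5.10", "method": "ssh",
     "priv": 15, "cmd": "enable"},
    {"ts": "2026-03-01 14:30:05", "user": "netops1", "src": "10.0.5.10", "method": "ssh",
     "priv": 15, "cmd": "config  replace flash:old.cfg"},
    {"ts": "2026-03-01 14:31:10", "user": "netops1", "src": "10.0.5.10", "method": "ssh",
     "priv": 15, "cmd": "no logging host 10.0.9.2"},
    {"ts": "2026-03-02 03:10:00", "user": "contractor", "src": "203.0.113.7", "method": "telnet",
     "priv": 15, "cmd": "terminal monitor"},
]

if __name__ == "__main__":
    for ts, user, reason in analyse(SAMPLE):
        print(ts, user or "<no user>", reason)
```

The in-window, ticketed `configure terminal` record produces no finding, which is the false-positive tuning the last bullet asks for; every other record trips at least one rule.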

Mitigation priorities

  • Ensure administrative access to network devices is tied to centralized identity, authorization, and accounting where feasible.
  • Require approved change windows and documented exceptions for configuration changes.
  • Enable and retain command accounting, authentication, and configuration-change logs for network devices.
  • Restrict or closely review use of high-risk commands that can replace configuration, alter monitoring, or disable logging.
  • Maintain configuration backups and version history to support rapid comparison and recovery.

Analyst notes and limits

This Glexia take is based only on ATT&CK analytic AN0399 as supplied. The object provides a useful behavioral description but no official detection logic, no tactics, and no relationship context. Treat it as a prompt to validate network device administration monitoring and change-control evidence rather than as a complete detection specification.

The supplied object does not include ATT&CK tactics, related techniques, adversary relationships, or a formal detection section. Local device platforms, logging capabilities, AAA architecture, retention, and change-management practices will determine practical coverage. No claim is made about active exploitation, attribution, or guaranteed detection.

Official MITRE ATT&CK definition

Analytic 0399

Detects unauthorized or anomalous use of command-line interfaces (CLI) on network devices. Focuses on remote access sessions (e.g., SSH/Telnet), privilege escalation within CLI sessions, execution of high-risk commands (e.g., config replace, terminal monitor, no logging), and configuration changes outside of approved windows.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 009946bb9d59f03c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 009946bb9d59…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN0399 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.