AN0427: Analytic 0427
Detects use of unencrypted protocols (e.g., TFTP, FTP, HTTP) to transfer configuration files, routing tables, or logs to untrusted IP addresses, especially using administrative commands like `copy run ftp:`.
Analyst context for executives and security teams
AN0427 matters because it focuses on network devices sending sensitive operational data—such as configuration files, routing tables, or logs—over unencrypted protocols to untrusted IP addresses. For executives and security leaders, this is a practical resilience issue: exposed device configurations can reveal architecture, access paths, and operational dependencies that would make incident response harder and recovery riskier.
Executive priority
Prioritize this analytic where network devices are critical to business continuity or regulated operations. Leaders should ask whether teams can prove that configuration exports, log transfers, and routing data movement are encrypted, authorized, and sent only to approved destinations. This also supports audit and compliance evidence by showing whether administrative data handling is monitored and controlled.
Technical view
For SOC, detection engineering, and IR teams, validate visibility into network-device administrative transfers involving unencrypted protocols such as TFTP, FTP, and HTTP. The analytic specifically calls out transfers of configuration files, routing tables, or logs to untrusted IP addresses, including administrative command patterns such as `copy run ftp:`. Because no official detection logic is provided, teams need to define local allowlists for approved management servers and investigate deviations by destination, protocol, device, user or session context, and transferred data type where available.
Likely telemetry
- Network device command logs or administrative session logs
- AAA/accounting logs from network infrastructure
- Network flow records showing TFTP, FTP, or HTTP transfers from network devices
- Firewall or network security logs showing destinations and protocols
- Configuration management or backup system logs
Detection direction
- Build detection around network devices initiating unencrypted TFTP, FTP, or HTTP transfers to destinations outside approved management or backup infrastructure.
- Tune using an explicit inventory of network devices and authorized configuration, log, and routing-table collection systems.
- Correlate administrative commands, where logged, with network flows to reduce false positives from approved backup or maintenance activity.
- Pay attention to blind spots where device command logging, AAA accounting, or east-west network flow visibility is incomplete.
- Because ATT&CK provides no official detection logic for this analytic, validate detection behavior with benign administrative test cases and local change-management records.
Mitigation priorities
- Maintain an approved destination list for network-device configuration, routing, and log transfers.
- Prefer encrypted and authenticated management and transfer mechanisms where supported by the device and operational requirements.
- Restrict network-device egress so administrative data cannot be sent to arbitrary IP addresses.
- Ensure administrative command logging and AAA/accounting are enabled for network devices.
- Review configuration backup processes to confirm they do not rely on unencrypted protocols except where formally risk-accepted and monitored.
Analyst notes and limits
This is a detection analytic for the enterprise ATT&CK domain and the supplied platform is Network Devices. No tactics, relationships, or official detection logic were supplied, so this take emphasizes validation questions, telemetry requirements, and control priorities rather than specific ATT&CK technique linkage.
Assessment is limited to the supplied STIX fields and external reference for AN0427. No active exploitation, attribution, relationship context, or guaranteed detection coverage is implied. Local asset inventory, network architecture, administrative workflows, and logging configuration are required to determine applicability and coverage.
Analytic 0427
Detects use of unencrypted protocols (e.g., TFTP, FTP, HTTP) to transfer configuration files, routing tables, or logs to untrusted IP addresses, especially using administrative commands like `copy run ftp:`.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | acda2b186697… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0427Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.