MITRE ATT&CK® Analytic

AN0461: Analytic 0461

Chain: (1) privileged CLI sessions run read-only commands that dump AAA/password policies (e.g., `show aaa`, `show password-policy`); (2) same account changes AAA or user DB shortly after. Use network device AAA/command accounting or syslog.

Enterprise · AN0461 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN0461 focuses on a high-value network device behavior pattern: a privileged user first reviews AAA or password policy settings, then soon after changes AAA configuration or the local user database. For leaders, this matters because network device identity controls can determine who can administer routing, switching, and other infrastructure. A suspicious sequence here may indicate preparation for unauthorized access changes, policy weakening, or account manipulation that could affect operational resilience.

Executive priority

Prioritize this analytic where network devices are business-critical and privileged administration is tightly controlled. The key leadership question is whether the organization has usable AAA, command accounting, or syslog evidence to reconstruct privileged activity on network devices. This supports incident decision-making, compliance evidence for administrative control monitoring, and validation that identity governance extends beyond servers and cloud into infrastructure devices.

Technical view

SOC and detection teams should validate whether network device logs capture both sides of the chain: read-only commands that expose AAA or password policy configuration, followed shortly by AAA or user database changes by the same account. Because ATT&CK does not provide a separate detection implementation here, teams should define the local time window, command patterns, device coverage, and account normalization needed to correlate sessions reliably across AAA/command accounting and syslog sources.

Likely telemetry

  • Network device AAA accounting logs
  • Network device command accounting records
  • Network device syslog events
  • Privileged CLI session records
  • Configuration change events affecting AAA settings or local user databases

Detection direction

  • Correlate read-only AAA/password policy inspection commands with subsequent AAA or user database modification by the same account within a locally defined short interval.
  • Validate that command logging includes privileged CLI commands, not only login/logout events.
  • Tune expected administrative workflows, such as approved maintenance windows or documented access reviews, to reduce false positives.
  • Check for blind spots where network devices do not forward command accounting or where syslog lacks command detail.
  • Normalize account names across AAA and device logs so the same administrator is not represented inconsistently.
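The following is an added worked example, not code from MITRE or from Glexia's page, of the correlation the chain description and the detection direction above call for: parse command accounting records, normalize the account name (lower-case, realm suffix stripped), flag an AAA or user-database change that follows a read-only AAA/password-policy inspection by the same account within a window, and report devices whose accounting contains only session start/stop events (the command-logging blind spot). The record layout, the inspection and change command lists, the 15-minute window and every sample line are assumptions constructed for this example; a real deployment would replace them with the local platform's syntax and the organization's own window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

# Constructed sample TACACS+-style command accounting, one record per line.
# Field layout, hostnames, usernames and commands are invented for this example.
SAMPLE_ACCOUNTING = """\
2025-03-01T09:59:50Z core-sw1 tacacs+ user=jdoe start session
2025-03-01T10:00:02Z core-sw1 tacacs+ user=jdoe@corp.example cmd="show aaa"
2025-03-01T10:00:40Z core-sw1 tacacs+ user=JDOE cmd="show password-policy"
2025-03-01T10:04:10Z core-sw1 tacacs+ user=jdoe cmd="username svc-audit privilege 15 secret ***"
2025-03-01T11:30:00Z core-sw1 tacacs+ user=asmith cmd="show aaa"
2025-03-01T13:00:00Z lab-sw9 tacacs+ user=jdoe start session
2025-03-01T13:05:00Z lab-sw9 tacacs+ user=jdoe stop session
2025-03-01T12:00:00Z edge-rtr2 tacacs+ user=ops cmd="show version"
2025-03-01T12:00:05Z edge-rtr2 tacacs+ user=ops cmd="show running-config | include aaa"
2025-03-01T12:02:00Z edge-rtr2 tacacs+ user=ops cmd="no aaa authentication login default group tacacs+ local"
2025-03-01T15:10:00Z core-sw1 tacacs+ user=asmith cmd="aaa authentication login default local"
"""

# Assumed record format: "<iso-ts> <device> tacacs+ user=<account> cmd="<cmd>"" or
# "<iso-ts> <device> tacacs+ user=<account> start|stop session".
RECORD_RE = re.compile(
    r'^(?P<ts>\S+) (?P<device>\S+) tacacs\+ user=(?P<user>\S+) '
    r'(?:cmd="(?P<cmd>[^"]*)"|(?P<event>start|stop) session)$'
)

# Assumed local command lists; the analytic leaves these to the implementer.
INSPECT_PATTERNS = [re.compile(p, re.I) for p in (
    r"^show aaa\b",
    r"^show password-policy\b",
    r"^show running-config \| include aaa",
)]
CHANGE_PATTERNS = [re.compile(p, re.I) for p in (
    r"^(no )?aaa\b",
    r"^(no )?username\b",
    r"^(no )?password-policy\b",
    r"^(no )?(tacacs|radius)-server\b",
)]


def normalize_account(raw: str) -> str:
    """Assumed normalization: drop a realm suffix and fold case so
    'JDOE', 'jdoe' and 'jdoe@corp.example' are one administrator."""
    return raw.split("@", 1)[0].lower()


def parse_accounting(text: str) -> List[dict]:
    """Parse accounting lines into dicts sorted by timestamp."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # unparsable lines are skipped here; count them in production
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "device": m["device"],
            "user": normalize_account(m["user"]),
            "cmd": m["cmd"],      # None for session start/stop records
            "event": m["event"],  # None for command records
        })
    records.sort(key=lambda r: r["ts"])
    return records


def correlate(records: List[dict], window: timedelta = timedelta(minutes=15)) -> List[dict]:
    """Alert when an AAA/user-DB change by an account follows a read-only
    AAA or password-policy inspection by the same account within `window`."""
    recent_inspect = defaultdict(list)  # normalized account -> inspection records
    alerts = []
    for r in records:
        cmd = r["cmd"]
        if cmd is None:
            continue
        if any(p.search(cmd) for p in INSPECT_PATTERNS):
            recent_inspect[r["user"]].append(r)
            continue
        if any(p.search(cmd) for p in CHANGE_PATTERNS):
            cutoff = r["ts"] - window
            prior = [i for i in recent_inspect[r["user"]] if i["ts"] >= cutoff]
            if prior:
                alerts.append({
                    "user": r["user"],
                    "device": r["device"],
                    "change_cmd": cmd,
                    "change_ts": r["ts"].isoformat(),
                    "inspect_cmds": [i["cmd"] for i in prior],
                    "seconds_since_first_inspect": int((r["ts"] - prior[0]["ts"]).total_seconds()),
                })
    return alerts


def coverage_gaps(records: List[dict]) -> List[str]:
    """Devices that sent only session start/stop records and no command
    records: the analytic cannot see either half of the chain there."""
    counts = defaultdict(lambda: {"session": 0, "cmd": 0})
    for r in records:
        counts[r["device"]]["cmd" if r["cmd"] is not None else "session"] += 1
    return sorted(d for d, c in counts.items() if c["cmd"] == 0)


if __name__ == "__main__":
    recs = parse_accounting(SAMPLE_ACCOUNTING)
    for a in correlate(recs):
        print(f"{a['user']} on {a['device']}: {a['inspect_cmds']} then "
              f"'{a['change_cmd']}' after {a['seconds_since_first_inspect']}s")
    print("devices without command accounting:", coverage_gaps(recs))
```

On the sample data this produces two review triggers (jdoe on core-sw1 and ops on edge-rtr2), no alert for asmith because the change comes hours after the inspection, and names lab-sw9 as a device where only login/logout is logged. The two inspections by jdoe arrive under three different spellings of the account and are still joined to one administrator because normalization runs before correlation.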

Mitigation priorities

  • Ensure network devices send AAA, command accounting, and relevant syslog events to monitored log infrastructure.
  • Restrict and review privileged access to AAA configuration and local user database management functions.
  • Require change control or documented approval for AAA and user database modifications on network devices.
  • Periodically test whether privileged CLI activity can be reconstructed during an incident.
  • Use detection output as a review trigger rather than proof of malicious activity, since legitimate administrators may inspect policy before making authorized changes.

Analyst notes and limits

This object is a detection analytic for Network Devices. Its value is in correlating a sequence of privileged administrative behavior, not in identifying a specific adversary or campaign. Since no relationship context and no official detection logic were supplied, implementation details such as exact command lists, time windows, severity, and exception handling must be defined from local device platforms and administrative procedures.

The supplied ATT&CK fields do not specify tactics, related techniques, mitigations, data components, or a complete detection query. No active exploitation, attribution, impact outcome, or guaranteed detection coverage can be inferred. Local logging quality and command accounting coverage will determine whether this analytic is actionable.

Official MITRE ATT&CK definition

Analytic 0461

Chain: (1) privileged CLI sessions run read-only commands that dump AAA/password policies (e.g., `show aaa`, `show password-policy`); (2) same account changes AAA or user DB shortly after. Use network device AAA/command accounting or syslog.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
f069adc4499f3696...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle f069adc4499f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0461

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.