MITRE ATT&CK® Analytic

AN0830: Analytic 0830

Execution of destructive CLI commands such as format flash:, format disk, or equivalent vendor-specific commands that erase filesystem structures. Detection correlates AAA logs showing privileged access with immediate format/erase commands.

Enterprise | AN0830 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because destructive commands on network devices can remove local filesystems or storage structures and disrupt recovery, availability, and operations. For executives and security leaders, the decision point is whether privileged network-device administration is observable enough to prove who accessed a device and whether a destructive command followed.

Executive priority

Prioritize this as an operational resilience and privileged-access governance issue for network devices. Leaders should ask whether AAA logging is consistently enabled, retained, and reviewed for privileged sessions, and whether destructive administrative actions such as format or erase commands would trigger rapid incident response. This also supports audit evidence around administrative accountability and change control.

Technical view

The supplied ATT&CK analytic describes correlating AAA logs that show privileged access with immediate execution of destructive CLI commands such as format flash:, format disk, or equivalent vendor-specific erase/format commands on network devices. SOC and IR teams should validate whether network-device AAA events and command accounting are collected centrally, time-synchronized, and searchable by user, device, privilege level, session, and command. No ATT&CK tactics or relationship context were supplied, so detection engineering should stay focused on the described behavior rather than inferred campaign context.

Likely telemetry

  • Network device AAA authentication, authorization, and accounting logs
  • Privileged administrative session records
  • Command accounting logs showing format, erase, or vendor-equivalent destructive filesystem commands
  • Device identifiers, usernames, privilege levels, timestamps, and session correlation fields
  • Change-management or maintenance-window records for false-positive review

Detection direction

  • Confirm that AAA command accounting captures the relevant destructive commands on supported network devices.
  • Correlate privileged access with near-term execution of format, erase, or equivalent vendor-specific commands.
  • Tune for authorized maintenance activity to reduce false positives, but require evidence of approved change context.
  • Validate timestamp consistency across AAA servers, log collectors, and network devices.
  • Identify blind spots where devices do not send command accounting, logs are stored only locally, or privileged shared accounts prevent user attribution.
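
A minimal sketch of the correlation described above, as an added example that is not MITRE's or Glexia's detection logic. The key=value record layout, the privilege threshold of 15, the five-minute window and the change-ticket record are assumptions made for illustration, and all log lines are constructed.

```python
import re
import shlex
from datetime import datetime, timedelta

# Constructed AAA accounting records in a simplified key=value layout
# (illustrative only; real field names depend on the AAA server and vendor).
SAMPLE_LOG = '''\
2025-03-04T02:14:07Z device=edge-rtr-01 user=jsmith session=41 priv=15 event=start
2025-03-04T02:14:31Z device=edge-rtr-01 user=jsmith session=41 priv=15 event=cmd cmd="format flash:"
2025-03-04T09:00:00Z device=core-sw-02 user=netops session=77 priv=15 event=start
2025-03-04T09:45:10Z device=core-sw-02 user=netops session=77 priv=15 event=cmd cmd="show version"
2025-03-04T10:30:00Z device=core-sw-02 user=netops session=77 priv=15 event=cmd cmd="format disk"
2025-03-04T11:30:00Z device=core-sw-02 user=alee session=80 priv=15 event=start
2025-03-04T11:30:20Z device=core-sw-02 user=alee session=80 priv=15 event=cmd cmd="erase flash:"
'''
DESTRUCTIVE = re.compile(r"^\s*(format|erase)\b", re.IGNORECASE)
PRIV_MIN = 15                  # assumption: level treated as privileged
WINDOW = timedelta(minutes=5)  # assumption: what "immediate" means; tune locally
# Constructed change records: (device, window start, window end, ticket)
CHANGES = [("core-sw-02", "2025-03-04T11:00:00Z", "2025-03-04T12:00:00Z", "CHG-EXAMPLE-1")]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse(line):
    stamp, *pairs = shlex.split(line)  # shlex keeps quoted commands whole
    rec = dict(p.split("=", 1) for p in pairs)
    rec["time"] = ts(stamp)
    return rec

def detect(log, changes=CHANGES):
    """Flag format/erase commands issued within WINDOW of a privileged session start."""
    starts, findings = {}, []
    for rec in sorted(map(parse, log.splitlines()), key=lambda r: r["time"]):
        key = (rec["device"], rec["session"])
        if rec["event"] == "start" and int(rec["priv"]) >= PRIV_MIN:
            starts[key] = rec["time"]
        elif rec["event"] == "cmd" and DESTRUCTIVE.match(rec["cmd"]) and key in starts:
            delay = rec["time"] - starts[key]
            if delay <= WINDOW:
                # Keep the finding and attach change evidence rather than dropping it.
                ticket = next((t for d, a, b, t in changes
                               if d == rec["device"] and ts(a) <= rec["time"] <= ts(b)), None)
                findings.append({"device": rec["device"], "user": rec["user"],
                                 "cmd": rec["cmd"], "delay_s": int(delay.total_seconds()),
                                 "change_ticket": ticket})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The 10:30 "format disk" in session 77 falls outside the window and is not correlated by this rule, which shows how the choice of WINDOW bounds coverage.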

Mitigation priorities

  • Ensure privileged network-device access is tied to accountable identities rather than unmanaged shared use.
  • Enable and centrally retain AAA and command accounting logs for network devices.
  • Require change approval and operational safeguards for destructive filesystem commands.
  • Review administrative privilege assignments for users able to execute format or erase operations.
  • Test incident response procedures for rapid triage when destructive network-device commands are observed.

Analyst notes and limits

This take is based only on the supplied ATT&CK analytic fields. The object is a detection analytic for Network Devices and specifically references destructive CLI commands and AAA log correlation. No relationships, aliases, labels, tactics, or official detection logic were supplied.

ATT&CK did not provide a separate official detection section for this object, and no relationship context was supplied. Local validation is required to determine which network-device platforms, command syntaxes, AAA configurations, retention policies, and authorized maintenance patterns apply.

Official MITRE ATT&CK definition

Analytic 0830

Execution of destructive CLI commands such as format flash:, format disk, or equivalent vendor-specific commands that erase filesystem structures. Detection correlates AAA logs showing privileged access with immediate format/erase commands.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 12287f23f877fb34...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 12287f23f877…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0830

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.