MITRE ATT&CK® Analytic

AN0845: Analytic 0845

Router/switch receives a knock pattern (same src touches device unicast, broadcast, and network-address on same or stepped ports) followed by ACL/line-vty/service enable and the first mgmt session success.

Enterprise | AN0845 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN0845 is a detection analytic for network devices where a router or switch receives an unusual access pattern before management access is enabled and successfully used. For leaders, the value is not the “knock” pattern itself; it is the possibility that a network infrastructure device may transition from being probed to being administratively reachable, which can affect resilience, segmentation, and incident containment.

Executive priority

Treat this as a control-validation item for network infrastructure monitoring. Security leaders should ask whether router and switch management-plane activity is logged, whether configuration changes such as ACL, line-vty, or service enablement are reviewed, and whether first successful management sessions are visible to the SOC. This analytic can support audit and incident-readiness evidence, but only if the organization collects both pre-access traffic context and post-change management activity.

Technical view

The supplied ATT&CK object is a detection analytic for Network Devices. It describes a router or switch receiving a knock-like pattern from the same source to device unicast, broadcast, and network-address destinations on the same or stepped ports, followed by ACL, line-vty, or service enablement and the first successful management session. SOC and detection teams should validate whether they can correlate source, destination type, port sequence or timing, configuration-change events, and management-login success on network devices. No ATT&CK tactic, relationship context, or official detection logic was supplied, so implementation should be treated as environment-specific analytic engineering rather than a complete rule.

Likely telemetry

  • Network device traffic or flow records involving management-plane reachable interfaces
  • Router and switch logs showing configuration changes, including ACL, line-vty, or service enablement
  • Management session authentication logs showing first successful access after a change
  • Source IP, destination address type, destination port, and timestamp data sufficient for sequence correlation
  • Change-management or administrative activity records for network infrastructure

Detection direction

  • Validate that telemetry can distinguish traffic to device unicast, broadcast, and network-address targets where applicable.
  • Correlate suspicious pre-access traffic patterns with subsequent management-plane configuration changes and first successful management sessions.
  • Tune for legitimate administrative workflows, scanning, monitoring systems, and approved change windows to reduce false positives.
  • Prioritize high-confidence alerts when the same source appears in both the pre-change access pattern and the first management session success.
  • Document blind spots where network devices do not export sufficient traffic, configuration, or authentication logs.
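The telemetry list and detection direction above describe one correlation chain: a per-source knock across unicast, broadcast and network-address destinations on same or stepped ports, then an ACL/line-vty/service enablement on the device, then the first successful management session. The following Python is an added illustration of that chain and is not MITRE's or Glexia's detection logic. The normalized event shape, field names (`dst_kind`, `change`, `result`), the `approved_sources` allowlist and the sample records are all constructed assumptions; real flow, syslog and AAA records would need to be mapped onto them first.

```python
"""Correlate knock -> mgmt enablement -> first mgmt session success on a network device.

Added example for the AN0845 analytic description; not MITRE's or Glexia's code.
The event schema and sample records below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KNOCK_KINDS = {"unicast", "broadcast", "network"}       # all three must be touched by one source
ENABLE_CHANGES = {"acl", "line-vty", "service"}          # management-plane enablement changes

# Constructed sample telemetry in an assumed normalized form (ISO timestamps).
EVENTS = [
    # Knock: one source touches the device unicast, the subnet broadcast and the
    # network address of 10.0.0.0/24 on stepped ports 2000, 2001, 2002.
    {"ts": "2026-01-10T09:00:00", "type": "flow", "src": "198.51.100.7",
     "dst": "10.0.0.1", "dst_kind": "unicast", "dport": 2000, "device": "rtr-edge-1"},
    {"ts": "2026-01-10T09:00:02", "type": "flow", "src": "198.51.100.7",
     "dst": "10.0.0.255", "dst_kind": "broadcast", "dport": 2001, "device": "rtr-edge-1"},
    {"ts": "2026-01-10T09:00:04", "type": "flow", "src": "198.51.100.7",
     "dst": "10.0.0.0", "dst_kind": "network", "dport": 2002, "device": "rtr-edge-1"},
    # Management-plane enablement on the same device shortly afterwards.
    {"ts": "2026-01-10T09:01:30", "type": "config_change", "device": "rtr-edge-1",
     "change": "line-vty", "detail": "transport input ssh"},
    # First successful management session on that device, from the knocking source.
    {"ts": "2026-01-10T09:02:10", "type": "mgmt_login", "device": "rtr-edge-1",
     "src": "198.51.100.7", "result": "success", "proto": "ssh"},
    # Benign noise: a monitoring poll (unicast only) and an approved admin login elsewhere.
    {"ts": "2026-01-10T10:00:00", "type": "flow", "src": "10.0.5.5",
     "dst": "10.0.1.1", "dst_kind": "unicast", "dport": 161, "device": "sw-core-2"},
    {"ts": "2026-01-10T10:05:00", "type": "mgmt_login", "device": "sw-core-2",
     "src": "10.0.5.9", "result": "success", "proto": "ssh"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def ports_same_or_stepped(ports):
    """True when the ports, in arrival order, are all equal or form one fixed step (e.g. 2000,2001,2002)."""
    if len(ports) < 2:
        return False
    diffs = {b - a for a, b in zip(ports, ports[1:])}
    return len(diffs) == 1          # a single common difference; 0 means "same port"


def find_knocks(events, window=timedelta(minutes=5), approved_sources=frozenset()):
    """Per (src, device), report the first window in which one source hit all three address kinds."""
    flows = defaultdict(list)
    for e in events:
        if e["type"] == "flow" and e["src"] not in approved_sources:
            flows[(e["src"], e["device"])].append(e)
    knocks = []
    for (src, device), recs in flows.items():
        recs.sort(key=_ts)
        found = False
        for i, start in enumerate(recs):
            kinds, ports = set(), []
            for rec in recs[i:]:
                if _ts(rec) - _ts(start) > window:
                    break
                kinds.add(rec["dst_kind"])
                ports.append(rec["dport"])
                if kinds >= KNOCK_KINDS and ports_same_or_stepped(ports):
                    knocks.append({"src": src, "device": device, "start": _ts(start),
                                   "end": _ts(rec), "ports": list(ports)})
                    found = True
                    break
            if found:
                break
    return knocks


def first_successful_login(events, device, after):
    """Return the device's first successful mgmt session only if it occurs after `after`."""
    logins = sorted((e for e in events if e["type"] == "mgmt_login"
                     and e["device"] == device and e["result"] == "success"), key=_ts)
    if logins and _ts(logins[0]) >= after:
        return logins[0]
    return None                      # an earlier success exists, or none at all


def correlate(events, window=timedelta(minutes=30), approved_sources=frozenset()):
    """Chain knock -> enablement change -> first mgmt success; same source in both ends is high confidence."""
    alerts = []
    for k in find_knocks(events, approved_sources=approved_sources):
        changes = [e for e in events if e["type"] == "config_change" and e["device"] == k["device"]
                   and e["change"] in ENABLE_CHANGES and k["end"] <= _ts(e) <= k["end"] + window]
        for ch in changes:
            login = first_successful_login(events, k["device"], _ts(ch))
            if login and _ts(login) - _ts(ch) <= window:
                alerts.append({"device": k["device"], "knock_src": k["src"], "ports": k["ports"],
                               "change": ch["change"], "login_src": login["src"],
                               "confidence": "high" if login["src"] == k["src"] else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Two design points match the tuning bullets above: `approved_sources` is where known scanners and monitoring hosts are excluded before the knock check, and `first_successful_login` deliberately returns nothing when the device already had an earlier successful session, so the rule fires on the first management success after enablement rather than on every login.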

Mitigation priorities

  • Restrict and monitor management-plane access to routers and switches using approved administrative paths only.
  • Ensure configuration changes to ACLs, line-vty settings, and management services are logged and reviewed.
  • Maintain change-control evidence so SOC teams can separate approved enablement from suspicious activity.
  • Centralize network device authentication and configuration telemetry where feasible.
  • Test incident response procedures for suspected unauthorized network-device management access.

Analyst notes and limits

This object is an ATT&CK detection analytic, not a technique. It has no supplied relationships and no official detection text beyond the description. The business value is strongest where network infrastructure devices are critical to segmentation, availability, remote administration, or compliance evidence.

Tactics are not specified, relationships are not supplied, and MITRE did not provide detailed detection logic in the supplied fields. Local device models, logging configuration, address design, management access patterns, and change-management practices are required to make this analytic reliable.

Official MITRE ATT&CK definition

Analytic 0845

Router/switch receives a knock pattern (same src touches device unicast, broadcast, and network-address on same or stepped ports) followed by ACL/line-vty/service enable and the first mgmt session success.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6becdcc35f7ad47c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 6becdcc35f7a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0845 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.