AN0885: Analytic 0885
Execution of CLI commands erasing file systems or storage (erase flash:, format disk, erase nvram:). Detect authentication events followed by destructive commands within the same privileged session.
Analyst context for executives and security teams
AN0885 is a detection analytic for network devices focused on privileged CLI sessions where authentication is followed by destructive storage or file-system erase activity. For leaders, the importance is operational resilience: if a router, switch, firewall, or similar network device has its storage or startup configuration erased, recovery can become slower and more manual unless access control, logging, backups, and incident procedures are already validated.
Executive priority
Treat this as a control-validation item for critical network infrastructure. Security leaders should ask whether privileged network-device sessions are attributable to named users, whether destructive administrative commands are logged centrally, and whether recovery evidence exists through configuration backups and tested restore procedures. This analytic also supports audit and incident-readiness conversations because it depends on proving that authentication events and privileged command activity can be correlated within the same session.
Technical view
For SOC, detection engineering, and IR teams, the core validation is whether network-device authentication events can be joined to privileged CLI command accounting in the same session. The analytic is scoped to Network Devices and references destructive file-system or storage commands such as erase or format activity against flash, disk, or NVRAM. Because no ATT&CK tactic, relationship context, or formal detection logic is supplied, teams should implement this as a high-severity behavioral correlation and tune it against known maintenance windows, authorized break-glass activity, and device lifecycle operations.
Likely telemetry
- Network-device authentication logs for privileged access
- CLI command accounting or session command logs
- Centralized syslog or management-plane logs from network devices
- Privileged session identifiers, usernames, source addresses, timestamps, and device identifiers
- Change-management or maintenance-window records for false-positive review
Detection direction
- Confirm that authentication events and CLI command activity can be correlated to the same privileged session, not just the same device or username.
- Alert on destructive storage, file-system, or NVRAM erase/format commands on network devices, with priority based on device criticality.
- Tune against expected administrative workflows such as approved decommissioning, lab work, break-fix maintenance, and scheduled replacement activities.
- Validate coverage for devices that do not forward full command accounting; absence of CLI telemetry is a material blind spot for this analytic.
- Preserve session context for incident response, including authenticated identity, source location, device role, time sequence, and any related configuration changes.
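The correlation described above, as an added example that is not part of the MITRE or Glexia analytic: it joins destructive CLI commands to the authentication event of the same session (not merely the same user or device), flags commands with no matching authentication as an attribution gap, and marks commands inside an approved maintenance window for change-management review. The syslog-like record format, field names, and maintenance-window structure are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample telemetry (not real device output): authentication and
# command-accounting records that share a session id, as the analytic requires.
SAMPLE_LOGS = """\
2024-03-01T02:10:05Z core-rtr-01 AUTHEN user=jdoe src=10.0.5.7 session=s100 result=PASS priv=15
2024-03-01T02:10:41Z core-rtr-01 CMD user=jdoe session=s100 cmd="show running-config"
2024-03-01T02:11:02Z core-rtr-01 CMD user=jdoe session=s100 cmd="erase nvram:"
2024-03-01T03:00:00Z edge-sw-07 AUTHEN user=netops src=10.0.9.2 session=s200 result=PASS priv=15
2024-03-01T03:00:30Z edge-sw-07 CMD user=netops session=s200 cmd="format disk0:"
2024-03-01T04:15:00Z core-rtr-02 CMD user=svc session=s300 cmd="erase flash:"
"""

# Constructed change-management record: device -> approved maintenance window.
MAINT_WINDOWS = {"edge-sw-07": (datetime(2024, 3, 1, 2, 30), datetime(2024, 3, 1, 4, 0))}

# Destructive storage / file-system commands named by the analytic.
DESTRUCTIVE = re.compile(r"^(erase|format)\s+(flash|disk\d*|nvram|bootflash)\b", re.I)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one record into timestamp, host, record kind and key=value fields."""
    ts, host, kind, rest = line.split(" ", 3)
    rec = {k: v.strip('"') for k, v in KV.findall(rest)}
    rec.update(ts=datetime.fromisoformat(ts.rstrip("Z")), host=host, kind=kind)
    return rec

def correlate(log_text, maint_windows):
    """Return one alert per destructive command, joined to its session's authentication."""
    sessions = {}  # session id -> successful privileged AUTHEN record
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["kind"] == "AUTHEN" and rec.get("result") == "PASS":
            sessions[rec["session"]] = rec
        elif rec["kind"] == "CMD" and DESTRUCTIVE.match(rec["cmd"]):
            # Join on session id, not merely on username or device.
            auth = sessions.get(rec["session"])
            win = maint_windows.get(rec["host"])
            alerts.append({
                "ts": rec["ts"], "host": rec["host"], "user": rec["user"],
                "session": rec["session"], "cmd": rec["cmd"],
                "attributed": auth is not None,  # False = authentication/accounting gap
                "auth_src": auth["src"] if auth else None,
                "in_maintenance_window": bool(win and win[0] <= rec["ts"] <= win[1]),
            })
    return alerts
```

Running `correlate(SAMPLE_LOGS, MAINT_WINDOWS)` yields three alerts: an attributed erase outside any window, a format inside an approved window, and an erase with no authentication record for its session.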
Mitigation priorities
- Require strong privileged-access governance for network devices, including named accounts or attributable access paths where feasible.
- Enable centralized logging for authentication and privileged CLI command activity on supported network devices.
- Restrict or tightly control use of destructive storage and configuration erase actions through administrative policy and role design.
- Maintain current network-device configuration backups and test restore procedures for critical infrastructure.
- Align alert handling with change-management records so authorized maintenance can be distinguished from suspicious destructive activity.
Analyst notes and limits
The decision value of AN0885 is in proving session-level visibility over privileged network-device administration. It is especially useful for readiness assessments because many environments collect device syslog but not complete command accounting, which can prevent reliable confirmation of who issued a destructive command and whether it was authorized.
The supplied ATT&CK object provides a concise description but no formal detection logic, tactics, mitigations, relationships, or adversary context. Local device types, logging capabilities, administrative workflows, and change records are required to determine severity, tuning, and actual coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5d9a47c88932… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0885 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.