AN0893: Analytic 0893
Execution of commands disabling AAA, logging, or security features on routers/switches. Detect privilege escalation followed by config changes that disable defense mechanisms.
Analyst context for executives and security teams
This analytic focuses on network devices where an administrator-level action disables core defensive controls such as AAA, logging, or other security features on routers and switches. For leaders, the significance is resilience: if these controls are turned off, identity accountability, audit evidence, and SOC visibility can degrade quickly during an incident or operational change.
Executive priority
Treat this as a control-assurance and incident-readiness priority for network infrastructure. Executives and risk owners should ask whether changes to AAA, logging, and security-related configuration on routers and switches are monitored, approved, and recoverable. The business risk is not just unauthorized access; it is loss of evidence and reduced ability to determine what happened during an outage, compromise, or compliance review.
Technical view
The supplied ATT&CK object describes detection of privilege escalation followed by configuration changes that disable defensive mechanisms on network devices. SOC, IR, and network engineering teams should validate whether they can correlate administrative privilege changes or elevated sessions with subsequent configuration commands that disable AAA, logging, or security features. Because no official detection logic is provided, local implementation must be based on available network-device logs, configuration-change records, authentication/authorization events, and change-management context.
Likely telemetry
- Network device authentication and authorization events
- AAA configuration change logs
- Router and switch command accounting records, where available
- Configuration archive or configuration-diff records
- Syslog or equivalent network-device logging streams
Detection direction
- Validate that routers and switches send logs to a centralized location before relying on device-local evidence, because the behavior of interest may disable logging itself.
- Correlate privilege escalation or elevated administrative access with configuration changes that disable AAA, logging, or security controls.
- Tune detections against approved maintenance activity to reduce false positives, but require strong evidence for any change that weakens authentication, authorization, accounting, or logging.
- Alert on unexpected loss or reduction of network-device logging, especially when paired with administrative access or configuration modification.
- Confirm coverage across supported platform scope: Network Devices. Do not assume endpoint, cloud, or identity-platform telemetry will observe this behavior unless integrated with network-device administration logs.
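The correlation described in the detection direction above, as an added example that is not part of the original analytic or of Glexia's content: a small Python correlator that reads constructed syslog lines written in a Cisco IOS-like message format (the sample lines, hostnames, addresses and usernames are all made up for this example), remembers each user's most recent escalation to privilege level 15 per device, and rates any later command that weakens AAA, logging, or another security feature. The set of "weakening" command patterns and the 30-minute window are assumptions to be tuned per platform; a weakening command with no observed escalation is still reported at lower severity, because the escalation event itself may have gone unlogged.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample syslog lines in a Cisco IOS-like message format. They are
# illustrative only and were not captured from a real device.
SAMPLE_LOGS = [
    "2024-05-01T10:00:02Z rtr-edge-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jdoe] [Source: 10.10.20.5] [localport: 22]",
    "2024-05-01T10:00:10Z rtr-edge-1 %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by jdoe on vty0 (10.10.20.5)",
    "2024-05-01T10:00:31Z rtr-edge-1 %PARSER-5-CFG_LOG_LOGGEDCMD: User:jdoe logged command:no aaa new-model",
    "2024-05-01T10:00:40Z rtr-edge-1 %PARSER-5-CFG_LOG_LOGGEDCMD: User:jdoe logged command:no logging host 10.10.50.20",
    "2024-05-01T11:15:00Z sw-core-2 %PARSER-5-CFG_LOG_LOGGEDCMD: User:netops logged command:interface GigabitEthernet1/0/12",
    "2024-05-01T11:15:05Z sw-core-2 %PARSER-5-CFG_LOG_LOGGEDCMD: User:netops logged command:description uplink to rtr-edge-1",
    "2024-05-01T15:42:00Z sw-core-2 %PARSER-5-CFG_LOG_LOGGEDCMD: User:svc-backup logged command:no logging buffered",
]

# "<timestamp> <host> %FACILITY-SEV-MNEMONIC: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s*(?P<msg>.*)$"
)
# Privilege escalation message and command-accounting message bodies.
PRIV_RE = re.compile(r"Privilege level set to (?P<level>\d+) by (?P<user>\S+)")
CMD_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")

# Commands that weaken a defensive control, mapped to the control they affect.
# These patterns are an assumption for this example; extend them per platform.
WEAKENING = [
    (re.compile(r"^no aaa\b"), "AAA"),
    (re.compile(r"^no logging\b"), "logging"),
    (re.compile(r"^no service password-encryption\b"), "security feature"),
    (re.compile(r"^no ip ssh\b"), "security feature"),
]


@dataclass
class Alert:
    host: str
    user: str
    time: datetime
    command: str
    control: str
    severity: str
    escalated_at: Optional[datetime]  # set only when a recent escalation was seen


def classify(cmd: str) -> Optional[str]:
    """Return the defensive control a command weakens, or None if it is benign."""
    for pattern, control in WEAKENING:
        if pattern.search(cmd):
            return control
    return None


def parse_ts(raw: str) -> datetime:
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def detect(lines, window: timedelta = timedelta(minutes=30)):
    """Correlate privilege escalation with later control-weakening commands.

    A weakening command by the same user on the same device within `window`
    of an escalation to level 15 is rated high; without an observed
    escalation it is still reported as medium.
    """
    last_escalation = {}  # (host, user) -> time of most recent escalation
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        ts, host, msg = parse_ts(m["ts"]), m["host"], m["msg"]
        priv = PRIV_RE.search(msg)
        if priv and int(priv["level"]) >= 15:
            last_escalation[(host, priv["user"])] = ts
            continue
        cmd_match = CMD_RE.search(msg)
        if not cmd_match:
            continue
        cmd = cmd_match["cmd"].strip()
        control = classify(cmd)
        if control is None:
            continue
        user = cmd_match["user"]
        esc = last_escalation.get((host, user))
        recent = esc is not None and timedelta(0) <= ts - esc <= window
        alerts.append(Alert(host, user, ts, cmd, control,
                            "high" if recent else "medium", esc if recent else None))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"[{a.severity:6}] {a.time.isoformat()} {a.host} user={a.user} "
              f"control={a.control} cmd={a.command!r}")
```

Because the behaviour of interest can remove the very logging this correlator depends on, it only works when the device forwards to a central collector before the change; pairing it with a heartbeat check for devices that stop sending syslog covers the case where the command-accounting message never arrives.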
Mitigation priorities
- Establish hardened baseline configurations for AAA, logging, and security features on routers and switches.
- Require controlled, auditable change processes for disabling or weakening network-device defensive controls.
- Centralize network-device logs and configuration-change evidence so records survive local device configuration changes.
- Restrict and review privileged administrative access to network devices.
- Maintain configuration backups and compare current device state against approved baselines after security events or suspicious administrative activity.
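The last mitigation, comparing current device state against an approved baseline, as an added example that is not part of the original analytic or of Glexia's content: a Python drift check that normalizes two Cisco IOS-like configurations (both constructed for this example, including the hostnames and the collector address), reports statements removed from or added to the approved baseline, and isolates the subset that weakens AAA, logging, or a security feature. The prefix list used to decide which statements count as defensive is an assumption to be adapted to the platform in use.

```python
from dataclasses import dataclass
from typing import List, Set

# Constructed approved baseline in a Cisco IOS-like syntax (sample data only).
APPROVED_CONFIG = """\
hostname rtr-edge-1
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
service password-encryption
logging buffered 64000
logging host 10.10.50.20
logging trap informational
archive
 log config
  logging enable
  hidekeys
interface GigabitEthernet0/0
 description uplink
"""

# Constructed current running config after a suspicious administrative session.
CURRENT_CONFIG = """\
hostname rtr-edge-1
no aaa new-model
service password-encryption
logging buffered 64000
logging trap informational
archive
 log config
  logging enable
  hidekeys
interface GigabitEthernet0/0
 description uplink to sw-core-2
"""

# Statement prefixes treated as defensive controls (an assumption for this example).
DEFENSIVE_PREFIXES = ("aaa ", "logging ", "service password-encryption",
                      "archive", "log config", "ip ssh ", "login on-")


@dataclass(frozen=True)
class Drift:
    change: str      # "added" or "removed" relative to the approved baseline
    statement: str
    defensive: bool  # statement configures AAA, logging, or a security feature


def normalize(config: str) -> Set[str]:
    """Collapse indentation and blank lines so statements compare as strings."""
    return {line.strip() for line in config.splitlines() if line.strip()}


def is_defensive(stmt: str) -> bool:
    body = stmt[3:] if stmt.startswith("no ") else stmt
    return body.startswith(DEFENSIVE_PREFIXES)


def compare_to_baseline(approved: str, current: str) -> List[Drift]:
    """Return every statement that differs between baseline and current state."""
    base, now = normalize(approved), normalize(current)
    drift = [Drift("removed", s, is_defensive(s)) for s in sorted(base - now)]
    drift += [Drift("added", s, is_defensive(s)) for s in sorted(now - base)]
    return drift


def defensive_regressions(drift: List[Drift]) -> List[Drift]:
    """Defensive statements that were removed, or explicit 'no ...' forms added."""
    return [d for d in drift
            if d.defensive and (d.change == "removed" or d.statement.startswith("no "))]


if __name__ == "__main__":
    drift = compare_to_baseline(APPROVED_CONFIG, CURRENT_CONFIG)
    for d in drift:
        flag = "DEFENSIVE" if d.defensive else "other"
        print(f"{d.change:7} [{flag}] {d.statement}")
    print(f"{len(defensive_regressions(drift))} defensive regressions to review")
```

Stripping indentation makes the comparison robust to reordering but discards nesting context, so a statement that is legitimate under one interface and suspicious under another will need a section-aware parser; for the AAA and logging statements the analytic cares about, which are global, the flat comparison is sufficient.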
Analyst notes and limits
This object is a detection analytic, not a technique, and it has no supplied tactic mapping or relationship context. Its strongest operational value is as a validation prompt: can the organization prove when network-device defensive controls are disabled, by whom, from where, and under what approval?
Official detection content is not provided, and no relationships are supplied. This analysis is therefore limited to the official description, platform scope, and external reference. Local device types, logging capabilities, AAA design, and change-management data are required to build reliable detections.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6daa8c247025… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0893
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.