AN0907: Analytic 0907
Detects interactive or automated use of CLI commands like `show ip sockets`, `show tcp brief`, or SNMP queries for active sessions on routers/switches.
Analyst context for executives and security teams
Analytic 0907 is about spotting attempts to inspect active sessions on network devices using router/switch CLI commands such as `show ip sockets` or `show tcp brief`, or equivalent SNMP queries. For leaders, the value is not the command names themselves; it is whether the organization can see when someone is interactively or automatically enumerating live connections on critical network infrastructure.
Executive priority
Network devices are control points for business connectivity. If defenders cannot observe administrative command use or SNMP-based session queries on routers and switches, incident responders may miss early evidence of reconnaissance against the network layer. This analytic should prompt questions about network-device logging coverage, privileged access governance, SNMP monitoring, and whether SOC processes include infrastructure telemetry rather than only endpoint and cloud logs.
Technical view
For SOC and detection teams, validate whether network-device command accounting, administrative session logs, and SNMP query telemetry are collected from routers and switches. The supplied ATT&CK object does not provide a full detection rule, tactic, or relationship context, so teams should treat this as a coverage-validation analytic: can you identify interactive or automated use of commands like `show ip sockets` and `show tcp brief`, and can you distinguish expected network administration from unusual session-enumeration activity?
Likely telemetry
- Network device CLI command logs or command accounting records
- Administrative login/session logs from routers and switches
- SNMP query logs where available
- Network management system activity records
- AAA/TACACS+/RADIUS records associated with network-device administration
Detection direction
- Confirm that command-level logging is enabled for supported network devices and is forwarded to the SOC or SIEM.
- Look for CLI activity involving active-session inspection commands such as `show ip sockets` or `show tcp brief`, consistent with the official analytic description.
- Where SNMP logging is available, validate visibility into queries that enumerate active sessions on routers or switches.
- Tune detections against known network operations workflows to reduce false positives from authorized troubleshooting.
- Correlate command or SNMP activity with administrator identity, source system, device role, and time of day to identify unusual use.
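As an added illustration of the detection direction above and of the coverage question in the technical view, not part of the ATT&CK object or Glexia's page: a small Python script that runs over constructed command-accounting records, matches the two commands the analytic names, and correlates each hit with administrator identity, source address and time of day. The record layout, the admin allowlist, the management network and the business-hours window are assumed placeholders, not any vendor's format or any real environment.

```python
import ipaddress
import re

# Constructed command-accounting records in a simplified key=value layout
# (not any vendor's exact log format); cmd is always the last field.
SAMPLE_LOGS = [
    "Jan 10 09:15:02 core-rtr-01 user=netops1 rem_addr=10.10.1.5 cmd=show ip interface brief",
    "Jan 10 09:16:10 core-rtr-01 user=netops1 rem_addr=10.10.1.5 cmd=show tcp brief",
    "Jan 10 23:41:37 dist-sw-02 user=svc_backup rem_addr=192.168.50.23 cmd=show ip sockets",
    "Jan 10 23:42:01 dist-sw-02 user=svc_backup rem_addr=192.168.50.23 cmd=show tcp brief",
]
RECORD_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<device>\S+) "
                       r"user=(?P<user>\S+) rem_addr=(?P<src>\S+) cmd=(?P<cmd>.+)$")
# Active-session inspection commands named by the analytic.
SESSION_ENUM_RE = re.compile(r"^show\s+(ip\s+sockets|tcp\s+brief)\b", re.IGNORECASE)
# Assumed local context (placeholder values): approved admins, management net, hours.
APPROVED_ADMINS = {"netops1", "netops2"}
MGMT_NETS = [ipaddress.ip_network("10.10.1.0/24")]
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59

def parse_record(line):
    """Parse one accounting record into a dict (None if it does not match)."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = int(rec["ts"].split()[2][:2])  # hour of day from the HH:MM:SS field
    return rec

def anomaly_reasons(rec):
    """Correlate identity, source system and time of day; list what is unusual."""
    reasons = []
    if rec["user"] not in APPROVED_ADMINS:
        reasons.append("unapproved_admin")
    if not any(ipaddress.ip_address(rec["src"]) in net for net in MGMT_NETS):
        reasons.append("source_outside_mgmt_net")
    if rec["hour"] not in BUSINESS_HOURS:
        reasons.append("outside_business_hours")
    return reasons

def analyze(lines):
    """Flag session-enumeration commands; 'alert' when correlation adds anomalies."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or not SESSION_ENUM_RE.match(rec["cmd"]):
            continue  # other commands, or unparseable lines, produce no finding
        reasons = anomaly_reasons(rec)
        findings.append({"device": rec["device"], "user": rec["user"], "cmd": rec["cmd"],
                         "severity": "alert" if reasons else "review", "reasons": reasons})
    return findings
```

Authorized use of the named commands still produces a low-priority "review" entry, so the allowlists tune the severity rather than hide the activity.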
Mitigation priorities
- Prioritize centralized logging for network-device administrative activity before relying on this analytic operationally.
- Restrict network-device administrative access to approved users, management networks, and authenticated workflows.
- Review SNMP exposure and monitoring practices, including whether queries are attributable to approved management systems.
- Ensure incident response playbooks include collection and review of router/switch command history and management-plane access logs.
- Use the analytic as compliance and audit evidence only where the organization can demonstrate retained logs, alert logic, and investigation procedures.
Analyst notes and limits
This object is a detection analytic for Network Devices in the enterprise ATT&CK domain. It specifically names CLI commands and SNMP queries used to inspect active sessions on routers and switches. No tactics, relationships, aliases, or official detection logic were supplied, so the practical emphasis is on telemetry readiness and analytic validation rather than a complete rule implementation.
The official detection field is not provided, and no relationship context is supplied. This analysis cannot infer adversary intent, active exploitation, affected vendors, specific ATT&CK techniques, or guaranteed detection outcomes. Local device models, logging configuration, SNMP architecture, and administrative workflows are required to operationalize the analytic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9a29aeba3324… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0907
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.