AN0936: Analytic 0936
Execution of `erase`, `format`, and `reload` in immediate sequence from a privileged AAA session
Analyst context for executives and security teams
This analytic matters because it points to a destructive administrative sequence on network devices: privileged AAA activity that runs erase, format, and reload in immediate succession. For executives and security leaders, the business issue is not just command execution; it is the potential loss or disruption of routing, switching, or other network infrastructure if such commands are unauthorized or poorly controlled.
Executive priority
Prioritize this as a resilience and privileged-access governance question for network infrastructure. Leaders should ask whether privileged network-device sessions are centrally authenticated, logged, retained, and reviewed; whether emergency changes are distinguishable from unauthorized destructive activity; and whether incident responders have current recovery procedures for device configuration loss or reload events. This can also support audit evidence around administrative accountability and change control, but local logging and AAA coverage determine usefulness.
Technical view
SOC and IR teams should validate whether network-device AAA logs capture privileged session identity, command accounting, timestamps, device identity, source address, and command order closely enough to identify an immediate erase, format, and reload sequence. Because the official object provides no detection logic and no tactic mapping, teams should treat this as a detection validation prompt rather than a complete rule. The key technical test is whether command accounting can reconstruct the sequence from a single privileged session across the network devices in scope.
Likely telemetry
- AAA authentication, authorization, and accounting records for network devices
- Privileged command accounting logs showing erase, format, and reload commands
- Network device syslog or management-plane logs
- Session metadata such as administrator identity, source address, device name, privilege level, and timestamps
- Change-management records or maintenance-window evidence for expected administrative activity
Detection direction
- Confirm that command accounting is enabled for privileged network-device sessions, not only login/logout events.
- Correlate erase, format, and reload commands by same session, user, device, and close timestamp proximity.
- Tune for authorized maintenance and break-glass procedures to reduce false positives while preserving high-priority review of destructive command sequences.
- Validate timestamp accuracy and log retention for network devices, because sequence-based analytics are weak if clocks, forwarding, or retention are inconsistent.
- Review blind spots where local console access, unmanaged devices, incomplete AAA integration, or missing command accounting could bypass the analytic.
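One way to implement the correlation described in the detection bullets above, as an added example that is not part of the ATT&CK object (which supplies no detection logic) and not Glexia's own tooling. It groups command-accounting records by device, user, and session, looks for erase, format, and reload in that order within a short window, and demotes rather than suppresses matches that fall inside a documented maintenance window. The key=value line layout, the field names, the 120-second bound for "immediate", the privilege-15 threshold, and every log line and maintenance window below are constructed assumptions; adapt them to the accounting format your AAA server actually emits.

```python
"""Added example: reconstruct an erase -> format -> reload sequence from AAA
command-accounting records. Not from the ATT&CK object (which carries no
detection logic). Line format, field names, window and threshold are assumed."""
from dataclasses import dataclass
from datetime import datetime
import re

WINDOW_SECONDS = 120          # assumed bound for "immediate": erase to reload
PRIVILEGED_LEVEL = 15         # assumed privilege level for destructive commands
SEQUENCE = ("erase", "format", "reload")

# Constructed accounting lines in an assumed key=value layout, one command each.
# Session 7777: full sequence but 30 minutes apart (exceeds window, no alert).
# Session 4412: full sequence in 25 seconds (alert, high).
# Session 9001: full sequence with a read-only command interleaved, inside an
#               approved maintenance window (alert, demoted to review).
# Session 5120: reload alone after saving config (no alert).
SAMPLE_LOG = """\
2024-05-01T01:00:00Z device=lab-rtr-03 user=netadmin src=10.0.5.23 session=7777 priv=15 cmd="erase startup-config"
2024-05-01T01:30:00Z device=lab-rtr-03 user=netadmin src=10.0.5.23 session=7777 priv=15 cmd="format flash:"
2024-05-01T01:30:10Z device=lab-rtr-03 user=netadmin src=10.0.5.23 session=7777 priv=15 cmd="reload"
2024-05-01T02:14:03Z device=core-rtr-01 user=netadmin src=10.0.5.23 session=4412 priv=15 cmd="show running-config"
2024-05-01T02:14:30Z device=core-rtr-01 user=netadmin src=10.0.5.23 session=4412 priv=15 cmd="erase startup-config"
2024-05-01T02:14:41Z device=core-rtr-01 user=netadmin src=10.0.5.23 session=4412 priv=15 cmd="format flash:"
2024-05-01T02:14:55Z device=core-rtr-01 user=netadmin src=10.0.5.23 session=4412 priv=15 cmd="reload"
2024-05-01T03:00:10Z device=edge-sw-07 user=noc-oncall src=10.0.9.8 session=9001 priv=15 cmd="erase startup-config"
2024-05-01T03:00:20Z device=edge-sw-07 user=noc-oncall src=10.0.9.8 session=9001 priv=15 cmd="show flash:"
2024-05-01T03:00:31Z device=edge-sw-07 user=noc-oncall src=10.0.9.8 session=9001 priv=15 cmd="format flash:"
2024-05-01T03:00:40Z device=edge-sw-07 user=noc-oncall src=10.0.9.8 session=9001 priv=15 cmd="reload"
2024-05-01T05:00:00Z device=dist-sw-02 user=netops src=10.0.7.4 session=5120 priv=15 cmd="copy running-config startup-config"
2024-05-01T05:00:15Z device=dist-sw-02 user=netops src=10.0.7.4 session=5120 priv=15 cmd="reload"
"""

# Constructed change-management evidence: (device, user, window start, window end).
APPROVED_WINDOWS = [
    ("edge-sw-07", "noc-oncall", datetime(2024, 5, 1, 2, 30), datetime(2024, 5, 1, 4, 0)),
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Record:
    ts: datetime
    device: str
    user: str
    src: str
    session: str
    priv: int
    cmd: str


def parse_line(line: str) -> Record:
    """Parse one assumed-format accounting line: '<timestamp> key=value ...'."""
    ts_text, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return Record(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        device=fields["device"], user=fields["user"], src=fields["src"],
        session=fields["session"], priv=int(fields["priv"]), cmd=fields["cmd"],
    )


def base_command(cmd: str) -> str:
    """First token, lowercased. Vendor syntax variations would extend this map."""
    return cmd.split()[0].lower()


def find_sequences(lines, approved_windows=(), window=WINDOW_SECONDS):
    """Return one alert per privileged session that runs SEQUENCE in order
    with no more than `window` seconds between the first and last command.
    Intervening non-destructive commands do not break the match."""
    sessions = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.priv < PRIVILEGED_LEVEL:
            continue
        sessions.setdefault((rec.device, rec.user, rec.session), []).append(rec)

    alerts = []
    for (device, user, session), recs in sessions.items():
        recs.sort(key=lambda r: r.ts)          # order by the device's own clock
        destructive = [r for r in recs if base_command(r.cmd) in SEQUENCE]
        for i in range(len(destructive) - len(SEQUENCE) + 1):
            run = destructive[i:i + len(SEQUENCE)]
            if tuple(base_command(r.cmd) for r in run) != SEQUENCE:
                continue
            span = (run[-1].ts - run[0].ts).total_seconds()
            if span > window:
                continue
            approved = any(
                d == device and u == user and start <= run[0].ts and run[-1].ts <= end
                for d, u, start, end in approved_windows
            )
            alerts.append({
                "device": device, "user": user, "session": session, "src": run[0].src,
                "first": run[0].ts.isoformat(), "last": run[-1].ts.isoformat(),
                "span_seconds": span, "commands": [r.cmd for r in run],
                # Approved maintenance lowers priority but keeps the record for review.
                "severity": "review" if approved else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_sequences(SAMPLE_LOG.splitlines(), APPROVED_WINDOWS):
        print(alert)
```

The grouping key deliberately includes the session identifier, so the same user running the three commands from two separate logins does not match; whether that is the right boundary is a local tuning choice. Because the ordering relies entirely on device timestamps, the clock and retention caveat in the bullets above applies directly: a device with a skewed clock or a dropped accounting record will simply never produce the run this function looks for.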
Mitigation priorities
- Enforce centralized AAA for network-device administration where applicable.
- Restrict destructive commands to tightly controlled privileged roles and approved operational procedures.
- Require change approval and maintenance-window documentation for device erase, format, or reload activity.
- Ensure resilient collection and retention of network-device administrative logs.
- Maintain tested recovery procedures and current configuration backups for network devices.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and its official description is limited to the immediate sequence of erase, format, and reload from a privileged AAA session. There are no supplied relationships, tactic mappings, aliases, labels, or official detection text. The practical value is in using the object to verify whether network-device administrative telemetry can support sequence-based detection and incident review.
This take is limited to the supplied STIX fields and external reference. It does not establish adversary attribution, active exploitation, impact, or guaranteed detection. Local device types, AAA configuration, command syntax variations, logging fidelity, and change-management practices are required to determine coverage and alert quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0161cdb4d639… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0936
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.