AN1044: Analytic 1044
Execution of file discovery commands (e.g., 'dir', 'show flash', 'nvram:') from CLI interfaces, especially by unauthorized users or from abnormal source IPs.
Analyst context for executives and security teams
Analytic 1044 focuses on spotting file-discovery commands run from command-line interfaces on network devices, such as commands that list local storage or configuration-related file areas. For leaders, the practical issue is control of network infrastructure: unexpected file discovery can be an early signal that someone is exploring a device after gaining access, validating what files exist, or preparing for follow-on activity. Its value is highest where network devices are critical to business connectivity and where administrative access patterns are not well baselined.
Executive priority
Prioritize this as a network infrastructure visibility and governance question: can the organization prove who is using CLI access on network devices, from where, and whether commands are normal for that role? This supports incident decision-making, compliance evidence around privileged administration, and resilience planning for critical routing, switching, or perimeter infrastructure. Because no tactic or relationship context is supplied, treat this analytic as a focused control-validation item rather than a complete risk story by itself.
Technical view
Validate whether CLI command activity from network devices is logged with enough detail to identify file discovery commands such as 'dir', 'show flash', and references to 'nvram:'. Detection engineering should focus on command execution events, authenticated user context, source IP, device identity, and deviations from known administrative behavior. Since the official detection field is not provided, teams should build or review logic around unauthorized users, abnormal source IPs, and unusual CLI file enumeration on the supported platform: Network Devices.
Likely telemetry
- Network device CLI command accounting or command history logs
- Authentication and authorization records for network device administrative sessions
- Source IP and session metadata for CLI access
- Device identity, hostname, and management interface logs
- Centralized syslog or network infrastructure log collection
Detection direction
- Confirm that network devices send CLI command telemetry to a central logging platform and that file discovery commands are retained in searchable form.
- Tune detections against expected administrator activity, approved management networks, and normal maintenance windows to reduce false positives.
- Prioritize alerts where file discovery commands are run by unauthorized users, newly observed accounts, or from abnormal source IPs, as described in the official description.
- Check blind spots around devices that do not log command-level activity, logs stored only locally, shared administrator accounts, or incomplete source-IP attribution.
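The detection direction above (file-discovery commands on network-device CLIs, weighted by who ran them and from where) can be turned into a small, testable triage routine. The block below is an added example for this page, not the ATT&CK object's own detection logic or any Glexia tooling. The log shape (a `key=value` accounting record per command), the device and account names, the management network `10.20.0.0/24`, and the sample records are all constructed assumptions; the `show bootflash` pattern is an added generalization of the same IOS `show flash` command family. Adapt the record regex to what your TACACS+/RADIUS accounting server or syslog collector actually emits.

```python
"""Triage file-discovery commands from network-device CLI accounting logs.

Added example (not from the ATT&CK analytic or Glexia). Log format,
accounts, and the management network below are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample accounting records in an assumed key=value shape.
SAMPLE_LOG = """\
Mar 11 09:14:02 rtr-edge-01 aaa: user=netops-jdoe src=10.20.0.15 priv=15 cmd="show version"
Mar 11 09:14:09 rtr-edge-01 aaa: user=netops-jdoe src=10.20.0.15 priv=15 cmd="dir flash:"
Mar 11 09:31:44 rtr-edge-01 aaa: user=svc-backup src=10.20.0.40 priv=15 cmd="show flash:"
Mar 11 11:02:17 rtr-edge-01 aaa: user=admin src=203.0.113.77 priv=15 cmd="dir nvram:"
Mar 11 11:02:25 rtr-edge-01 aaa: user=admin src=203.0.113.77 priv=15 cmd="more nvram:startup-config"
Mar 11 11:05:01 rtr-edge-01 aaa: user=contractor9 src=10.20.0.99 priv=15 cmd="show bootflash:"
Mar 11 11:07:30 rtr-edge-01 aaa: user=netops-jdoe src=10.20.0.15 priv=15 cmd="show ip interface brief"
"""

# Assumed baseline: accounts allowed to run CLI commands on network devices,
# and the approved management network they should come from.
AUTHORIZED_USERS = {"netops-jdoe", "svc-backup"}
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# One accounting record per line (assumed format).
RECORD_RE = re.compile(
    r'^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<device>\S+) aaa: '
    r'user=(?P<user>\S+) src=(?P<src>\S+) priv=(?P<priv>\d+) cmd="(?P<cmd>[^"]*)"$'
)

# File-discovery commands named by the analytic: 'dir', 'show flash', and any
# reference to the nvram: filesystem. 'show bootflash' is an added
# generalization of the same command family.
FILE_DISCOVERY_RE = re.compile(
    r'^dir\b|^show\s+(?:boot)?flash\b|\bnvram:', re.IGNORECASE
)


@dataclass
class Finding:
    device: str
    user: str
    src: str
    cmd: str
    severity: str            # "high", "medium", or "low"
    reasons: tuple           # why the record was escalated (empty for baseline)


def parse_records(text):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            yield m.groupdict()


def in_management_net(src):
    """True if src parses as an IP inside an approved management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def evaluate(text, authorized_users=AUTHORIZED_USERS):
    """Return one Finding per file-discovery command, scored by user and source.

    Both an unknown account and an off-network source -> high; one of the
    two -> medium; an authorized user on the management network -> low
    (retained as baseline evidence, not raised as an alert).
    """
    findings = []
    for rec in parse_records(text):
        if not FILE_DISCOVERY_RE.search(rec["cmd"]):
            continue  # routine command, not file discovery
        reasons = []
        if rec["user"] not in authorized_users:
            reasons.append("unauthorized or newly observed account")
        if not in_management_net(rec["src"]):
            reasons.append("source IP outside approved management network")
        severity = "high" if len(reasons) == 2 else "medium" if reasons else "low"
        findings.append(Finding(rec["device"], rec["user"], rec["src"],
                                rec["cmd"], severity, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG):
        print(f"{f.severity:6} {f.device} {f.user}@{f.src}: {f.cmd} {list(f.reasons)}")
```

The "low" findings are deliberately kept rather than dropped: they are the evidence the mitigation list asks for (proof that file-discovery commands by legitimate administrators produce usable records), and they make it possible to check that the authorized-user and management-network baselines are actually correct before tuning alerts on them.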
Mitigation priorities
- Restrict network device CLI access to authorized administrators and approved management paths.
- Ensure command accounting, authentication logging, and centralized retention are enabled for network devices where supported.
- Review privileged access practices for network infrastructure, including unique administrator identities and source restrictions.
- Use periodic control testing to confirm that file discovery commands on network devices generate usable evidence for SOC and incident response workflows.
Analyst notes and limits
This object is a detection analytic for Network Devices with no supplied tactic, relationship context, or official detection logic. The most defensible use is to guide telemetry validation and detection tuning for CLI-based file discovery on network infrastructure.
The supplied ATT&CK fields do not provide tactic mapping, related techniques, mitigations, data components, or a formal detection query. Local device types, logging capabilities, administrator baselines, and access architecture are required to determine coverage and severity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3e73007cf420… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1044 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.