AN1073: Analytic 1073
Collection of device configuration via CLI commands (e.g., `show running-config`, `copy flash`, `more`), often followed by TFTP/SCP transfers.
Analyst context for executives and security teams
This analytic matters because network device configurations often contain the information needed to understand, alter, or recover critical routing, access, and management behavior. The ATT&CK object describes collection of configuration from network devices through CLI commands, with possible follow-on transfer by TFTP or SCP. For leaders, the key issue is whether the organization can prove who accessed device configurations, when configuration data was viewed or copied, and whether transfers left the device through approved channels.
Executive priority
Treat this as a resilience and governance question for network infrastructure: are configuration files protected, monitored, and recoverable with enough evidence to support incident response and audit needs? Priority should be highest for environments where network devices support critical business operations, remote access, segmentation, cloud connectivity, or cyber-physical operations. Budget and control decisions should focus on centralized network device logging, privileged access governance, approved configuration backup workflows, and evidence retention.
Technical view
For SOC, detection engineering, and IR teams, validate visibility on Network Devices for CLI activity involving configuration display or file access, and correlate that activity with management-session logs and outbound file-transfer events such as TFTP or SCP where available. Because ATT&CK provides no official detection logic for AN1073, teams should build local baselines for authorized administrator configuration review and backup behavior, then investigate unusual users, devices, timing, source management hosts, or transfer destinations. IR playbooks should include confirming whether configuration data was merely viewed, exported, or transferred from the device.
Likely telemetry
- Network device command accounting / CLI logs
- AAA, TACACS+, RADIUS, or equivalent administrator authentication and authorization logs
- Network device system logs for configuration access and file operations
- Management session metadata such as SSH, console, or remote administration source information
- File transfer logs or network telemetry for TFTP and SCP involving network devices
Detection direction
- Confirm whether command accounting is enabled and retained for network devices; syslog alone may not capture enough CLI detail.
- Baseline approved configuration review and backup workflows so routine administration does not overwhelm alerting.
- Correlate configuration-related CLI activity with administrator identity, source host, device role, and change ticket or maintenance window where available.
- Look for configuration access followed closely by file-transfer activity from the same device, especially to nonstandard destinations.
- Tune for false positives from legitimate network engineering, backup, compliance, and disaster-recovery processes.
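A small detection sketch for the "configuration view followed closely by a file transfer" pattern in the list above. It is added here as an illustration and is not part of the Glexia page or of ATT&CK; the log line format, field names, device and host values, and the approved backup server are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a generic TACACS+ command-accounting style.
# The field layout (device=, user=, src=, cmd=) is an assumption, not a vendor format.
SAMPLE_LOGS = """\
2026-03-01T02:10:05Z device=edge-rtr-01 user=jdoe src=10.20.30.5 cmd="show running-config"
2026-03-01T02:11:40Z device=edge-rtr-01 user=jdoe src=10.20.30.5 cmd="copy running-config tftp://198.51.100.77/edge.cfg"
2026-03-01T03:00:00Z device=core-sw-02 user=backup-svc src=10.0.0.10 cmd="show running-config"
2026-03-01T03:00:30Z device=core-sw-02 user=backup-svc src=10.0.0.10 cmd="copy running-config scp://10.0.0.10/backups/core.cfg"
2026-03-01T04:15:00Z device=edge-rtr-01 user=asmith src=10.20.30.9 cmd="show version"
"""

APPROVED_BACKUP_HOSTS = {"10.0.0.10"}   # assumed approved backup destination (constructed)
CONFIG_VIEW = re.compile(r"^(show running-config|show startup-config|more .*config)")
CONFIG_TRANSFER = re.compile(r"^copy .*\b(tftp|scp|ftp)://([^/\s]+)")
WINDOW = timedelta(minutes=10)          # how close a transfer must follow a config view
LINE_RE = re.compile(r'^(\S+) device=(\S+) user=(\S+) src=(\S+) cmd="([^"]*)"$')

def parse(line):
    """Parse one accounting line into a dict, or None if it does not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, device, user, src, cmd = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "device": device, "user": user, "src": src, "cmd": cmd}

def find_suspicious_exports(log_text):
    """Return alerts for a config view followed within WINDOW, on the same device and by the
    same user, by a copy to a TFTP/SCP/FTP destination that is not an approved backup host."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    last_view = {}   # (device, user) -> timestamp of the most recent config-view command
    alerts = []
    for e in events:
        key = (e["device"], e["user"])
        if CONFIG_VIEW.match(e["cmd"]):
            last_view[key] = e["ts"]
            continue
        t = CONFIG_TRANSFER.match(e["cmd"])
        if t and key in last_view and e["ts"] - last_view[key] <= WINDOW:
            proto, dest = t.group(1), t.group(2)
            if dest not in APPROVED_BACKUP_HOSTS:
                alerts.append({"device": e["device"], "user": e["user"], "src": e["src"],
                               "proto": proto, "dest": dest, "ts": e["ts"].isoformat()})
    return alerts
```

The approved-host allowlist is what keeps the routine `backup-svc` workflow from alerting; in practice it would be joined with the change-ticket or maintenance-window data mentioned above.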
Mitigation priorities
- Restrict configuration access to authorized administrative roles and approved management paths.
- Use centralized AAA and command accounting for network devices where supported.
- Standardize approved configuration backup and transfer procedures, and monitor deviations from them.
- Limit and monitor file-transfer services used by network devices, including TFTP and SCP, according to operational need.
- Retain network device logs long enough to support incident response, compliance evidence, and post-event reconstruction.
Analyst notes and limits
The supplied object is a detection analytic, not a technique, and no tactics or relationship context were provided. The description is narrow but operationally important: collection of device configuration through CLI commands and possible subsequent transfer. Glexia would treat this as a validation point for network infrastructure monitoring, privileged access governance, and incident response evidence quality.
ATT&CK does not provide official detection logic for this analytic, and no related techniques, mitigations, groups, software, campaigns, or data components were supplied. Local device types, logging capabilities, administrative workflows, and approved backup processes are required to determine practical detection coverage and alert thresholds.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 298d6a3b81f6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1073 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.