MITRE ATT&CK® Analytic

AN1159: Analytic 1159

Use of configuration backup utilities or CLI access to dump plaintext passwords, local user hashes, or SNMP strings.

Enterprise | AN1159 | Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic highlights a high-value network-device risk: configuration backups or CLI access can expose plaintext passwords, local user hashes, or SNMP strings. For leaders, the issue is not only unauthorized access to a router, switch, or firewall; it is whether device management practices could turn routine administration or backup activity into credential exposure that enables broader operational disruption.

Executive priority

Prioritize this as an identity, network resilience, and audit-evidence concern for environments with managed network devices. Executives should ask who can run configuration backups or privileged CLI commands, where those outputs are stored, whether secrets are protected, and whether the SOC can distinguish authorized administration from suspicious credential-dumping behavior. The business decision value is in reducing the blast radius of exposed device credentials and proving control over privileged network administration.

Technical view

For SOC, IR, and detection engineering teams, validate visibility around Network Devices where configuration backup utilities or CLI access may output passwords, local user hashes, or SNMP strings. Because the ATT&CK object provides no official detection logic and no tactic mapping, teams should treat this as a detection validation requirement: confirm whether device management logs, AAA/authentication records, configuration archive events, command accounting, and backup-system activity can show who accessed configuration data, from where, when, and whether output was exported or stored.

Likely telemetry

  • Network device CLI command accounting and administrative session logs
  • AAA, TACACS+, RADIUS, or equivalent authentication and authorization logs for network device administration
  • Configuration backup job logs and configuration archive access records
  • Network device configuration change and configuration export events
  • Management-plane access logs, including source host, user, time, and device

Detection direction

  • Validate that authorized configuration backup utilities and privileged CLI sessions are logged with user, source, target device, and command or action context.
  • Baseline normal backup schedules, administrator accounts, management hosts, and device groups so unusual timing, source systems, or users can be reviewed without overwhelming the SOC.
  • Tune for access to configuration outputs that may contain plaintext passwords, local user hashes, or SNMP strings, while accounting for legitimate network engineering maintenance and backup operations.
  • Check blind spots around devices that do not forward command accounting, backups stored outside monitored repositories, shared administrative accounts, and management-plane access that bypasses centralized AAA.
  • Because no official ATT&CK detection is supplied, validate detections through local log availability and approved administrative workflows rather than assuming coverage from the analytic name alone.
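The baseline-and-deviation approach described above, as an added example that is not part of the ATT&CK object or Glexia's page: it parses constructed command-accounting records in a simplified TACACS+ style (an assumed format, not any vendor's exact output), keeps only commands that display or export a configuration, and reports each one whose user, source host or time falls outside a constructed approved-administration baseline.

```python
"""Baseline-deviation review of network-device configuration access.

Added example, not code from the ATT&CK object or Glexia. The record format
(simplified TACACS+ command accounting), hosts, users and window are constructed.
"""
import re
APPROVED_ADMINS = {"netops-backup", "jsmith"}     # constructed baseline
APPROVED_MGMT_HOSTS = {"10.10.0.5", "10.10.0.6"}  # constructed baseline
MAINTENANCE_HOURS = range(1, 5)                   # 01:00-04:59 device time

# Commands that display or export a configuration and so may carry plaintext
# passwords, local user hashes or SNMP community strings.
CONFIG_DUMP = re.compile(
    r"^(show (running|startup)-config|copy (running|startup)-config \S+|write terminal)"
)
RECORD = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<device>\S+) user=(?P<user>\S+) '
    r'src=(?P<src>\S+) cmd="(?P<cmd>[^"]*)"$'
)

def review(records):
    """Return (device, user, src, cmd, reasons) for config-dump commands off baseline."""
    findings = []
    for raw in records:
        m = RECORD.match(raw)
        if not m or not CONFIG_DUMP.match(m["cmd"]):
            continue  # unparseable lines are a blind spot; count them in production
        hour = int(m["ts"].split()[1][:2])
        reasons = []
        if m["user"] not in APPROVED_ADMINS:
            reasons.append("unapproved user")
        if m["src"] not in APPROVED_MGMT_HOSTS:
            reasons.append("unapproved source host")
        if hour not in MAINTENANCE_HOURS:
            reasons.append("outside maintenance window")
        if reasons:
            findings.append((m["device"], m["user"], m["src"], m["cmd"], tuple(reasons)))
    return findings

SAMPLE = [  # constructed command-accounting records
    '2026-03-01 02:15:07 core-rtr-01 user=netops-backup src=10.10.0.5 cmd="copy running-config tftp://10.10.0.5/core-rtr-01.cfg"',
    '2026-03-01 14:02:11 core-rtr-01 user=jsmith src=10.10.0.6 cmd="show ip interface brief"',
    '2026-03-01 14:03:40 core-rtr-01 user=jsmith src=192.168.50.22 cmd="show running-config"',
    '2026-03-01 03:10:00 edge-fw-02 user=admin src=10.10.0.5 cmd="show startup-config"',
]

if __name__ == "__main__":
    for device, user, src, cmd, reasons in review(SAMPLE):
        print(f"{device}: {user}@{src} ran {cmd!r}: {', '.join(reasons)}")
```

The scheduled backup from the approved host inside the window produces no finding, which is the point of baselining: only the off-host daytime dump and the shared local account are surfaced for review.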

Mitigation priorities

  • Restrict configuration backup and privileged CLI access to approved administrators, managed hosts, and documented workflows.
  • Use centralized authentication, authorization, and accounting for network device administration where supported, and minimize shared local accounts.
  • Protect stored configuration backups as sensitive credential material with access control, retention governance, and monitoring.
  • Reduce secret exposure in device configurations where platform capabilities allow, including stronger handling of passwords, hashes, and SNMP strings.
  • Review administrative access and backup procedures as part of incident response readiness, compliance evidence, and network-device hardening programs.

Analyst notes and limits

This object is a detection analytic for Network Devices, not a full ATT&CK technique entry. The available official description focuses on configuration backup utilities or CLI access being used to dump plaintext passwords, local user hashes, or SNMP strings. There are no supplied relationships, aliases, tactic mappings, or official detection details, so the strongest use is as a prompt to validate telemetry and controls around network-device configuration access.

The supplied ATT&CK fields do not include detection logic, related techniques, threat actors, campaigns, mitigations, or active exploitation context. Local device platforms, logging capabilities, backup architecture, and administrative workflows are required to turn this into precise detection content.

Official MITRE ATT&CK definition

Analytic 1159

Use of configuration backup utilities or CLI access to dump plaintext passwords, local user hashes, or SNMP strings.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 95389e1d05a44518...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 95389e1d05a4…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1159
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.