AN1194: Analytic 1194
CLI or automated utilities accessing raw device volumes or flash storage directly (e.g., via `copy flash:`, `format`, or `partition` commands).
Analyst context for executives and security teams
This analytic is about spotting direct access to network-device storage, such as flash or raw device volumes, through CLI or automation utilities. For leaders, the risk significance is that storage-level actions on network devices can affect availability, configuration integrity, recovery options, and forensic evidence. Even without a supplied ATT&CK tactic or detection logic, this behavior is worth governance attention because network infrastructure often underpins business continuity.
Executive priority
Prioritize this as a network infrastructure resilience and change-control question: who is allowed to access device storage directly, how is that access approved, and can the organization prove what happened during an incident or audit? Security leaders should validate whether SOC and network operations teams have usable evidence from network devices, AAA/accounting systems, and automation platforms to distinguish approved maintenance from unexpected storage manipulation.
Technical view
For SOC, detection engineering, and IR teams, validate visibility into CLI and automated utility activity on Network Devices where commands or jobs interact directly with flash storage or raw volumes, including examples such as copy, format, or partition-related activity. Because the official detection field is not provided and no relationships or tactics are supplied, treat this as a coverage validation item rather than a complete detection rule. Focus on whether logs preserve command text, user identity, source, device, timestamp, privilege context, and whether the activity came from an interactive session or automation.
Likely telemetry
- Network device CLI command accounting logs
- AAA/TACACS+/RADIUS authentication and command authorization/accounting records
- Network device syslog or event logs for file system, flash, format, copy, or partition-related activity
- Privileged session logs or terminal session recordings where available
- Network automation, orchestration, or configuration management job logs
Detection direction
- Baseline approved storage-level operations during maintenance, software upgrades, backups, and recovery procedures to reduce false positives.
- Correlate storage-access commands with authenticated user, privilege level, source system, change ticket, and automation job identity.
- Alert or review when direct flash/raw-volume activity occurs outside maintenance windows, from unusual accounts, from unexpected management hosts, or without a matching change record.
- Validate whether network devices actually emit command accounting and storage/file-system events; many environments have blind spots if only high-level syslog is collected.
- Separate interactive administrator activity from automation-driven activity so detections do not generate excessive noise from approved tooling.
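The detection direction above can be exercised end to end in a small triage script. The following Python is an added example written for this page, not code from MITRE or Glexia: it assumes a constructed, pipe-delimited command accounting export (one line per command, as a TACACS+ command-accounting collector might emit it), a hypothetical `Policy` describing the maintenance window, approved administration hosts, approved automation hosts, accounts allowed to run storage-level commands, and open change tickets, and a generic set of IOS-style storage command patterns (`copy ... flash:`, `format`, `partition`, `erase`, `delete flash:`) assumed for illustration rather than taken from vendor documentation. It flags storage-level commands that fall outside the window, come from unapproved accounts or management hosts, or lack a matching change record, and labels each hit as interactive or automation-driven so approved tooling can be separated from ad-hoc administrator activity.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, time

# Assumed, generic IOS-style command forms that touch device storage.
# Adjust to the platforms actually deployed; this list is illustrative.
STORAGE_CMD = re.compile(
    r"^(copy\s+\S*flash:|copy\s+\S+\s+\S*flash:|format\s+|partition\s+"
    r"|erase\s+\S*flash|delete\s+\S*flash:)",
    re.IGNORECASE,
)

# Constructed accounting line layout (hypothetical collector export):
# timestamp|device|user|source_ip|priv_level|command|change_ticket
ACCT_LINE = re.compile(
    r"^(?P<ts>\S+)\|(?P<device>[^|]+)\|(?P<user>[^|]+)\|(?P<src>[^|]+)\|"
    r"(?P<priv>\d+)\|(?P<cmd>[^|]+)\|(?P<ticket>[^|]*)$"
)


@dataclass
class Policy:
    maintenance_window: tuple          # (start, end) as datetime.time, local time
    approved_admin_hosts: set          # jump hosts administrators must come from
    automation_hosts: set              # orchestration systems treated as approved tooling
    storage_admins: set                # accounts allowed to run storage-level commands
    open_change_tickets: set           # change records currently open


@dataclass
class Finding:
    device: str
    user: str
    source: str
    command: str
    session_type: str                  # "interactive" or "automation"
    reasons: list = field(default_factory=list)


def parse_accounting(lines):
    """Yield dict records for well-formed accounting lines; skip the rest."""
    for line in lines:
        m = ACCT_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["priv"] = int(rec["priv"])
        yield rec


def in_window(ts: datetime, window) -> bool:
    """True when the timestamp's time of day falls inside the maintenance window."""
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end      # window that spans midnight


def review_storage_commands(lines, policy: Policy) -> list:
    """Return a Finding for each storage-level command that breaks the baseline."""
    findings = []
    for rec in parse_accounting(lines):
        if not STORAGE_CMD.match(rec["cmd"]):
            continue                   # not a storage-level command; ignore
        session_type = "automation" if rec["src"] in policy.automation_hosts else "interactive"
        reasons = []
        if not in_window(rec["ts"], policy.maintenance_window):
            reasons.append("outside maintenance window")
        if rec["user"] not in policy.storage_admins:
            reasons.append("account not approved for storage-level commands")
        if session_type == "interactive" and rec["src"] not in policy.approved_admin_hosts:
            reasons.append("unexpected management host")
        if not rec["ticket"] or rec["ticket"] not in policy.open_change_tickets:
            reasons.append("no matching change record")
        if reasons:
            findings.append(Finding(rec["device"], rec["user"], rec["src"],
                                    rec["cmd"], session_type, reasons))
    return findings


# Constructed sample data: a 01:00-04:00 maintenance window, one approved
# automation host, two approved administrator jump hosts, one open ticket.
SAMPLE_POLICY = Policy(
    maintenance_window=(time(1, 0), time(4, 0)),
    approved_admin_hosts={"10.10.5.11", "10.10.5.12"},
    automation_hosts={"10.10.5.20"},
    storage_admins={"netadmin-jane", "netadmin-bob", "ansible-svc"},
    open_change_tickets={"CHG-1042"},
)

SAMPLE_ACCOUNTING = [
    "2024-03-10T02:15:00|core-rtr-01|ansible-svc|10.10.5.20|15|copy tftp://10.10.5.20/ios.bin flash:|CHG-1042",
    "2024-03-10T02:20:00|core-rtr-01|netadmin-jane|10.10.5.11|15|show version|",
    "2024-03-10T14:32:00|edge-sw-07|netadmin-jane|10.10.5.11|15|format flash:|",
    "2024-03-10T23:05:00|core-rtr-02|temp-contractor|192.168.77.4|15|copy running-config flash:backup.cfg|",
    "2024-03-10T02:40:00|dist-sw-03|netadmin-bob|10.10.5.12|15|partition flash: 2 100 300|CHG-1042",
]

if __name__ == "__main__":
    for f in review_storage_commands(SAMPLE_ACCOUNTING, SAMPLE_POLICY):
        print(f"{f.device} {f.user}@{f.source} [{f.session_type}] {f.command!r}: {', '.join(f.reasons)}")
```

Run against the sample, the approved automation upgrade and the ticketed in-window `partition` are silent; the mid-afternoon `format flash:` is reported for being outside the window without a change record, and the contractor's late-night backup copy from an unknown host collects all four reasons. The value of the script is the shape of the correlation, not the regex: if the accounting source drops the command text, the source address, or the ticket reference, most of these checks cannot be made, which is exactly the logging gap the validation step above asks teams to confirm.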
Mitigation priorities
- Enforce least-privilege administrative access for network devices, especially commands that affect storage, images, partitions, or device file systems.
- Require AAA command accounting and centralized retention for privileged network-device sessions.
- Tie storage-level network-device actions to formal change control, maintenance windows, and named approvals.
- Restrict management access paths to authorized administration hosts and monitored automation systems.
- Maintain reliable configuration and device image backups so recovery is possible if storage-level changes disrupt operations.
Analyst notes and limits
This object is a detection analytic for Network Devices with a narrow official description: CLI or automated utilities accessing raw device volumes or flash storage directly. No ATT&CK tactics, related techniques, official detection text, aliases, labels, or relationships were supplied. The most defensible use is as a detection coverage and logging-readiness checkpoint for network infrastructure operations.
The supplied ATT&CK fields do not provide a detection query, tactic mapping, adversary relationship, impact claim, or vendor-specific platform detail. Local device models, logging configuration, AAA coverage, automation tooling, and change-management data are required to determine practical detection quality and operational priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0f5c78d8322c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1194
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.