MITRE ATT&CK® Analytic

AN1219: Analytic 1219

Detects firmware or script relocation attempts (e.g., CLI-based `copy`, `move`, or `rename`) between temporary partitions and config startup folders on routers or switches.

Enterprise | AN1219 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is about watching routers and switches for attempts to move or rename firmware or scripts from temporary locations into startup or configuration-related folders. For leaders, the practical issue is resilience: unauthorized changes on network devices can affect routing, availability, recovery, and trust in the infrastructure that business systems depend on.

Executive priority

Prioritize this where network devices are critical to business continuity, regulated connectivity, or operational environments. The key leadership question is whether the organization can prove it has visibility into configuration and file movement activity on routers and switches, not just servers and endpoints. This analytic supports audit and incident-response readiness by focusing attention on device-level change evidence that may otherwise be missing from SOC monitoring.

Technical view

Validate whether network-device telemetry can show CLI-based copy, move, or rename activity involving temporary partitions and startup/configuration folders. Because ATT&CK does not provide a detection expression for this analytic, SOC teams should translate the behavior into device-specific log logic and change-control correlation. Focus on distinguishing approved firmware maintenance, scripted administration, and backup operations from unexpected relocation of firmware or scripts into startup paths.

Likely telemetry

  • Network device command history or accounting logs
  • Router and switch system logs
  • Configuration change logs
  • File operation events where available
  • Administrative session logs for CLI access

Detection direction

  • Confirm that routers and switches send command and configuration activity to centralized logging.
  • Build or validate logic for copy, move, or rename commands involving temporary partitions and startup/config folders.
  • Correlate device file movement with approved maintenance windows and authorized administrator activity.
  • Tune for legitimate firmware upgrades, configuration backups, and automation jobs to reduce false positives.
  • Identify blind spots where network devices do not log file operations, command accounting is disabled, or logs are not retained centrally.
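An added example (not MITRE's or Glexia's code) that turns the direction above into detection logic over constructed command-accounting lines: it flags copy, move or rename commands whose source is a temporary partition or folder and whose destination is a startup or configuration location, then lowers the severity when the event falls inside a constructed change-control window for an approved administrator on that device. The log field layout, the temp/startup path patterns and the change-control record are all assumptions for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample command-accounting lines (not real device output); the
# "ts host= user= cmd=" field layout is an assumption of this example.
SAMPLE_LOG = """\
2024-03-02T01:10:05Z host=rtr01 user=netops cmd="copy running-config startup-config"
2024-03-02T01:12:40Z host=rtr01 user=netops cmd="copy flash:/tmp/ios-new.bin flash:/startup/ios.bin"
2024-03-02T13:45:12Z host=sw07 user=contractor cmd="copy flash:/tmp/boot.tcl nvram:/startup-config"
2024-03-02T13:46:01Z host=sw07 user=contractor cmd="rename flash:/temp/script.tcl flash:/startup/script.tcl"
2024-03-02T13:50:30Z host=sw07 user=contractor cmd="show version"
"""

# Constructed change-control record: (device, window start, window end, approved users).
APPROVED_WINDOWS = [
    ("rtr01", "2024-03-02T01:00:00Z", "2024-03-02T02:00:00Z", {"netops"}),
]

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"$')
RELOCATE_VERBS = {"copy", "move", "rename"}
TEMP_RE = re.compile(r"(^|[:/])(tmp|temp)(/|$)", re.I)   # temporary partition or folder (assumed naming)
STARTUP_RE = re.compile(r"(startup|nvram)", re.I)        # startup/config location (assumed naming)


def parse_iso(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_temp_to_startup(cmd):
    """True when a copy/move/rename reads from a temp path and writes to a startup/config path."""
    parts = cmd.split()
    if len(parts) != 3 or parts[0].lower() not in RELOCATE_VERBS:
        return False
    src, dst = parts[1], parts[2]
    return bool(TEMP_RE.search(src) and STARTUP_RE.search(dst))


def is_approved(host, user, when):
    """True when the user and time fall inside an approved window for that device."""
    return any(h == host and user in users and parse_iso(s) <= when <= parse_iso(e)
               for h, s, e, users in APPROVED_WINDOWS)


def find_relocations(log_text):
    """Return (host, user, cmd, severity) for each temp-to-startup relocation in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_temp_to_startup(m["cmd"]):
            continue
        severity = "info" if is_approved(m["host"], m["user"], parse_iso(m["ts"])) else "high"
        findings.append((m["host"], m["user"], m["cmd"], severity))
    return findings
```

The routine copy of running-config to startup-config is not flagged because its source is not a temporary location; the path patterns should be replaced with the naming conventions of the platforms actually in use.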

Mitigation priorities

  • Enable centralized logging and administrative command accounting on supported network devices.
  • Restrict administrative access to network devices using least privilege and approved management paths.
  • Require change-control records for firmware, script, and startup configuration changes.
  • Review device hardening standards to limit unauthorized file modification paths where supported.
  • Test incident-response procedures for validating device integrity and recovering trusted configurations.

Analyst notes and limits

The supplied object is a detection analytic for Network Devices only. It has no supplied tactic, no relationships, and no official detection logic, so implementation depends on local router/switch platforms, logging capabilities, and naming conventions for temporary and startup/configuration locations.

This take is limited to the official STIX fields and external reference provided. It does not establish adversary use, active exploitation, impact, or existing detection coverage. Local validation is required to determine whether the necessary network-device logs exist and whether the analytic can be implemented reliably.

Official MITRE ATT&CK definition

Analytic 1219

Detects firmware or script relocation attempts (e.g., CLI-based `copy`, `move`, or `rename`) between temporary partitions and config startup folders on routers or switches.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

  • ATT&CK release: 19.1
  • Object version: 1.0
  • Created
  • Modified
  • Raw hash: 40762ff86c7336f0...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 40762ff86c73…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1219 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.