AN1432: Analytic 1432
Identifies CLI interpreter access (e.g., Cisco IOS, Juniper JUNOS) via `enable` mode or scripting-capable sessions used by uncommon accounts or from unknown IPs.
Analyst context for executives and security teams
This analytic matters because privileged or script-capable command-line access to network devices can become a control-plane risk, not just an IT login event. For executives and security leaders, the key decision is whether the organization can distinguish expected administrator access from unusual accounts or unknown source IPs before configuration integrity, connectivity, or incident response visibility is affected.
Executive priority
Prioritize this as a network infrastructure governance and resilience question: who is allowed to enter elevated or automation-capable sessions on network devices, from where, and how that evidence is reviewed. It supports control validation for privileged access, change accountability, SOC readiness, and audit evidence around network administration paths. Because ATT&CK provides no tactic mapping, relationship context, or detailed detection logic here, leaders should treat it as a coverage-validation prompt rather than a complete detection requirement.
Technical view
Validate whether network device authentication and command/session logs can identify CLI interpreter access such as enable mode or scripting-capable sessions, the account used, source IP, device, timestamp, and whether the source is known. SOC and detection teams should baseline expected network administrator and automation accounts, expected management networks, and approved jump hosts, then alert or review access by uncommon accounts or unknown IPs. Incident responders should confirm they can reconstruct the session context and correlate it with authorized change activity.
Likely telemetry
- Network device authentication logs
- CLI session start and privilege elevation events
- Enable-mode access records where available
- Command accounting or session accounting logs
- Source IP and management-plane connection metadata
Detection direction
- Confirm that network devices generate and forward logs for privileged CLI access and scripting-capable sessions; the ATT&CK object does not provide detection logic.
- Build allowlists or baselines for expected administrator accounts, automation accounts, management subnets, and jump hosts.
- Review access by uncommon accounts or from unknown IPs, especially when paired with privilege elevation or script-capable sessions.
- Tune carefully for legitimate emergency administration, new network engineering staff, break-glass use, and automation platform changes.
- Check blind spots such as devices not forwarding logs, local accounts not centrally inventoried, unmanaged management interfaces, and incomplete source IP attribution through jump infrastructure.
Mitigation priorities
- Inventory network devices, approved management paths, administrator accounts, and automation accounts.
- Restrict management access to known administrative networks or controlled jump hosts where feasible.
- Enforce least privilege and review accounts capable of elevated CLI or scripting sessions.
- Centralize and retain network device authentication, privilege, and session accounting logs for SOC and IR use.
- Align alerts with change-management evidence so unusual access can be triaged quickly without suppressing legitimate maintenance activity.
Analyst notes and limits
This Glexia take is based on ATT&CK analytic AN1432, which describes identifying CLI interpreter access on network devices via enable mode or scripting-capable sessions by uncommon accounts or from unknown IPs. No ATT&CK tactics, relationships, aliases, labels, or official detection procedure were supplied, so the guidance focuses on practical validation of telemetry, baselines, and administrative access controls.
The supplied object is a detection analytic with a short description only. It does not include a detection query, data source mappings, related techniques, adversary usage, impact claims, or environment-specific thresholds. Local device types, logging capabilities, identity sources, jump host architecture, and approved administration patterns are required to operationalize it.
Analytic 1432
Identifies CLI interpreter access (e.g., Cisco IOS, Juniper JUNOS) via `enable` mode or scripting-capable sessions used by uncommon accounts or from unknown IPs.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | b25dfad48820… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1432Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.