Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1451: Analytic 1451

Crafted ‘synful knock’ patterns toward routers/switches (same src hits interface/broadcast/network address on same port in short order) followed by ACL/telnet/SSH enablement or module change. Detect device image/ACL updates then a new mgmt session.

EnterpriseAN1451AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on suspicious management-plane behavior on network devices: unusual crafted traffic patterns toward routers or switches followed by configuration or access changes such as ACL updates, Telnet/SSH enablement, module changes, device image updates, and a new management session. For leaders, the business issue is not just packet detection; it is whether core network infrastructure can be monitored well enough to spot unauthorized access changes before they affect connectivity, segmentation, or incident containment.

Executive priority

Prioritize this where routers and switches are critical to business continuity, segmentation, remote administration, or compliance evidence. Executives should ask whether network-device configuration changes, image updates, management-session creation, and ACL modifications are centrally logged, reviewed, and correlated with network telemetry. This is a control-assurance issue: if the organization cannot prove who changed device access paths and when, incident response and audit readiness will be weak.

Technical view

Validate whether SOC and network operations can correlate short-window traffic patterns from the same source to interface, broadcast, or network addresses on the same port with subsequent network-device changes. Because the official object lists Network Devices and does not specify ATT&CK tactics or a separate detection field, implementation should be based on the supplied description: look for crafted knock-like patterns followed by ACL, Telnet/SSH enablement, module change, device image update, and then a new management session. IR teams should treat matching activity as a prompt to verify device configuration integrity, authorized change records, and the legitimacy of the new management session.

Likely telemetry

  • Network flow or packet metadata showing source, destination address type, port, and timing toward routers or switches
  • Network device configuration logs for ACL changes
  • Network device logs for Telnet or SSH enablement and management access changes
  • Device image update or software/module change records
  • Management session logs showing new Telnet/SSH or administrative sessions

Detection direction

  • Correlate the same source contacting interface, broadcast, or network addresses on the same port within a short time window, then check for nearby configuration or management-access changes.
  • Tune the analytic to known network management scanners, monitoring systems, backup tools, and approved maintenance windows to reduce false positives.
  • Require follow-on evidence before escalation where possible: ACL update, Telnet/SSH enablement, module change, device image update, or a new management session.
  • Validate logging coverage on routers and switches; this analytic is likely to fail if device configuration logs, management-session logs, or network flow data are missing or not time-synchronized.
  • Because no relationship context is supplied, avoid assuming a specific adversary, campaign, or ATT&CK tactic; use this as behavior-driven infrastructure monitoring.

Mitigation priorities

  • Establish authoritative logging for router and switch configuration changes, image updates, module changes, and management sessions.
  • Restrict and review management-plane access, especially Telnet/SSH enablement and administrative session sources.
  • Enforce change-management approval and reconciliation for ACL, image, and module updates on network devices.
  • Centralize network-device logs and align timestamps with network telemetry so SOC teams can correlate pre-change traffic with post-change access.
  • Periodically validate device configuration baselines and investigate deviations from approved states.
Analyst notes and limits

This is a detection analytic object, not a technique object. The strongest defensive value is in correlation: a suspicious network pattern alone may be noisy, but the pattern followed by device access or configuration changes is more actionable. Network operations context is essential to distinguish authorized maintenance from suspicious management-plane activity.

The supplied ATT&CK fields do not include tactics, relationships, aliases, labels, or an official detection section beyond the description. No active exploitation, attribution, impact, or guaranteed detection coverage can be inferred. Local device models, logging capabilities, management architecture, and change records are required to operationalize and validate this analytic.

Official MITRE ATT&CK definition

Analytic 1451

Crafted ‘synful knock’ patterns toward routers/switches (same src hits interface/broadcast/network address on same port in short order) followed by ACL/telnet/SSH enablement or module change. Detect device image/ACL updates then a new mgmt session.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
ec25a82181de04e4...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle ec25a82181de…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1451
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use