AN1519: Analytic 1519
CLI-based export of private key material (e.g., 'crypto pki export') with anomalous user session or AAA role escalation.
Analyst context for executives and security teams
This analytic focuses on network device administrators or sessions exporting private key material through the command line, especially when paired with unusual session behavior or AAA role escalation. For leaders, the issue is not just a suspicious command: private keys are trust anchors, and unauthorized export can undermine device identity, secure management, and other services that rely on those keys.
Executive priority
Treat this as a high-value control validation area for network infrastructure governance. Executives and risk owners should ask whether network device administrative activity is centrally logged, whether AAA roles prevent unnecessary access to key material, and whether the organization can prove who exported sensitive cryptographic material and why. This is relevant to incident response readiness, privileged access oversight, compliance evidence, and resilience of network trust services.
Technical view
SOC and detection teams should validate visibility on Network Devices for CLI command accounting, administrative session context, and AAA authorization changes. The analytic description specifically ties private-key export behavior to anomalous user sessions or AAA role escalation, so detection should correlate key-export commands with user identity, source, session timing, privilege level, and recent role changes. Because no official detection logic is supplied, teams should build local baselines for legitimate certificate/key administration and tune alerts around rare export activity, unexpected users, unusual access paths, or privilege changes preceding the action.
Likely telemetry
- Network device CLI command accounting logs
- AAA authentication, authorization, and accounting records
- TACACS+/RADIUS administrative session logs where used
- Privilege or role escalation events on network devices
- Administrative session metadata such as user, source address, time, device, and privilege level
Detection direction
- Confirm that network device CLI commands are logged centrally and retained with user and session context.
- Correlate private-key export activity with AAA role changes, privilege elevation, and anomalous administrative sessions.
- Baseline legitimate certificate and key maintenance workflows to reduce false positives from approved rotations or migrations.
- Alert on rare or unexpected users performing key export activity, especially outside maintenance windows or from unusual sources.
- Validate that logs distinguish command execution from login success alone; authentication logs without command accounting may miss the behavior.
Mitigation priorities
- Limit private-key export capability to the smallest set of approved administrative roles.
- Review AAA role design, privileged access workflows, and separation of duties for network device cryptographic administration.
- Require documented change control for certificate or key export operations where applicable.
- Centralize and retain network device command accounting and AAA logs for investigation and audit evidence.
- If unauthorized export is suspected, treat the affected key material as potentially exposed and follow local incident response procedures for certificate/key replacement and trust review.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and it has no tactic mapping or relationship context. The practical value is in validating whether the organization can observe and govern sensitive cryptographic administration on network devices, especially when privilege changes or unusual sessions occur.
Official detection logic was not provided, and no relationships, procedures, threat actors, or active exploitation claims were supplied. Local device models, AAA architecture, logging configuration, and approved operational workflows are required to determine detection fidelity and risk severity.
Analytic 1519
CLI-based export of private key material (e.g., 'crypto pki export') with anomalous user session or AAA role escalation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 749bcbc130ea… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1519Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.