Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1542: Analytic 1542

Monitor CLI 'reload' commands issued without scheduled maintenance, and correlate to TACACS+/AAA logs for privilege validation.

EnterpriseAN1542AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because an unscheduled network device CLI “reload” command can be an early decision point for availability risk and administrator misuse or compromise. For leaders, the value is not just alerting on the command; it is proving whether the action was authorized, performed by the right privilege level, and aligned to an approved maintenance window.

Executive priority

Prioritize this where network device availability is material to business operations. Security and infrastructure leaders should ask whether reload activity is logged, tied to named administrators through TACACS+/AAA, and reconciled with maintenance approvals. This also supports audit evidence for privileged access oversight and change-control discipline.

Technical view

For SOC, detection engineering, and IR teams, validate monitoring of CLI “reload” commands on network devices and correlate each event with TACACS+/AAA authentication, authorization, and accounting records. The key triage question is whether the command occurred outside scheduled maintenance and whether the account/session had validated privilege to perform it. Because no ATT&CK tactic or relationship context is supplied, treat this as a focused network-device administrative activity analytic rather than a broader intrusion pattern by itself.

Likely telemetry

  • Network device CLI command accounting logs showing “reload” commands
  • TACACS+/AAA authentication, authorization, and accounting logs
  • Privileged administrator identity and session records
  • Network device system logs indicating reload or reboot events
  • Approved maintenance/change-management schedules

Detection direction

  • Alert on CLI “reload” commands issued outside approved maintenance windows.
  • Correlate command execution to TACACS+/AAA records to validate user identity, privilege level, and session context.
  • Tune for authorized maintenance, emergency changes, lab devices, and automation accounts to reduce false positives.
  • Check for blind spots where network devices do not send command accounting logs or where AAA is bypassed/local-only.
  • Validate time synchronization across network devices, AAA infrastructure, and SIEM so maintenance-window correlation is reliable.

Mitigation priorities

  • Require centralized AAA/TACACS+ for privileged network device administration where applicable.
  • Enforce least-privilege administrative roles for commands that can affect device availability.
  • Maintain and integrate approved maintenance/change records with monitoring workflows.
  • Ensure network device command accounting and system logs are collected, retained, and reviewed.
  • Define an incident response path for unscheduled reload commands, including privilege validation and operational impact assessment.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Network Devices with a narrow official description: monitor CLI “reload” commands outside scheduled maintenance and correlate with TACACS+/AAA logs for privilege validation. The strongest defensive value comes from joining command telemetry, identity/AAA evidence, and change-control context.

No official detection logic, tactic mapping, relationships, adversary context, or procedure examples were supplied. Local device types, logging capabilities, AAA configuration, maintenance processes, and SIEM coverage must be validated before judging detection effectiveness.

Official MITRE ATT&CK definition

Analytic 1542

Monitor CLI 'reload' commands issued without scheduled maintenance, and correlate to TACACS+/AAA logs for privilege validation.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
c97e214e4726eb13...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle c97e214e4726…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1542
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use