MITRE ATT&CK® Analytic

AN0434: Analytic 0434

Non-standard or rare users/locations issue CLI commands like "show clock detail" or "show timezone"; optionally followed by configuration of time/timezone or NTP sources. AAA/TACACS+ accounting and syslog correlate execution to identity, source IP, and privilege level.

Enterprise | AN0434 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because time settings on network devices affect log integrity, incident timelines, authentication troubleshooting, and audit evidence. Rare users or unusual source locations running time-related CLI commands may be benign administration, but they are worth validating because incorrect or manipulated device time can weaken investigations and monitoring confidence.

Executive priority

Treat this as a control-assurance signal for network infrastructure governance. Leaders should ask whether network-device administrative activity is attributable to a named identity, source IP, and privilege level, and whether time/NTP changes are governed by change control. The business value is preserving reliable logs for incident response, compliance evidence, and operational resilience.

Technical view

For Network Devices, validate whether AAA/TACACS+ accounting and syslog record CLI execution for commands such as "show clock detail" and "show timezone," plus any subsequent configuration of time, timezone, or NTP sources. SOC and IR teams should correlate command execution to identity, source IP, device, privilege level, and any approved maintenance window or change record. Because no ATT&CK tactic or relationship context is supplied, this should be handled as a detection analytic for suspicious or unusual administration rather than as a standalone indication of compromise.

Likely telemetry

  • AAA accounting records for network-device CLI commands
  • TACACS+ accounting logs where deployed
  • Network-device syslog command logs
  • Administrator identity, privilege level, and source IP associated with CLI sessions
  • Configuration change logs for time, timezone, or NTP settings

Detection direction

  • Baseline normal users, source locations, and automation accounts that query or configure device time settings.
  • Alert or review when rare users or unusual source IPs run time/timezone/NTP-related commands on network devices.
  • Correlate read-only commands with any follow-on configuration changes to time, timezone, or NTP sources.
  • Tune for expected maintenance activity, standard monitoring checks, and authorized network operations workflows to reduce false positives.
  • Check for blind spots where CLI accounting is not enabled, syslog is not centralized, identities are shared, or privilege level is missing.
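
One way to implement the detection direction above, as an added example that is not MITRE's or Glexia's code. It assumes a tab-separated accounting layout modelled on tac_plus, IOS-style command strings, a pre-built baseline of (user, source IP) pairs, and a 15-minute correlation window; all sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (tab-separated, tac_plus-style layout assumed):
# timestamp, device, user, tty, source IP, record type, AV pairs...
SAMPLE = """\
2025-01-10T09:00:05\t10.0.0.1\tnetmon\ttty1\t192.0.2.10\tstop\tpriv-lvl=1\tcmd=show clock detail <cr>
2025-01-10T09:12:40\t10.0.0.1\tjdoe\ttty2\t198.51.100.77\tstop\tpriv-lvl=15\tcmd=show clock detail <cr>
2025-01-10T09:14:02\t10.0.0.1\tjdoe\ttty2\t198.51.100.77\tstop\tpriv-lvl=15\tcmd=ntp server 203.0.113.5 <cr>
2025-01-10T11:30:00\t10.0.0.2\tasmith\ttty1\t192.0.2.20\tstop\tcmd=clock timezone UTC 0 <cr>
"""

BASELINE = {("netmon", "192.0.2.10"), ("asmith", "192.0.2.20")}  # assumed known-good (user, source IP)
QUERY = re.compile(r"^show (clock|timezone|ntp)\b")  # read-only time commands (assumed patterns)
CONFIG = re.compile(r"^(no )?(clock (set|timezone|summer-time)|ntp (server|peer|source))\b")
WINDOW = timedelta(minutes=15)  # assumed query-to-config correlation window

def parse(line):
    ts, device, user, _tty, src, _rtype, *avs = line.split("\t")
    av = dict(p.split("=", 1) for p in avs if "=" in p)
    return {"ts": datetime.fromisoformat(ts), "device": device, "user": user, "src": src,
            "priv": av.get("priv-lvl"), "cmd": av.get("cmd", "").replace("<cr>", "").strip()}

def detect(text, baseline=BASELINE):
    findings, last_query = [], {}
    for rec in map(parse, filter(None, text.splitlines())):
        is_query, is_config = QUERY.match(rec["cmd"]), CONFIG.match(rec["cmd"])
        if not (is_query or is_config):
            continue
        key = (rec["user"], rec["device"])
        rare = (rec["user"], rec["src"]) not in baseline
        if rec["priv"] is None:  # attribution blind spot: privilege level not logged
            findings.append(("missing_priv_lvl", rec["user"], rec["cmd"]))
        if is_query:
            last_query[key] = rec["ts"]
            if rare:
                findings.append(("rare_time_query", rec["user"], rec["cmd"]))
        elif rare:
            # Escalate when the same user queried time on this device shortly before.
            followed = key in last_query and rec["ts"] - last_query[key] <= WINDOW
            findings.append(("query_then_config" if followed else "rare_time_config",
                             rec["user"], rec["cmd"]))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

In production the baseline would come from historical accounting data and the findings would be checked against approved change records before alerting.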

Mitigation priorities

  • Ensure network devices send AAA/TACACS+ accounting and syslog to a central logging platform.
  • Require named administrative identities and appropriate privilege separation for network-device access.
  • Place time, timezone, and NTP configuration changes under change control and periodic review.
  • Standardize approved NTP sources and monitor for deviations in configuration records.
  • Retain network-device administrative logs long enough to support incident response and audit needs.

Analyst notes and limits

This object is an ATT&CK detection analytic, not a technique. The key decision point is whether the organization can reliably attribute network-device CLI activity and distinguish approved time administration from unusual behavior. Shared admin accounts, incomplete AAA accounting, or missing command logging materially reduce the usefulness of this analytic.

The supplied ATT&CK fields provide a description but no official detection text, tactics, relationships, procedures, mitigations, or data components. Local baselines, approved admin workflows, and device logging capabilities are required to operationalize the analytic.

Official MITRE ATT&CK definition

Analytic 0434

Non-standard or rare users/locations issue CLI commands like "show clock detail" or "show timezone"; optionally followed by configuration of time/timezone or NTP sources. AAA/TACACS+ accounting and syslog correlate execution to identity, source IP, and privilege level.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b756a6dc611f52b5...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | b756a6dc611f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0434

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.