AN1287: Analytic 1287
Login activity from default admin credentials (e.g., 'admin', 'cisco') on routers, firewalls, and switches.
Analyst context for executives and security teams
This analytic focuses on successful or attempted logins to routers, firewalls, and switches using default administrator credentials such as “admin” or “cisco.” For leaders, the issue is not just weak passwords; it is whether core network infrastructure can be trusted to enforce segmentation, availability, and incident containment. If default credentials still work, a routine security gap can become a business-continuity risk because network devices sit in the path of access, traffic control, and recovery operations.
Executive priority
Treat this as a control-validation priority for network infrastructure hygiene. Executives and risk owners should ask whether the organization can prove that default administrative accounts are removed, changed, or blocked across routers, firewalls, and switches, and whether authentication events from those devices are visible to the SOC. This can support audit evidence, resilience planning, and incident decision-making, especially where network devices protect critical business services.
Technical view
SOC and detection teams should validate whether authentication activity from network devices is centrally collected and whether logins using known default administrator usernames are distinguishable from legitimate administrative access. Because the ATT&CK object provides no official detection logic and no tactic mapping, teams should treat AN1287 as a focused analytic requirement: identify login events on routers, firewalls, and switches where the account name matches default administrative credentials, then review success/failure status, source address, device role, and whether the account should exist at all.
Likely telemetry
- Network device authentication logs from routers, firewalls, and switches
- Syslog or equivalent device event streams containing login success and failure records
- Central authentication records where network devices use AAA services such as RADIUS or TACACS+
- Asset inventory identifying network devices and their administrative interfaces
- Account/configuration evidence showing whether default administrator accounts remain enabled
Detection direction
- Confirm that network-device login events are collected centrally and normalized with username, device, source address, timestamp, and success/failure status.
- Build or validate logic for default administrator usernames referenced by the analytic description, including examples such as “admin” and “cisco,” while tuning for locally approved break-glass or migration cases.
- Prioritize successful logins, repeated failures, and default-account activity against high-value network devices such as firewalls, routers, and core switches.
- Use asset context to reduce noise: the same username may be benign on a non-network system but material on a network device administrative interface.
- Identify blind spots where device logs are local-only, overwritten quickly, not forwarded to the SIEM, or missing source IP and authentication outcome fields.
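The detection direction above, worked through as code: the script below is an added example, not part of the ATT&CK object or the Glexia page. It normalizes constructed syslog lines whose layout approximates Cisco IOS `%SEC_LOGIN` messages (an assumption, not captured data), matches the username against default administrator accounts, uses an assumed asset inventory to keep only routers, firewalls and switches in scope, honours an assumed break-glass exception, and flags events whose source address is missing as a logging blind spot. Hostnames, addresses and the exception list are all invented for illustration.

```python
"""Added example: flag network-device logins that use default admin usernames.
All hostnames, addresses and log lines are constructed; the syslog layout
approximates Cisco IOS %SEC_LOGIN messages (assumption, not captured data)."""
import re
from dataclasses import dataclass
from typing import Optional

# Usernames from the analytic description plus two common vendor defaults
# (assumption; extend from your own vendor documentation).
DEFAULT_ADMIN_USERS = {"admin", "cisco", "administrator", "root"}

# Constructed asset inventory: hostname -> role. Only network roles are in scope.
ASSET_INVENTORY = {
    "fw-edge-01": "firewall",
    "rtr-core-01": "router",
    "sw-dist-02": "switch",
    "app-server-07": "server",
}
NETWORK_DEVICE_ROLES = {"firewall", "router", "switch"}

# Locally approved break-glass use as (host, username, source). Assumed.
APPROVED_EXCEPTIONS = {("rtr-core-01", "admin", "10.99.0.5")}

# Constructed sample events. The last line deliberately lacks a Source field.
SAMPLE_LOGS = [
    "<189>Mar 10 09:14:02 fw-edge-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.44] [localport: 22] at 09:14:02 UTC Mon Mar 10 2025",
    "<188>Mar 10 09:14:20 rtr-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.44] [localport: 22] [Reason: Login Authentication Failed] at 09:14:20 UTC Mon Mar 10 2025",
    "<189>Mar 10 09:15:01 rtr-core-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.99.0.5] [localport: 22] at 09:15:01 UTC Mon Mar 10 2025",
    "<189>Mar 10 09:16:33 sw-dist-02 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops.jdoe] [Source: 10.10.5.7] [localport: 22] at 09:16:33 UTC Mon Mar 10 2025",
    "<189>Mar 10 09:17:00 app-server-07 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.10.5.9] [localport: 22] at 09:17:00 UTC Mon Mar 10 2025",
    "<189>Mar 10 09:18:45 sw-dist-02 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] at 09:18:45 UTC Mon Mar 10 2025",
]

LINE_RE = re.compile(
    r"^<\d+>\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+"
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED):"
    r".*?\[user:\s*(?P<user>[^\]]+)\]"
    r"(?:.*?\[Source:\s*(?P<src>[^\]]+)\])?"
)


@dataclass
class Finding:
    host: str
    role: str
    user: str
    source: Optional[str]
    outcome: str    # "success" or "failure"
    severity: str   # "high", "medium" or "info"
    note: str


def parse_login(line: str) -> Optional[dict]:
    """Normalize one syslog line into host, user, source and outcome."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"host": m["host"], "user": m["user"].strip().lower(),
            "source": m["src"].strip() if m["src"] else None,
            "outcome": "success" if m["event"] == "LOGIN_SUCCESS" else "failure"}


def evaluate(event: dict) -> Optional[Finding]:
    """Apply the analytic to one normalized event; None means no finding."""
    role = ASSET_INVENTORY.get(event["host"], "unknown")
    if event["user"] not in DEFAULT_ADMIN_USERS:
        return None
    if role != "unknown" and role not in NETWORK_DEVICE_ROLES:
        return None  # same username on a server is a different problem
    if (event["host"], event["user"], event["source"]) in APPROVED_EXCEPTIONS:
        sev, note = "info", "approved break-glass path; verify change record"
    elif event["source"] is None:
        sev, note = "high", "source address missing from log; logging blind spot"
    elif role == "unknown":
        sev, note = "medium", "host not in asset inventory; confirm device type"
    elif event["outcome"] == "success":
        sev, note = "high", "successful login with default admin username"
    else:
        sev, note = "medium", "failed login with default admin username"
    return Finding(event["host"], role, event["user"], event["source"],
                   event["outcome"], sev, note)


def run(lines) -> list:
    """Parse and evaluate every line, returning the findings in log order."""
    return [f for f in (evaluate(e) for e in map(parse_login, lines) if e) if f]


def failure_counts(findings) -> dict:
    """Failed default-account attempts per (host, user), for threshold alerts."""
    counts = {}
    for f in findings:
        if f.outcome == "failure":
            counts[(f.host, f.user)] = counts.get((f.host, f.user), 0) + 1
    return counts


if __name__ == "__main__":
    for f in run(SAMPLE_LOGS):
        print(f"[{f.severity.upper():6}] {f.host} ({f.role}) user={f.user} "
              f"src={f.source or '?'} {f.outcome}: {f.note}")
```

Against the six constructed lines the script produces four findings: the edge firewall login from an external address (high), the failed `cisco` attempt on the core router (medium), the approved break-glass login (info), and the switch login whose log line carries no source address (high, because the missing field is itself a gap the SOC should close). The `netops.jdoe` login and the `admin` login on the application server produce nothing, which is the asset-context filtering the list above describes. In a SIEM the same logic becomes a join between the normalized authentication events, the asset inventory and the exception list; `failure_counts` is the input for a repeated-failure threshold.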
Mitigation priorities
- Inventory routers, firewalls, and switches and verify whether default administrative credentials or accounts remain enabled.
- Change or disable default administrator credentials during provisioning and after device resets or replacements.
- Centralize administrative authentication where appropriate and retain device login logs for SOC review and incident response.
- Restrict administrative access to approved management paths and authorized personnel.
- Periodically audit network-device configurations and authentication logs to provide compliance evidence that default credentials are not in use.
Analyst notes and limits
AN1287 is a detection analytic object for Network Devices with the official description: login activity from default admin credentials on routers, firewalls, and switches. No official detection text, tactics, labels, aliases, or relationship context were supplied, so this analysis emphasizes validation questions and defensive implementation considerations rather than a specific detection rule.
The supplied ATT&CK fields do not include detection logic, related techniques, data sources, mitigations, adversary usage, or impact claims. Local device types, logging formats, authentication architecture, account naming standards, and approved administrative exceptions are required before operationalizing or scoring this analytic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8f2616bf0a97… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1287 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.