
Summary
This analytic detects Cisco IOS-XE CLI activity in which an operator issues the command 'request platform software package describe' together with suspicious shell-style filename patterns (for example, patterns containing bash), which is indicative of Salt Typhoon tradecraft. The rule ingests Cisco IOS logs (sourcetype cisco:ios), filters on the AAA and HA_EM facilities with the relevant accounting or logging mnemonics (AAA_ACCOUNTING_MESSAGE, LOG), and requires a message_text that includes both the command and a malicious filename pattern such as --filename=/(bash)n* or --filename=$(bash)n*. The detection aggregates results by destination (dest), reporting first and last seen times and the associated shell-pattern message. To be effective it requires visibility into CLI commands, via AAA command accounting or EEM catchall logging. The analytic is categorized under network assets and is aligned with MITRE ATT&CK techniques related to command-line interfaces and potentially exploitation via command execution. The rule is labeled with the Salt Typhoon storyline. References include CISA advisories and Talos’ Salt Typhoon analysis. For analysts, drilldown queries are provided to view results per destination and to examine recent risk events. The finding notes that a suspicious request platform package describe command was observed on the identified host, enabling rapid investigation. This rule does not list known false positives at this time.
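The filter and per-destination aggregation described above, written out as an added Python example rather than the analytic's own SPL: it parses constructed Cisco IOS syslog events, applies the facility, mnemonic and message_text conditions, and reports first/last seen per dest. Only the `%FACILITY-SEVERITY-MNEMONIC:` header convention is real Cisco format; the `<_time> <dest> <raw>` layout, the event bodies and the `SHELL_FILENAME_RE` approximation of the rule's wildcards are assumptions.

```python
import re
from collections import defaultdict

# Cisco IOS syslog header convention: %FACILITY-SEVERITY-MNEMONIC: message_text
HEADER_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<message_text>.*)")
COMMAND = "request platform software package describe"
# Assumed approximation of the rule's wildcards: --filename=$(bash... or --filename=/(bash...
SHELL_FILENAME_RE = re.compile(r"--filename=\S*\(bash", re.IGNORECASE)
FACILITIES = {"AAA", "HA_EM"}
MNEMONICS = {"AAA_ACCOUNTING_MESSAGE", "LOG"}

# Constructed sample events in the layout "<_time> <dest> <raw syslog>"; bodies are invented.
SAMPLE_LOGS = [
    "2024-01-15T10:00:01 rtr-edge-01 %HA_EM-6-LOG: catchall: user admin command: request platform software package describe --filename=$(bash)",
    "2024-01-15T10:02:30 rtr-edge-01 %AAA-6-AAA_ACCOUNTING_MESSAGE: user=admin cmd=request platform software package describe --filename=/(bash)n",
    "2024-01-15T10:03:00 rtr-core-02 %AAA-6-AAA_ACCOUNTING_MESSAGE: user=ops cmd=request platform software package describe --filename=flash:pkg.bin",
    "2024-01-15T10:04:00 rtr-core-02 %SYS-5-CONFIG_I: Configured from console by admin",
]

def parse_event(line):
    """Split one line into _time, dest and the Cisco header fields; None if no header is present."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    m = HEADER_RE.search(parts[2])
    if m is None:
        return None
    return {"_time": parts[0], "dest": parts[1], **m.groupdict()}

def matches_rule(ev):
    """Facility/mnemonic filter plus both message_text conditions, mirroring the analytic."""
    text = ev["message_text"]
    return (ev["facility"] in FACILITIES and ev["mnemonic"] in MNEMONICS
            and COMMAND in text.lower() and SHELL_FILENAME_RE.search(text) is not None)

def detect(lines):
    """Aggregate matching events per dest: first/last seen, count and the shell-pattern messages."""
    hits = defaultdict(lambda: {"firstTime": None, "lastTime": None, "count": 0, "messages": []})
    for line in lines:
        ev = parse_event(line)
        if ev is None or not matches_rule(ev):
            continue
        h = hits[ev["dest"]]  # ISO-8601 timestamps compare correctly as strings
        if h["firstTime"] is None or ev["_time"] < h["firstTime"]:
            h["firstTime"] = ev["_time"]
        if h["lastTime"] is None or ev["_time"] > h["lastTime"]:
            h["lastTime"] = ev["_time"]
        h["count"] += 1
        h["messages"].append(ev["message_text"])
    return dict(hits)

if __name__ == "__main__":
    for dest, h in detect(SAMPLE_LOGS).items():
        print(dest, h["firstTime"], h["lastTime"], h["count"])
```

The benign package-describe event on rtr-core-02 is excluded because its filename carries no shell pattern, which is the second condition the rule depends on to keep normal operator activity out of the results.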
Categories
- Network
Data Sources
- Container
- Network Traffic
- Network Share
- Pod
- Application Log
- Logon Session
- Command
- Process
- Firewall
- Module
- Script
- File
- Service
ATT&CK Techniques
- T1059
- T1190
Created: 2026-06-10