T1059.008

Network Device CLI

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with network devices to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels. Adversaries can use the network CLI to change how devices behave, manipulate traffic flows to intercept data, modify startup configuration, load malicious firmware, or disable security features. The ArcaneDoor campaign (Line Dancer malware) demonstrated sophisticated CLI abuse on Cisco ASA devices.

Microsoft Sentinel / Defender

kusto

let SuspiciousCommands = dynamic([
  "copy running-config", "copy startup-config",
  "configure terminal", "config t",
  "no logging", "no ip access-list",
  "ip route", "access-list permit any any",
  "snmp-server community", "enable secret",
  "boot system", "upgrade",
  "debug", "undebug all",
  "crypto key generate", "username privilege 15",
  "line vty", "transport input all",
  "no service password-encryption",
  "archive download-sw", "copy tftp: flash:"
]);
Syslog
| where TimeGenerated > ago(24h)
| where Facility == "local7" or Facility == "local6" or ProcessName has_any ("cisco", "ios", "nxos", "junos")
| where SyslogMessage has_any (SuspiciousCommands)
| extend ConfigChange = SyslogMessage has_any ("configure terminal", "config t", "copy running-config")
| extend SecurityDisable = SyslogMessage has_any ("no logging", "no ip access-list", "no service password-encryption")
| extend FirmwareChange = SyslogMessage has_any ("boot system", "archive download-sw", "copy tftp: flash:")
| extend PrivEsc = SyslogMessage has_any ("username privilege 15", "enable secret")
| project TimeGenerated, Computer, Facility, SyslogMessage,
         ConfigChange, SecurityDisable, FirmwareChange, PrivEsc
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Application Log: Application Log Content Syslog

Required Tables

Syslog

False Positives

Network engineers performing scheduled maintenance windows with configuration changes
Automated network management tools (Ansible, NAPALM, Oxidized) making approved configuration backups
Firmware upgrades during planned change windows

Elastic Security (EQL)

eql

any where (
  event.dataset : ("network.cisco_ios", "network.cisco_asa", "network.juniper_junos", "network.cisco_nxos") or
  tags : ("cisco", "juniper", "network-device", "network-syslog") or
  log.syslog.facility.name : ("local6", "local7")
) and (
  message : "*configure terminal*" or
  message : "*config t*" or
  message : "*copy running-config*" or
  message : "*copy startup-config*" or
  message : "*no logging*" or
  message : "*no ip access-list*" or
  message : "*no service password-encryption*" or
  message : "*access-list permit any any*" or
  message : "*boot system*" or
  message : "*archive download-sw*" or
  message : "*copy tftp:*" or
  message : "*copy ftp:*" or
  message : "*username*privilege 15*" or
  message : "*enable secret*" or
  message : "*transport input all*" or
  message : "*snmp-server community*" or
  message : "*crypto key generate*" or
  message : "*line vty*"
)

high severity medium confidence

Data Sources

Cisco IOS syslog (Filebeat cisco module or direct UDP syslog input) Cisco ASA syslog (Logstash or Elastic Agent network integration) Juniper JunOS syslog (Elastic Agent or Filebeat syslog input) Cisco NX-OS syslog (Filebeat or custom Logstash pipeline) Generic syslog with facility local6/local7 (network device convention)

Required Tables

logs-network.cisco_ios-* logs-network.cisco_asa-* logs-network.juniper_junos-* logs-system.syslog-* logs-*

False Positives

Scheduled maintenance windows where administrators perform planned configuration changes such as ACL updates, route additions, or software upgrades — correlate with approved change tickets
Automated network configuration management tools (Ansible, NAPALM, Cisco DNA Center, Netmiko scripts) that regularly push configs and generate CLI command syslog entries during authorized automation runs
Routine firmware upgrade cycles where 'boot system' and 'copy tftp: flash:' commands are expected during patching windows — filter by maintenance calendar or approved change window time ranges
Network monitoring platforms that use SNMP community string changes during scheduled credential rotation ('snmp-server community' commands)
Security hardening scripts that add access-list entries or modify logging configurations as part of baseline enforcement workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSourceName,
  LOGSOURCETYPEID(logsourceid) AS LogSourceType,
  sourceip AS DeviceIP,
  username AS AdminUser,
  CATEGORYNAME(category) AS EventCategory,
  payload AS RawSyslogMessage,
  CASE
    WHEN payload ILIKE '%configure terminal%' OR payload ILIKE '%config t%' OR payload ILIKE '%copy running-config%' OR payload ILIKE '%copy startup-config%' THEN 1
    ELSE 0
  END AS ConfigChange,
  CASE
    WHEN payload ILIKE '%no logging%' OR payload ILIKE '%no ip access-list%' OR payload ILIKE '%no service password-encryption%' OR payload ILIKE '%access-list permit any any%' THEN 1
    ELSE 0
  END AS SecurityDisable,
  CASE
    WHEN payload ILIKE '%boot system%' OR payload ILIKE '%archive download-sw%' OR payload ILIKE '%copy tftp:%' OR payload ILIKE '%copy ftp:%' THEN 1
    ELSE 0
  END AS FirmwareChange,
  CASE
    WHEN payload ILIKE '%username%privilege 15%' OR payload ILIKE '%enable secret%' THEN 1
    ELSE 0
  END AS PrivEsc
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (
  SELECT LOGSOURCETYPEID(logsourceid) FROM events
  WHERE LOGSOURCENAME(logsourceid) ILIKE '%cisco%'
     OR LOGSOURCENAME(logsourceid) ILIKE '%juniper%'
     OR LOGSOURCENAME(logsourceid) ILIKE '%nxos%'
     OR LOGSOURCENAME(logsourceid) ILIKE '%ios%'
     OR LOGSOURCENAME(logsourceid) ILIKE '%asa%'
)
AND (
  payload ILIKE '%configure terminal%' OR
  payload ILIKE '%config t%' OR
  payload ILIKE '%copy running-config%' OR
  payload ILIKE '%copy startup-config%' OR
  payload ILIKE '%no logging%' OR
  payload ILIKE '%no ip access-list%' OR
  payload ILIKE '%no service password-encryption%' OR
  payload ILIKE '%access-list permit any any%' OR
  payload ILIKE '%boot system%' OR
  payload ILIKE '%archive download-sw%' OR
  payload ILIKE '%copy tftp:%' OR
  payload ILIKE '%copy ftp:%' OR
  payload ILIKE '%username%privilege 15%' OR
  payload ILIKE '%enable secret%' OR
  payload ILIKE '%transport input all%' OR
  payload ILIKE '%snmp-server community%' OR
  payload ILIKE '%crypto key generate%' OR
  payload ILIKE '%line vty%'
)
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

QRadar Log Source: Cisco IOS (LOGSOURCETYPEID 20) QRadar Log Source: Cisco ASA (LOGSOURCETYPEID 168) QRadar Log Source: Cisco NX-OS QRadar Log Source: Juniper Networks JunOS (LOGSOURCETYPEID 332) Syslog forwarded from network devices via UDP/TCP 514 to QRadar Event Collector

Required Tables

events

False Positives

Authorized network engineers performing scheduled maintenance work — validate against QRadar reference set of approved admin source IPs and expected change window timestamps
Automated network configuration backup jobs using TFTP or FTP to archive running configs nightly — 'copy running-config tftp:' is common in backup scripts run by RANCID, Oxidized, or BackupPC
Infrastructure-as-code pipelines (Ansible Tower, Cisco APIC, NSO) that programmatically apply configuration templates and generate bulk CLI command syslog entries during deployment runs
Security hardening automation that systematically applies CIS Cisco IOS benchmarks including ACL changes, logging configuration, and service disabling across a device fleet

Sumo Logic CSE

sql

(_sourceCategory=network/cisco OR _sourceCategory=network/cisco/ios OR _sourceCategory=network/cisco/asa OR _sourceCategory=network/juniper OR _sourceCategory=syslog/network OR _sourceCategory=network/devices)
("configure terminal" OR "config t" OR "copy running-config" OR "copy startup-config" OR "no logging" OR "no ip access-list" OR "boot system" OR "archive download-sw" OR "copy tftp:" OR "copy ftp:" OR "username privilege 15" OR "enable secret" OR "access-list permit any any" OR "no service password-encryption" OR "transport input all" OR "snmp-server community" OR "crypto key generate" OR "line vty")
| parse regex "(?<Device>[\w\-\.]+)\s+\d+:\s+(?<Severity>\w+):\s+(?<SyslogMessage>.+)" nodrop
| if(isEmpty(SyslogMessage), _raw, SyslogMessage) as SyslogMessage
| eval ConfigChange = if(SyslogMessage matches /(?i)(configure terminal|config t|copy running-config|copy startup-config)/, 1, 0)
| eval SecurityDisable = if(SyslogMessage matches /(?i)(no logging|no ip access-list|no service password-encryption|access-list permit any any)/, 1, 0)
| eval FirmwareChange = if(SyslogMessage matches /(?i)(boot system|archive download-sw|copy tftp:|copy ftp:)/, 1, 0)
| eval PrivEsc = if(SyslogMessage matches /(?i)(username.*privilege 15|enable secret)/, 1, 0)
| eval SuspicionScore = ConfigChange + (SecurityDisable * 2) + (FirmwareChange * 3) + (PrivEsc * 2)
| where SuspicionScore > 0
| fields _messageTime, _sourceHost, _sourceCategory, SyslogMessage, ConfigChange, SecurityDisable, FirmwareChange, PrivEsc, SuspicionScore
| sort - SuspicionScore, - _messageTime

high severity medium confidence

Data Sources

Sumo Logic Installed Collector with Local File or Syslog source pointed at network device log files Syslog source on Sumo Logic collector receiving UDP/TCP syslog from Cisco IOS/ASA/NX-OS and Juniper JunOS Sumo Logic Cloud Syslog source (hosted endpoint) for direct device forwarding Sumo Logic App for Cisco ASA or Cisco IOS (pre-built _sourceCategory mappings)

Required Tables

_sourceCategory=network/cisco _sourceCategory=network/cisco/ios _sourceCategory=network/cisco/asa _sourceCategory=network/juniper _sourceCategory=syslog/network

False Positives

Legitimate network administrator CLI sessions performing authorized changes — correlate username field against known admin accounts and approved change request windows in your ITSM system
Automated config backup tools (Oxidized, RANCID, Cisco NSO) that execute 'show running-config' and 'copy running-config' on a schedule — filter by known backup system source IPs
Software-defined networking controllers and orchestration platforms (Cisco DNAC, Juniper Apstra) generating bulk configuration commands during network provisioning operations
Routine security hardening scripts applied during quarterly CIS benchmark compliance enforcement that disable weak services and update access control lists across the device fleet

Google Chronicle / SecOps

yaral

rule network_device_cli_t1059_008 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects suspicious network device CLI commands associated with MITRE ATT&CK T1059.008 - Network Device CLI abuse. Monitors for configuration tampering, security control disabling, firmware modification, and privilege escalation commands on Cisco and Juniper network infrastructure."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.008"
    reference = "https://attack.mitre.org/techniques/T1059/008/"
    false_positives = "Authorized maintenance, automated backup tools, configuration management systems"

  events:
    $e.metadata.event_type = "NETWORK_UNCATEGORIZED"
    $e.metadata.product_name = /(?i)(cisco|juniper|ios|nxos|asa|junos)/
    (
      $e.metadata.description = /(?i)(configure terminal|config t)/ or
      $e.metadata.description = /(?i)(copy running-config|copy startup-config)/ or
      $e.metadata.description = /(?i)no logging/ or
      $e.metadata.description = /(?i)no ip access-list/ or
      $e.metadata.description = /(?i)no service password-encryption/ or
      $e.metadata.description = /(?i)access-list permit any any/ or
      $e.metadata.description = /(?i)boot system/ or
      $e.metadata.description = /(?i)(archive download-sw|copy tftp:|copy ftp:)/ or
      $e.metadata.description = /(?i)username.*privilege 15/ or
      $e.metadata.description = /(?i)enable secret/ or
      $e.metadata.description = /(?i)transport input all/ or
      $e.metadata.description = /(?i)snmp-server community/ or
      $e.metadata.description = /(?i)crypto key generate/ or
      $e.network.session_id = /(?i)(config-if|config-line|config-router)/
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle ingestion feed for Cisco IOS syslog (product family: CISCO_IOS) Chronicle ingestion feed for Cisco ASA syslog (product family: CISCO_ASA) Chronicle ingestion feed for Juniper JunOS syslog (product family: JUNIPER_JUNOS) Chronicle Cisco NX-OS log parser (product family: CISCO_NEXUS) Chronicle universal syslog parser with network device vendor detection

Required Tables

UDM events table (Chronicle native storage) Chronicle log ingestion feeds: CISCO_IOS, CISCO_ASA, JUNIPER_JUNOS

False Positives

Authorized IT operations teams performing scheduled firmware upgrades — the 'boot system' and 'archive download-sw' commands will appear during approved maintenance windows; suppress by correlating with Chronicle reference lists of maintenance window time ranges
Network automation platforms (Cisco DNA Center, Juniper Apstra, Ansible Tower) that use CLI-based provisioning and generate legitimate configuration commands at scale — maintain a Chronicle entity context allowlist of known automation controller IP addresses
Security Operations teams executing network device audits, running 'show' commands that may appear adjacent to configuration commands in the same CLI session syslog stream
Periodic credential rotation workflows that update 'enable secret' and 'username' entries as part of PAM (Privileged Access Management) system enforcement cycles

CrowdStrike LogScale (CQL)

cql

#type=syslog OR #type=network-device-log
| facility = /local[67]/i OR host = /cisco|juniper|nxos|ios|asa|junos/i
| message = /configure terminal|config t|copy running-config|copy startup-config|no logging|no ip access-list|no service password-encryption|access-list permit any any|boot system|archive download-sw|copy tftp:|copy ftp:|username.{0,50}privilege 15|enable secret|transport input all|snmp-server community|crypto key generate|line vty/i
| eval ConfigChange := if(match(message, /(?i)(configure terminal|config t|copy running-config|copy startup-config)/), "YES", "NO")
| eval SecurityDisable := if(match(message, /(?i)(no logging|no ip access-list|no service password-encryption|access-list permit any any)/), "YES", "NO")
| eval FirmwareChange := if(match(message, /(?i)(boot system|archive download-sw|copy tftp:|copy ftp:)/), "YES", "NO")
| eval PrivEsc := if(match(message, /(?i)(username.{0,50}privilege 15|enable secret)/), "YES", "NO")
| eval SuspicionScore := (if(ConfigChange=="YES", 1, 0)) + (if(SecurityDisable=="YES", 2, 0)) + (if(FirmwareChange=="YES", 3, 0)) + (if(PrivEsc=="YES", 2, 0))
| where SuspicionScore > 0
| sort(field=SuspicionScore, order=desc)
| table([_time, host, message, ConfigChange, SecurityDisable, FirmwareChange, PrivEsc, SuspicionScore])

high severity medium confidence

Data Sources

LogScale syslog source receiving network device syslogs on UDP/TCP 514 Falcon LogScale Collector configured to tail network device log files from a syslog aggregator CrowdStrike Falcon for Network infrastructure logs forwarded via LogScale Ingest API Third-party syslog aggregator (rsyslog, syslog-ng) forwarding to LogScale HTTP Event Collector

Required Tables

LogScale repository: network-devices (or equivalent syslog repository) LogScale #type=syslog (default field tag from syslog input)

False Positives

Authorized network administrators performing emergency change procedures — if CLI commands originate from known jump hosts or bastion servers in your environment, create a LogScale saved search filter for approved admin source IPs
Automated configuration backup tools (Oxidized, RANCID, netmiko-based scripts) scheduled to copy running-config to TFTP or FTP servers nightly — these will trigger FirmwareChange or ConfigChange categories; suppress by source IP allowlisting
Network provisioning automation (Ansible, Terraform with network providers, Cisco NSO) generating bulk configuration commands during infrastructure-as-code deployment runs — correlate with CI/CD pipeline timestamps to identify automated vs. interactive sessions
Quarterly security hardening sweeps applying CIS Cisco IOS benchmarks that disable password encryption services, update VTY access controls, and modify SNMP community strings fleet-wide as part of compliance remediation

Last updated: 2026-04-17 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1059.008 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Network Device CLI

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections