Detect Network Device CLI in Google Chronicle
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with network devices to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels. Adversaries can use the network CLI to change how devices behave, manipulate traffic flows to intercept data, modify startup configuration, load malicious firmware, or disable security features. The ArcaneDoor campaign (Line Dancer malware) demonstrated sophisticated CLI abuse on Cisco ASA devices.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.008 Network Device CLI
- Canonical reference
- https://attack.mitre.org/techniques/T1059/008/
YARA-L Detection Query
rule network_device_cli_t1059_008 {
meta:
author = "Argus Detection Platform"
description = "Detects suspicious network device CLI commands associated with MITRE ATT&CK T1059.008 - Network Device CLI abuse. Monitors for configuration tampering, security control disabling, firmware modification, and privilege escalation commands on Cisco and Juniper network infrastructure."
severity = "HIGH"
priority = "HIGH"
mitre_attack_tactic = "Execution"
mitre_attack_technique = "T1059.008"
reference = "https://attack.mitre.org/techniques/T1059/008/"
false_positives = "Authorized maintenance, automated backup tools, configuration management systems"
events:
$e.metadata.event_type = "NETWORK_UNCATEGORIZED"
$e.metadata.product_name = /(?i)(cisco|juniper|ios|nxos|asa|junos)/
(
$e.metadata.description = /(?i)(configure terminal|config t)/ or
$e.metadata.description = /(?i)(copy running-config|copy startup-config)/ or
$e.metadata.description = /(?i)no logging/ or
$e.metadata.description = /(?i)no ip access-list/ or
$e.metadata.description = /(?i)no service password-encryption/ or
$e.metadata.description = /(?i)access-list permit any any/ or
$e.metadata.description = /(?i)boot system/ or
$e.metadata.description = /(?i)(archive download-sw|copy tftp:|copy ftp:)/ or
$e.metadata.description = /(?i)username.*privilege 15/ or
$e.metadata.description = /(?i)enable secret/ or
$e.metadata.description = /(?i)transport input all/ or
$e.metadata.description = /(?i)snmp-server community/ or
$e.metadata.description = /(?i)crypto key generate/ or
$e.network.session_id = /(?i)(config-if|config-line|config-router)/
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting MITRE ATT&CK T1059.008 Network Device CLI abuse. Matches UDM events of type NETWORK_UNCATEGORIZED from Cisco and Juniper product families where the event description contains suspicious CLI commands. Covers the full range of techniques observed in ArcaneDoor and Line Dancer campaigns: configuration exfiltration, logging suppression, ACL manipulation, firmware tampering, and administrative privilege escalation.
Data Sources
Required Tables
False Positives & Tuning
- Authorized IT operations teams performing scheduled firmware upgrades — the 'boot system' and 'archive download-sw' commands will appear during approved maintenance windows; suppress by correlating with Chronicle reference lists of maintenance window time ranges
- Network automation platforms (Cisco DNA Center, Juniper Apstra, Ansible Tower) that use CLI-based provisioning and generate legitimate configuration commands at scale — maintain a Chronicle entity context allowlist of known automation controller IP addresses
- Security Operations teams executing network device audits, running 'show' commands that may appear adjacent to configuration commands in the same CLI session syslog stream
- Periodic credential rotation workflows that update 'enable secret' and 'username' entries as part of PAM (Privileged Access Management) system enforcement cycles
Other platforms for T1059.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Cisco IOS Configuration Change Simulation
Expected signal: Syslog message with facility local7 and the CONFIG_I message tag. If forwarded to SIEM, this appears as a network device configuration change event.
- Test 2Network Device Security Disable Simulation
Expected signal: Syslog message with facility local7 containing 'no logging'. This simulates the alert trigger without requiring access to actual network equipment.
- Test 3Network Device Firmware Change Simulation
Expected signal: Syslog message with facility local7 containing 'copy tftp: flash:' firmware download pattern.
References (5)
- https://attack.mitre.org/techniques/T1059/008/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- https://tools.cisco.com/security/center/resources/integrity_assurance.html#23
- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
- https://www.mandiant.com/resources/blog/synful-knock-cisco
Unlock Pro Content
Get the full detection package for T1059.008 including response playbook, investigation guide, and atomic red team tests.