T1059.008 Elastic Security · Elastic

Detect Network Device CLI in Elastic Security

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with network devices to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels. Adversaries can use the network CLI to change how devices behave, manipulate traffic flows to intercept data, modify startup configuration, load malicious firmware, or disable security features. The ArcaneDoor campaign (Line Dancer malware) demonstrated sophisticated CLI abuse on Cisco ASA devices.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.008 Network Device CLI
Canonical reference
https://attack.mitre.org/techniques/T1059/008/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where (
  event.dataset : ("network.cisco_ios", "network.cisco_asa", "network.juniper_junos", "network.cisco_nxos") or
  tags : ("cisco", "juniper", "network-device", "network-syslog") or
  log.syslog.facility.name : ("local6", "local7")
) and (
  message : "*configure terminal*" or
  message : "*config t*" or
  message : "*copy running-config*" or
  message : "*copy startup-config*" or
  message : "*no logging*" or
  message : "*no ip access-list*" or
  message : "*no service password-encryption*" or
  message : "*access-list permit any any*" or
  message : "*boot system*" or
  message : "*archive download-sw*" or
  message : "*copy tftp:*" or
  message : "*copy ftp:*" or
  message : "*username*privilege 15*" or
  message : "*enable secret*" or
  message : "*transport input all*" or
  message : "*snmp-server community*" or
  message : "*crypto key generate*" or
  message : "*line vty*"
)
high severity medium confidence

Detects suspicious network device CLI commands associated with MITRE ATT&CK T1059.008. Monitors syslog ingested from Cisco IOS/ASA/NX-OS and Juniper JunOS devices for commands indicative of configuration tampering, security control disabling, firmware modification, and privilege escalation. Covers ArcaneDoor/Line Dancer-style CLI abuse patterns.

Data Sources

Cisco IOS syslog (Filebeat cisco module or direct UDP syslog input)Cisco ASA syslog (Logstash or Elastic Agent network integration)Juniper JunOS syslog (Elastic Agent or Filebeat syslog input)Cisco NX-OS syslog (Filebeat or custom Logstash pipeline)Generic syslog with facility local6/local7 (network device convention)

Required Tables

logs-network.cisco_ios-*logs-network.cisco_asa-*logs-network.juniper_junos-*logs-system.syslog-*logs-*

False Positives & Tuning

  • Scheduled maintenance windows where administrators perform planned configuration changes such as ACL updates, route additions, or software upgrades — correlate with approved change tickets
  • Automated network configuration management tools (Ansible, NAPALM, Cisco DNA Center, Netmiko scripts) that regularly push configs and generate CLI command syslog entries during authorized automation runs
  • Routine firmware upgrade cycles where 'boot system' and 'copy tftp: flash:' commands are expected during patching windows — filter by maintenance calendar or approved change window time ranges
  • Network monitoring platforms that use SNMP community string changes during scheduled credential rotation ('snmp-server community' commands)
  • Security hardening scripts that add access-list entries or modify logging configurations as part of baseline enforcement workflows
Download portable Sigma rule (.yml)

Other platforms for T1059.008

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Cisco IOS Configuration Change Simulation

    Expected signal: Syslog message with facility local7 and the CONFIG_I message tag. If forwarded to SIEM, this appears as a network device configuration change event.

  2. Test 2Network Device Security Disable Simulation

    Expected signal: Syslog message with facility local7 containing 'no logging'. This simulates the alert trigger without requiring access to actual network equipment.

  3. Test 3Network Device Firmware Change Simulation

    Expected signal: Syslog message with facility local7 containing 'copy tftp: flash:' firmware download pattern.

Last updated: 2026-04-17 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1059.008 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1059Command and Scripting Interpreter

Related Sub-techniques

T1059.001PowerShellT1059.002AppleScriptT1059.003Windows Command ShellT1059.004Unix ShellT1059.005Visual BasicT1059.006PythonT1059.007JavaScriptT1059.009Cloud APIT1059.010AutoHotKey & AutoITT1059.011LuaT1059.012Hypervisor CLIT1059.013Container CLI/API

Related Techniques

T1059Command and Scripting InterpreterT1542.004ROMMONkitT1601.001Patch System ImageT1601.002Downgrade System ImageT1556Modify Authentication ProcessT1557Adversary-in-the-MiddleT1562.001Disable or Modify ToolsT1021.004SSH

Same Tactic: Execution

Popular Detections