Detect Network Device CLI in CrowdStrike LogScale
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with network devices to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels. Adversaries can use the network CLI to change how devices behave, manipulate traffic flows to intercept data, modify startup configuration, load malicious firmware, or disable security features. The ArcaneDoor campaign (Line Dancer malware) demonstrated sophisticated CLI abuse on Cisco ASA devices.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.008 Network Device CLI
- Canonical reference
- https://attack.mitre.org/techniques/T1059/008/
LogScale Detection Query
#type=syslog OR #type=network-device-log
| facility = /local[67]/i OR host = /cisco|juniper|nxos|ios|asa|junos/i
| message = /configure terminal|config t|copy running-config|copy startup-config|no logging|no ip access-list|no service password-encryption|access-list permit any any|boot system|archive download-sw|copy tftp:|copy ftp:|username.{0,50}privilege 15|enable secret|transport input all|snmp-server community|crypto key generate|line vty/i
| eval ConfigChange := if(match(message, /(?i)(configure terminal|config t|copy running-config|copy startup-config)/), "YES", "NO")
| eval SecurityDisable := if(match(message, /(?i)(no logging|no ip access-list|no service password-encryption|access-list permit any any)/), "YES", "NO")
| eval FirmwareChange := if(match(message, /(?i)(boot system|archive download-sw|copy tftp:|copy ftp:)/), "YES", "NO")
| eval PrivEsc := if(match(message, /(?i)(username.{0,50}privilege 15|enable secret)/), "YES", "NO")
| eval SuspicionScore := (if(ConfigChange=="YES", 1, 0)) + (if(SecurityDisable=="YES", 2, 0)) + (if(FirmwareChange=="YES", 3, 0)) + (if(PrivEsc=="YES", 2, 0))
| where SuspicionScore > 0
| sort(field=SuspicionScore, order=desc)
| table([_time, host, message, ConfigChange, SecurityDisable, FirmwareChange, PrivEsc, SuspicionScore])CrowdStrike LogScale (Humio) detection for MITRE ATT&CK T1059.008 Network Device CLI abuse. Ingests syslog from Cisco and Juniper network devices via LogScale syslog forwarder or Falcon LogScale Collector and detects suspicious CLI command patterns. Applies weighted suspicion scoring identical to the SPL baseline: firmware changes (3 pts), security disabling and privilege escalation (2 pts), configuration changes (1 pt). Designed for environments routing network device syslog into LogScale alongside endpoint Falcon telemetry.
Data Sources
Required Tables
False Positives & Tuning
- Authorized network administrators performing emergency change procedures — if CLI commands originate from known jump hosts or bastion servers in your environment, create a LogScale saved search filter for approved admin source IPs
- Automated configuration backup tools (Oxidized, RANCID, netmiko-based scripts) scheduled to copy running-config to TFTP or FTP servers nightly — these will trigger FirmwareChange or ConfigChange categories; suppress by source IP allowlisting
- Network provisioning automation (Ansible, Terraform with network providers, Cisco NSO) generating bulk configuration commands during infrastructure-as-code deployment runs — correlate with CI/CD pipeline timestamps to identify automated vs. interactive sessions
- Quarterly security hardening sweeps applying CIS Cisco IOS benchmarks that disable password encryption services, update VTY access controls, and modify SNMP community strings fleet-wide as part of compliance remediation
Other platforms for T1059.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Cisco IOS Configuration Change Simulation
Expected signal: Syslog message with facility local7 and the CONFIG_I message tag. If forwarded to SIEM, this appears as a network device configuration change event.
- Test 2Network Device Security Disable Simulation
Expected signal: Syslog message with facility local7 containing 'no logging'. This simulates the alert trigger without requiring access to actual network equipment.
- Test 3Network Device Firmware Change Simulation
Expected signal: Syslog message with facility local7 containing 'copy tftp: flash:' firmware download pattern.
References (5)
- https://attack.mitre.org/techniques/T1059/008/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- https://tools.cisco.com/security/center/resources/integrity_assurance.html#23
- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
- https://www.mandiant.com/resources/blog/synful-knock-cisco
Unlock Pro Content
Get the full detection package for T1059.008 including response playbook, investigation guide, and atomic red team tests.