Detect Network Device CLI in IBM QRadar
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with network devices to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels. Adversaries can use the network CLI to change how devices behave, manipulate traffic flows to intercept data, modify startup configuration, load malicious firmware, or disable security features. The ArcaneDoor campaign (Line Dancer malware) demonstrated sophisticated CLI abuse on Cisco ASA devices.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.008 Network Device CLI
- Canonical reference
- https://attack.mitre.org/techniques/T1059/008/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
LOGSOURCENAME(logsourceid) AS LogSourceName,
LOGSOURCETYPEID(logsourceid) AS LogSourceType,
sourceip AS DeviceIP,
username AS AdminUser,
CATEGORYNAME(category) AS EventCategory,
payload AS RawSyslogMessage,
CASE
WHEN payload ILIKE '%configure terminal%' OR payload ILIKE '%config t%' OR payload ILIKE '%copy running-config%' OR payload ILIKE '%copy startup-config%' THEN 1
ELSE 0
END AS ConfigChange,
CASE
WHEN payload ILIKE '%no logging%' OR payload ILIKE '%no ip access-list%' OR payload ILIKE '%no service password-encryption%' OR payload ILIKE '%access-list permit any any%' THEN 1
ELSE 0
END AS SecurityDisable,
CASE
WHEN payload ILIKE '%boot system%' OR payload ILIKE '%archive download-sw%' OR payload ILIKE '%copy tftp:%' OR payload ILIKE '%copy ftp:%' THEN 1
ELSE 0
END AS FirmwareChange,
CASE
WHEN payload ILIKE '%username%privilege 15%' OR payload ILIKE '%enable secret%' THEN 1
ELSE 0
END AS PrivEsc
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (
SELECT LOGSOURCETYPEID(logsourceid) FROM events
WHERE LOGSOURCENAME(logsourceid) ILIKE '%cisco%'
OR LOGSOURCENAME(logsourceid) ILIKE '%juniper%'
OR LOGSOURCENAME(logsourceid) ILIKE '%nxos%'
OR LOGSOURCENAME(logsourceid) ILIKE '%ios%'
OR LOGSOURCENAME(logsourceid) ILIKE '%asa%'
)
AND (
payload ILIKE '%configure terminal%' OR
payload ILIKE '%config t%' OR
payload ILIKE '%copy running-config%' OR
payload ILIKE '%copy startup-config%' OR
payload ILIKE '%no logging%' OR
payload ILIKE '%no ip access-list%' OR
payload ILIKE '%no service password-encryption%' OR
payload ILIKE '%access-list permit any any%' OR
payload ILIKE '%boot system%' OR
payload ILIKE '%archive download-sw%' OR
payload ILIKE '%copy tftp:%' OR
payload ILIKE '%copy ftp:%' OR
payload ILIKE '%username%privilege 15%' OR
payload ILIKE '%enable secret%' OR
payload ILIKE '%transport input all%' OR
payload ILIKE '%snmp-server community%' OR
payload ILIKE '%crypto key generate%' OR
payload ILIKE '%line vty%'
)
LAST 24 HOURS
ORDER BY starttime DESCDetects suspicious network device CLI command execution (T1059.008) by querying QRadar for syslog events originating from Cisco and Juniper network infrastructure. Categorizes events into ConfigChange, SecurityDisable, FirmwareChange, and PrivEsc buckets matching the ArcaneDoor and Line Dancer threat actor CLI abuse patterns. Filters on log source names containing network device vendor identifiers.
Data Sources
Required Tables
False Positives & Tuning
- Authorized network engineers performing scheduled maintenance work — validate against QRadar reference set of approved admin source IPs and expected change window timestamps
- Automated network configuration backup jobs using TFTP or FTP to archive running configs nightly — 'copy running-config tftp:' is common in backup scripts run by RANCID, Oxidized, or BackupPC
- Infrastructure-as-code pipelines (Ansible Tower, Cisco APIC, NSO) that programmatically apply configuration templates and generate bulk CLI command syslog entries during deployment runs
- Security hardening automation that systematically applies CIS Cisco IOS benchmarks including ACL changes, logging configuration, and service disabling across a device fleet
Other platforms for T1059.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Cisco IOS Configuration Change Simulation
Expected signal: Syslog message with facility local7 and the CONFIG_I message tag. If forwarded to SIEM, this appears as a network device configuration change event.
- Test 2Network Device Security Disable Simulation
Expected signal: Syslog message with facility local7 containing 'no logging'. This simulates the alert trigger without requiring access to actual network equipment.
- Test 3Network Device Firmware Change Simulation
Expected signal: Syslog message with facility local7 containing 'copy tftp: flash:' firmware download pattern.
References (5)
- https://attack.mitre.org/techniques/T1059/008/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- https://tools.cisco.com/security/center/resources/integrity_assurance.html#23
- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
- https://www.mandiant.com/resources/blog/synful-knock-cisco
Unlock Pro Content
Get the full detection package for T1059.008 including response playbook, investigation guide, and atomic red team tests.