T1059.008 Microsoft Sentinel · KQL

Detect Network Device CLI in Microsoft Sentinel

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with network devices to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels. Adversaries can use the network CLI to change how devices behave, manipulate traffic flows to intercept data, modify startup configuration, load malicious firmware, or disable security features. The ArcaneDoor campaign (Line Dancer malware) demonstrated sophisticated CLI abuse on Cisco ASA devices.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.008 Network Device CLI
Canonical reference
https://attack.mitre.org/techniques/T1059/008/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousCommands = dynamic([
  "copy running-config", "copy startup-config",
  "configure terminal", "config t",
  "no logging", "no ip access-list",
  "ip route", "access-list permit any any",
  "snmp-server community", "enable secret",
  "boot system", "upgrade",
  "debug", "undebug all",
  "crypto key generate", "username privilege 15",
  "line vty", "transport input all",
  "no service password-encryption",
  "archive download-sw", "copy tftp: flash:"
]);
Syslog
| where TimeGenerated > ago(24h)
| where Facility == "local7" or Facility == "local6" or ProcessName has_any ("cisco", "ios", "nxos", "junos")
| where SyslogMessage has_any (SuspiciousCommands)
| extend ConfigChange = SyslogMessage has_any ("configure terminal", "config t", "copy running-config")
| extend SecurityDisable = SyslogMessage has_any ("no logging", "no ip access-list", "no service password-encryption")
| extend FirmwareChange = SyslogMessage has_any ("boot system", "archive download-sw", "copy tftp: flash:")
| extend PrivEsc = SyslogMessage has_any ("username privilege 15", "enable secret")
| project TimeGenerated, Computer, Facility, SyslogMessage,
         ConfigChange, SecurityDisable, FirmwareChange, PrivEsc
| sort by TimeGenerated desc
high severity medium confidence

Detects suspicious network device CLI commands from syslog data in Microsoft Sentinel. Monitors Cisco IOS/NX-OS, Juniper, and other network device syslog messages for configuration changes, security feature disabling, firmware modifications, and privilege escalation. Uses syslog facility local6/local7 commonly used by network devices.

Data Sources

Network Traffic: Network Connection CreationApplication Log: Application Log ContentSyslog

Required Tables

Syslog

False Positives & Tuning

  • Network engineers performing scheduled maintenance windows with configuration changes
  • Automated network management tools (Ansible, NAPALM, Oxidized) making approved configuration backups
  • Firmware upgrades during planned change windows
Download portable Sigma rule (.yml)

Other platforms for T1059.008

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Cisco IOS Configuration Change Simulation

    Expected signal: Syslog message with facility local7 and the CONFIG_I message tag. If forwarded to SIEM, this appears as a network device configuration change event.

  2. Test 2Network Device Security Disable Simulation

    Expected signal: Syslog message with facility local7 containing 'no logging'. This simulates the alert trigger without requiring access to actual network equipment.

  3. Test 3Network Device Firmware Change Simulation

    Expected signal: Syslog message with facility local7 containing 'copy tftp: flash:' firmware download pattern.

Last updated: 2026-04-17 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1059.008 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1059Command and Scripting Interpreter

Related Sub-techniques

T1059.001PowerShellT1059.002AppleScriptT1059.003Windows Command ShellT1059.004Unix ShellT1059.005Visual BasicT1059.006PythonT1059.007JavaScriptT1059.009Cloud APIT1059.010AutoHotKey & AutoITT1059.011LuaT1059.012Hypervisor CLIT1059.013Container CLI/API

Related Techniques

T1059Command and Scripting InterpreterT1542.004ROMMONkitT1601.001Patch System ImageT1601.002Downgrade System ImageT1556Modify Authentication ProcessT1557Adversary-in-the-MiddleT1562.001Disable or Modify ToolsT1021.004SSH

Same Tactic: Execution

Popular Detections