Detect Network Device CLI in Splunk
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with network devices to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels. Adversaries can use the network CLI to change how devices behave, manipulate traffic flows to intercept data, modify startup configuration, load malicious firmware, or disable security features. The ArcaneDoor campaign (Line Dancer malware) demonstrated sophisticated CLI abuse on Cisco ASA devices.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.008 Network Device CLI
- Canonical reference
- https://attack.mitre.org/techniques/T1059/008/
SPL Detection Query
index=network sourcetype="syslog" OR sourcetype="cisco:ios" OR sourcetype="cisco:asa" OR sourcetype="juniper:junos"
("configure terminal" OR "config t" OR "copy running-config" OR "no logging" OR "no ip access-list" OR "boot system" OR "archive download-sw" OR "copy tftp:" OR "username privilege 15" OR "enable secret" OR "access-list permit any any" OR "no service password-encryption" OR "transport input all")
| eval ConfigChange=if(match(_raw, "(configure terminal|config t|copy running-config|copy startup-config)"), 1, 0)
| eval SecurityDisable=if(match(_raw, "(no logging|no ip access-list|no service password-encryption|access-list permit any any)"), 1, 0)
| eval FirmwareChange=if(match(_raw, "(boot system|archive download-sw|copy tftp:|copy ftp:)"), 1, 0)
| eval PrivEsc=if(match(_raw, "(username.*privilege 15|enable secret)"), 1, 0)
| eval SuspicionScore=ConfigChange + SecurityDisable*2 + FirmwareChange*3 + PrivEsc*2
| where SuspicionScore > 0
| table _time, host, sourcetype, _raw, ConfigChange, SecurityDisable, FirmwareChange, PrivEsc, SuspicionScore
| sort - SuspicionScore, - _timeDetects suspicious network device CLI commands from syslog, Cisco IOS, ASA, and Juniper JunOS sourcetypes. Evaluates for configuration changes, security feature disabling, firmware modifications, and privilege escalation. Firmware changes weighted highest (3x) due to potential for persistent implant installation.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Network engineers performing scheduled maintenance with configuration changes
- Automated network management tools (Ansible, NAPALM, Oxidized) making approved backups
- Firmware upgrades during planned change windows
Other platforms for T1059.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Cisco IOS Configuration Change Simulation
Expected signal: Syslog message with facility local7 and the CONFIG_I message tag. If forwarded to SIEM, this appears as a network device configuration change event.
- Test 2Network Device Security Disable Simulation
Expected signal: Syslog message with facility local7 containing 'no logging'. This simulates the alert trigger without requiring access to actual network equipment.
- Test 3Network Device Firmware Change Simulation
Expected signal: Syslog message with facility local7 containing 'copy tftp: flash:' firmware download pattern.
References (5)
- https://attack.mitre.org/techniques/T1059/008/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- https://tools.cisco.com/security/center/resources/integrity_assurance.html#23
- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
- https://www.mandiant.com/resources/blog/synful-knock-cisco
Unlock Pro Content
Get the full detection package for T1059.008 including response playbook, investigation guide, and atomic red team tests.