Detect Network Device CLI in Sumo Logic CSE
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with network devices to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels. Adversaries can use the network CLI to change how devices behave, manipulate traffic flows to intercept data, modify startup configuration, load malicious firmware, or disable security features. The ArcaneDoor campaign (Line Dancer malware) demonstrated sophisticated CLI abuse on Cisco ASA devices.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.008 Network Device CLI
- Canonical reference
- https://attack.mitre.org/techniques/T1059/008/
Sumo Detection Query
(_sourceCategory=network/cisco OR _sourceCategory=network/cisco/ios OR _sourceCategory=network/cisco/asa OR _sourceCategory=network/juniper OR _sourceCategory=syslog/network OR _sourceCategory=network/devices)
("configure terminal" OR "config t" OR "copy running-config" OR "copy startup-config" OR "no logging" OR "no ip access-list" OR "boot system" OR "archive download-sw" OR "copy tftp:" OR "copy ftp:" OR "username privilege 15" OR "enable secret" OR "access-list permit any any" OR "no service password-encryption" OR "transport input all" OR "snmp-server community" OR "crypto key generate" OR "line vty")
| parse regex "(?<Device>[\w\-\.]+)\s+\d+:\s+(?<Severity>\w+):\s+(?<SyslogMessage>.+)" nodrop
| if(isEmpty(SyslogMessage), _raw, SyslogMessage) as SyslogMessage
| eval ConfigChange = if(SyslogMessage matches /(?i)(configure terminal|config t|copy running-config|copy startup-config)/, 1, 0)
| eval SecurityDisable = if(SyslogMessage matches /(?i)(no logging|no ip access-list|no service password-encryption|access-list permit any any)/, 1, 0)
| eval FirmwareChange = if(SyslogMessage matches /(?i)(boot system|archive download-sw|copy tftp:|copy ftp:)/, 1, 0)
| eval PrivEsc = if(SyslogMessage matches /(?i)(username.*privilege 15|enable secret)/, 1, 0)
| eval SuspicionScore = ConfigChange + (SecurityDisable * 2) + (FirmwareChange * 3) + (PrivEsc * 2)
| where SuspicionScore > 0
| fields _messageTime, _sourceHost, _sourceCategory, SyslogMessage, ConfigChange, SecurityDisable, FirmwareChange, PrivEsc, SuspicionScore
| sort - SuspicionScore, - _messageTimeDetects MITRE ATT&CK T1059.008 Network Device CLI abuse by searching Sumo Logic for syslog messages from network infrastructure containing suspicious CLI commands. Applies a weighted suspicion scoring model: firmware modifications (score 3) are highest risk, followed by security control disabling and privilege escalation (score 2), with configuration changes as baseline (score 1). Matches ArcaneDoor/Line Dancer threat actor TTPs targeting Cisco ASA devices.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate network administrator CLI sessions performing authorized changes — correlate username field against known admin accounts and approved change request windows in your ITSM system
- Automated config backup tools (Oxidized, RANCID, Cisco NSO) that execute 'show running-config' and 'copy running-config' on a schedule — filter by known backup system source IPs
- Software-defined networking controllers and orchestration platforms (Cisco DNAC, Juniper Apstra) generating bulk configuration commands during network provisioning operations
- Routine security hardening scripts applied during quarterly CIS benchmark compliance enforcement that disable weak services and update access control lists across the device fleet
Other platforms for T1059.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Cisco IOS Configuration Change Simulation
Expected signal: Syslog message with facility local7 and the CONFIG_I message tag. If forwarded to SIEM, this appears as a network device configuration change event.
- Test 2Network Device Security Disable Simulation
Expected signal: Syslog message with facility local7 containing 'no logging'. This simulates the alert trigger without requiring access to actual network equipment.
- Test 3Network Device Firmware Change Simulation
Expected signal: Syslog message with facility local7 containing 'copy tftp: flash:' firmware download pattern.
References (5)
- https://attack.mitre.org/techniques/T1059/008/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- https://tools.cisco.com/security/center/resources/integrity_assurance.html#23
- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
- https://www.mandiant.com/resources/blog/synful-knock-cisco
Unlock Pro Content
Get the full detection package for T1059.008 including response playbook, investigation guide, and atomic red team tests.