Execution

T1059.008: Network Device CLI


T1059.008 · Sub-technique · 1 platform

Description

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.

Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or SSH.

Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.(Citation: Cisco Synful Knock Evolution)


Platforms

Network Devices

Mitigations (3)

Execution Prevention (M1038)

TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization. (Citation: Cisco IOS Software Integrity Assurance - TACACS)

Privileged Account Management (M1026)

Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse. TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization. (Citation: Cisco IOS Software Integrity Assurance - AAA) (Cit

User Account Management (M1018)

Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions users can perform and provide a history of user actions to detect unauthorized use and abuse. Ensure least privilege principles are applied to user accounts and groups so that only authorized users can perform configuration changes. (Citation: Cisco IOS Software Integrity Assurance - AAA)
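The description above lists the behaviours an adversary drives through the device CLI (disabling logging or security features, changing boot parameters, redirecting traffic), and the mitigations rely on AAA to keep a per-user history of commands. The script below is an added detection example, not code from MITRE ATT&CK or from this page. It parses constructed syslog lines modeled on Cisco IOS configuration-change logging (the `%PARSER-5-CFGLOG_LOGGEDCMD` message format is an assumption about the log source, as are the sample user names, hostnames and addresses), classifies each logged command against those behaviour categories, and then uses the user name carried in every record to surface accounts that performed risky changes in more than one category.

```python
"""Flag risky network-device CLI commands in configuration-change logs.

Added example. The sample log lines are constructed and modeled on Cisco IOS
%PARSER-5-CFGLOG_LOGGEDCMD syslog messages (an assumed log format, not taken
from the page). Rule categories mirror the behaviours named in the technique
description: disabling logging or security features, changing boot/startup
parameters, and redirecting traffic flows.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample syslog output (hostnames, users and addresses invented).
SAMPLE_LOG = """\
<189>Jan 12 10:01:03 core-rtr1 1234: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/1
<189>Jan 12 10:01:09 core-rtr1 1235: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:description uplink to dist-sw2
<189>Jan 12 10:02:00 core-rtr1 1236: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.9)
<189>Jan 12 02:14:22 core-rtr1 1301: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:no logging host 10.0.0.5
<189>Jan 12 02:14:30 core-rtr1 1302: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:no aaa accounting commands 15 default
<189>Jan 12 02:15:01 core-rtr1 1303: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:boot system flash:PLACEHOLDER-IMAGE.bin
<189>Jan 12 02:15:40 core-rtr1 1304: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:ip route 10.20.0.0 255.255.0.0 198.51.100.7
<189>Jan 12 02:16:05 core-rtr1 1305: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:no ip access-list extended MGMT-IN
"""

# Extracts the acting user and the exact command string from one log line.
LOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.+)$"
)

# Ordered rules: the first category whose pattern matches a command wins.
RISK_RULES = [
    ("logging_disabled", re.compile(r"^no (logging|aaa accounting)\b")),
    ("security_feature_disabled", re.compile(
        r"^no (ip access-list|access-list|ip access-group|aaa authentication|aaa authorization)\b")),
    ("boot_or_startup_change", re.compile(r"^(boot system|boot config|config-register)\b")),
    ("traffic_redirection", re.compile(r"^(ip route|ip policy|route-map|monitor session)\b")),
]


@dataclass(frozen=True)
class Finding:
    user: str
    category: str
    command: str


def parse_command(line):
    """Return (user, command) for a config-logging line, or None for other messages."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("cmd").strip()


def classify(command):
    """Map a CLI command to a risk category, or None if it matches no rule."""
    for category, pattern in RISK_RULES:
        if pattern.match(command):
            return category
    return None


def analyze(log_text):
    """Scan a block of syslog text and return one Finding per risky command."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_command(line)
        if parsed is None:
            continue  # not a command-logging record; ignore
        user, cmd = parsed
        category = classify(cmd)
        if category is not None:
            findings.append(Finding(user, category, cmd))
    return findings


def suspicious_users(findings, min_categories=2):
    """Correlate findings by account: users with risky changes in several categories."""
    categories = defaultdict(set)
    for f in findings:
        categories[f.user].add(f.category)
    return {u: sorted(c) for u, c in categories.items() if len(c) >= min_categories}


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.user:12} {f.category:26} {f.command}")
    print(suspicious_users(results))
```

The correlation step is the part worth keeping in a real detection: any single rule hit may be routine maintenance, but one account disabling accounting, replacing the boot image and inserting a static route in one short window is the pattern the description warns about, and it is only visible because AAA (or local configuration logging) attributes every command to a user.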

Associated Software (3)

| ID | Name | Type | Context |
|---|---|---|---|
| S9013 | DRYHOOK | Malware | [DRYHOOK](https://attack.mitre.org/software/S9013) has the ability to interact with Ivanti Connect Secure environments and to modify system components... |
| S1186 | Line Dancer | Malware | [Line Dancer](https://attack.mitre.org/software/S1186) can execute native commands in networking device command line interfaces.(Citation: Cisco Arcan... |
| S9014 | PHASEJAM | Malware | [PHASEJAM](https://attack.mitre.org/software/S9014) has leveraged native commands associated with the compromised network appliance to execute code.(C... |


Frequently Asked Questions

What is T1059.008 (Network Device CLI)?

T1059.008 is a MITRE ATT&CK sub-technique named 'Network Device CLI' under the Execution tactic. Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads; the CLI is the primary means through which users and administrators interact with the device.

How can T1059.008 be detected?

Detection of T1059.008 (Network Device CLI) typically involves monitoring device logs (including the history of user actions that AAA accounting provides), network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1059.008?

There are 3 documented mitigations for T1059.008. Key mitigations include: Execution Prevention, Privileged Account Management, User Account Management.

Which threat groups use T1059.008?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.