T1059.008 Network Device CLI Mappings

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.

Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or secure shell (SSH).

Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1059.008 Network Device CLI
AC-3 Access Enforcement Protects T1059.008 Network Device CLI
AC-5 Separation of Duties Protects T1059.008 Network Device CLI
AC-6 Least Privilege Protects T1059.008 Network Device CLI
CM-5 Access Restrictions for Change Protects T1059.008 Network Device CLI
CM-6 Configuration Settings Protects T1059.008 Network Device CLI
IA-2 Identification and Authentication (organizational Users) Protects T1059.008 Network Device CLI
IA-8 Identification and Authentication (non-organizational Users) Protects T1059.008 Network Device CLI
SI-10 Information Input Validation Protects T1059.008 Network Device CLI
SI-7 Software, Firmware, and Information Integrity Protects T1059.008 Network Device CLI