Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.
Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or secure shell (SSH).
Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-2 | Account Management | Protects | T1059.008 | Network Device CLI |
AC-3 | Access Enforcement | Protects | T1059.008 | Network Device CLI |
AC-5 | Separation of Duties | Protects | T1059.008 | Network Device CLI |
AC-6 | Least Privilege | Protects | T1059.008 | Network Device CLI |
CM-5 | Access Restrictions for Change | Protects | T1059.008 | Network Device CLI |
CM-6 | Configuration Settings | Protects | T1059.008 | Network Device CLI |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1059.008 | Network Device CLI |
IA-8 | Identification and Authentication (non-organizational Users) | Protects | T1059.008 | Network Device CLI |
SI-10 | Information Input Validation | Protects | T1059.008 | Network Device CLI |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1059.008 | Network Device CLI |