DET0142: Behavioral Detection of CLI Abuse on Network Devices
Analyst context for executives and security teams
This detection strategy matters because command-line activity on network devices is often how legitimate administrators run the business—and also how malicious or unauthorized changes could be executed. Even though MITRE provides no detailed detection logic for DET0142, its relationship to Network Device CLI abuse means leaders should treat network-device command telemetry as a resilience and audit priority, not just a SOC nice-to-have.
Executive priority
Prioritize confirming whether critical network devices produce usable CLI/session/change evidence and whether the SOC can review it during an incident. The business decision value is continuity: routers, switches, firewalls, and similar infrastructure can affect access, segmentation, and service availability. This object is also relevant to compliance evidence where organizations must prove administrative actions are logged and reviewed.
Technical view
DET0142 is a detection strategy for behavioral detection of CLI abuse on network devices and detects ATT&CK technique T1059.008, Network Device CLI, under Execution. Because the official description and detection text are not supplied, teams should validate coverage around administrative command execution patterns, privilege-level use, configuration changes, diagnostic commands, and scripted or automated CLI activity on network devices. Detection engineering should separate expected administrator workflows from unusual timing, source, account, command sequence, or device-scope behavior.
Likely telemetry
- Network device CLI command logs, where available
- Administrator login/session records for network devices
- Configuration change logs
- AAA, TACACS+, RADIUS, or equivalent authentication and authorization records if used locally
- Device syslog or management-plane logs
Detection direction
- Confirm which network devices actually log CLI commands versus only logins or configuration commits.
- Baseline normal administrator, automation, and maintenance-window behavior before alerting on deviations.
- Correlate CLI activity with authentication source, account identity, device role, time of day, and approved change tickets.
- Tune for high-risk behavioral context such as unusual accounts, unusual source locations, unexpected privilege level, broad device fan-out, or commands inconsistent with the device role.
- Account for false positives from legitimate automation, emergency troubleshooting, and scheduled maintenance.
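As an added illustration (not Glexia's or MITRE's detection content, and not a rule this page supplies), the following Python applies the correlation and tuning points above to a small batch of constructed, normalized command-accounting records. The record format, source baseline, expected privilege levels, maintenance window, automation-account list and approved-change list are all assumptions standing in for what a real deployment would pull from AAA accounting, inventory and the change-ticket system.

```python
import re
from datetime import datetime, time

# Constructed, normalized command-accounting records (a real TACACS+ or syslog feed needs a site parser first).
SAMPLE_LOGS = [
    '2024-05-06T02:16:10Z device=core-rtr1 user=netops src=10.20.0.5 priv=15 cmd="configure terminal"',
    '2024-05-06T14:03:22Z device=edge-fw2 user=svc-backup src=10.20.0.7 priv=15 cmd="no logging host 10.0.0.9"',
    '2024-05-06T14:04:01Z device=access-sw7 user=jdoe src=198.51.100.4 priv=1 cmd="show version"',
    '2024-05-06T14:05:30Z device=core-rtr1 user=jdoe src=198.51.100.4 priv=15 cmd="show running-config"',
    '2024-05-06T14:06:02Z device=edge-fw2 user=jdoe src=198.51.100.4 priv=15 cmd="show running-config"',
]
LINE = re.compile(r'^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) '
                  r'src=(?P<src>\S+) priv=(?P<priv>\d+) cmd="(?P<cmd>[^"]*)"$')
# Baseline and change-control context (constructed; normally from inventory, IPAM, AAA policy and the ticket system).
BASELINE_SRC = {"netops": ("10.20.0.",), "jdoe": ("10.20.0.",), "svc-backup": ("10.20.0.",)}
EXPECTED_PRIV = {"netops": 15, "jdoe": 1, "svc-backup": 15}
AUTOMATION_ACCOUNTS = {"svc-backup"}           # read-only automation; must never change config
MAINT_WINDOW = (time(1, 0), time(4, 0))         # UTC window in which config changes are expected
APPROVED_CHANGES = {("netops", "core-rtr1")}    # (user, device) pairs covered by an open ticket
CONFIG_PREFIXES = ("configure", "no ", "write", "copy ", "reload", "clear ", "crypto ")
FANOUT_THRESHOLD = 3                            # distinct devices per user in one batch

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    return {**m.groupdict(), "priv": int(m["priv"]),
            "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").time()}

def flags_for(rec):
    is_change = rec["cmd"].startswith(CONFIG_PREFIXES)
    in_window = MAINT_WINDOW[0] <= rec["time"] <= MAINT_WINDOW[1]
    checks = {
        "unusual-source": not rec["src"].startswith(BASELINE_SRC.get(rec["user"], ())),
        "unexpected-privilege": rec["priv"] > EXPECTED_PRIV.get(rec["user"], 0),
        "automation-account-config-change": is_change and rec["user"] in AUTOMATION_ACCOUNTS,
        "unapproved-change-outside-window": is_change and not in_window
                                            and (rec["user"], rec["device"]) not in APPROVED_CHANGES,
    }
    return {name for name, hit in checks.items() if hit}

def analyze(lines):
    findings, devices_by_user = {}, {}
    for rec in filter(None, map(parse, lines)):
        devices_by_user.setdefault(rec["user"], set()).add(rec["device"])
        findings.setdefault((rec["user"], rec["device"]), set()).update(flags_for(rec))
    for user, devs in devices_by_user.items():      # cross-record check: broad device fan-out
        for dev in devs if len(devs) >= FANOUT_THRESHOLD else ():
            findings[(user, dev)].add("broad-device-fanout")
    return {key: flags for key, flags in findings.items() if flags}
```

The approved in-window change by netops produces no finding, while the automation account changing logging, and one user reaching three devices from an unbaselined source at an unexpected privilege level, each surface with the specific context an analyst needs to triage.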
Mitigation priorities
- Establish reliable centralized logging for network-device administrative access and command/change activity where supported.
- Restrict and review administrative access paths to network devices, including privileged CLI access.
- Use role-appropriate permissions so users and automation accounts have only the CLI capabilities required.
- Align monitoring with formal change-management processes so unapproved CLI activity is easier to triage.
- Test incident response procedures for collecting and preserving network-device logs during suspected misuse.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description or detection content provided. The most useful relationship context is that it detects T1059.008, Network Device CLI, which is an Execution technique on Network Devices. Glexia’s take therefore focuses on validation questions, telemetry readiness, and defensive operating model considerations rather than specific detection rules.
Platforms and tactics are not specified on the detection-strategy object itself, and no official detection analytics are supplied. Any assessment of coverage requires local evidence about device types, logging capabilities, administrative workflows, identity controls, and SIEM ingestion.
Behavioral Detection of CLI Abuse on Network Devices
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.008 | Network Device CLI (sub-technique) | This object detects Network Device CLI. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a58ee73ae108… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0142
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.