MITRE ATT&CK® Technique

T1059.008: Network Device CLI

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.

Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or SSH.

Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.[1]

Domain: Enterprise | ID: T1059.008 | Type: Sub-technique | Object version: 1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Network Device CLI abuse matters because routers, switches, and security appliances often sit in the path of critical business traffic. If an adversary can execute commands through a device CLI or supported scripting interpreter, they may change device behavior, alter traffic flows, modify startup configuration, or disable logging and security features. For leaders, this is not just an endpoint execution issue; it is a resilience, visibility, and change-control issue for the infrastructure that carries the business.

Executive priority

Prioritize this technique where network devices support remote administration or scripting and where outages, traffic manipulation, or loss of logging would materially affect operations. Executives should ask whether privileged access to network devices is governed with the same rigor as servers and cloud consoles, whether command history and configuration evidence are retained for incident response and audit, and whether the SOC can distinguish approved network administration from suspicious CLI activity. ATT&CK relationship context also shows relevance to network-device malware and campaigns, including infrastructure-impacting scenarios, so coverage should be considered in business continuity and cyber-physical risk planning where network devices support operational environments.

Technical view

For SOC, detection engineering, and IR teams, validate visibility around execution through network device CLIs on the Network Devices platform under the Execution tactic. Official ATT&CK detection text is not provided, but the object references CLI access through direct console, telnet, and SSH, and the relationship context includes DET0142, Behavioral Detection of CLI Abuse on Network Devices. Practical validation should focus on command history, administrative authentication, privilege level changes, configuration changes, startup configuration modifications, traffic-flow changes, and events indicating logging or security features were disabled. Treat this as a command-and-scripting-interpreter problem specialized to network operating systems and appliances, not only as traditional host shell monitoring.

Likely telemetry

  • Network device command history where available
  • AAA, authentication, authorization, and accounting records for network device administration
  • SSH, telnet, and direct console access logs
  • Privilege level changes and administrative role usage
  • Running and startup configuration change records

Detection direction

  • Map DET0142-style behavioral detection to local network device families and management workflows rather than relying on a generic endpoint command-line model.
  • Baseline normal administrative commands, maintenance windows, source locations, and privileged users so unusual CLI activity can be investigated without overwhelming analysts with routine operations.
  • Correlate CLI commands with authentication events, privilege escalation, configuration diffs, and change-management records.
  • Pay special attention to commands or sequences that modify startup configuration, manipulate traffic flows, disable logging, or change security features, because these behaviors are explicitly described by ATT&CK for this technique.
  • Validate whether command history is actually retained and centrally collected; many environments assume network-device visibility exists when it is incomplete, local-only, or overwritten.
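As an added example (not part of the ATT&CK object or Glexia's analysis), the following Python sketch applies the bullets above to constructed, Cisco IOS-style command-accounting records: it flags the behaviours ATT&CK names for this sub-technique, adds maintenance-window and source-network context to separate routine administration from activity worth investigating, and counts lines it cannot parse as a visibility gap. The record format, subnet, change window and command patterns are all assumptions to be validated against the real devices and logging pipeline.

```python
import re
# Behaviours ATT&CK describes for T1059.008, as regexes over the command text.
# Constructed Cisco IOS-style illustrations; adapt them per vendor and network OS.
RISKY_PATTERNS = {
    "logging_disabled": re.compile(r"^no (logging|aaa accounting)\b"),
    "startup_config_modified": re.compile(r"^copy .*startup-config\b|^write (memory|erase)\b"),
    "boot_image_changed": re.compile(r"^boot system\b|^config-register\b"),
    "security_feature_disabled": re.compile(r"^no (ip access-(list|group)|ip ssh|service password-encryption)\b"),
    "traffic_flow_changed": re.compile(r"^(no )?(ip route|monitor session)\b"),
}
APPROVED_MGMT_PREFIXES = ("10.0.99.",)  # constructed: approved admin jump-host subnet
MAINTENANCE_HOURS = range(1, 5)         # constructed: 01:00-04:59 UTC change window

# Constructed AAA command-accounting style record (real field names vary by device):
# <ISO-8601 UTC> device=<name> user=<u> src=<ip> priv=<level> cmd="<command text>"
LINE_RE = re.compile(r'^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) '
                     r'src=(?P<src>\S+) priv=(?P<priv>\d+) cmd="(?P<cmd>[^"]*)"$')

def parse_line(line):  # fields of one command record, or None for any other line
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def analyse(lines):
    # Flags the risky behaviours and counts unparsed lines as a collection gap
    findings, unparsed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        reasons = [name for name, rx in RISKY_PATTERNS.items() if rx.search(ev["cmd"])]
        if not reasons:
            continue  # routine show/config commands stay in the baseline
        # Context that separates approved administration from activity to investigate
        if int(ev["ts"][11:13]) not in MAINTENANCE_HOURS:
            reasons.append("outside_maintenance_window")
        if not ev["src"].startswith(APPROVED_MGMT_PREFIXES):
            reasons.append("unapproved_source")
        ev["reasons"], ev["severity"] = reasons, ("high" if len(reasons) > 1 else "review")
        findings.append(ev)
    return findings, unparsed

# Constructed sample: an in-window save from the jump host, then an off-hours session from an unapproved source
SAMPLE_LOG = """\
2025-03-02T02:11:40Z device=core-rtr-1 user=netops src=10.0.99.5 priv=15 cmd="copy running-config startup-config"
2025-03-02T14:32:07Z device=edge-rtr-2 user=svc_backup src=192.0.2.44 priv=15 cmd="no logging host 10.0.50.10"
2025-03-02T14:32:19Z device=edge-rtr-2 user=svc_backup src=192.0.2.44 priv=15 cmd="boot system flash:new-image.bin"
2025-03-02T14:33:02Z device=edge-rtr-2 user=svc_backup src=192.0.2.44 priv=15 cmd="write memory"
%SYS-5-CONFIG_I: Configured from console by svc_backup
"""
```

Running `analyse(SAMPLE_LOG.splitlines())` returns one "review" finding for the in-window save and three "high" findings for the off-hours session, plus an unparsed count of 1 for the syslog-style line.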

Mitigation priorities

  • Start with User Account Management: ensure network device accounts have defined owners, lifecycle controls, timely deactivation, and appropriate access scope.
  • Strengthen Privileged Account Management: restrict administrative roles, enforce least privilege, and ensure privileged actions are attributable and logged.
  • Limit management access paths to approved methods and administrators; the ATT&CK object specifically notes console, telnet, and SSH as CLI access routes.
  • Where supported by the device or network OS, apply Execution Prevention concepts to restrict unauthorized scripts, interpreters, or code execution paths.
  • Pair technical controls with configuration backup, command logging, and change review so responders can determine what changed and restore trusted device behavior.

Analyst notes and limits

This take is based on ATT&CK T1059.008 Network Device CLI, its official description, external references, and supplied relationships. Relationship context includes mitigation mappings to User Account Management, Privileged Account Management, and Execution Prevention; a detection strategy named Behavioral Detection of CLI Abuse on Network Devices; parent technique T1059 Command and Scripting Interpreter; and campaign/software relationships involving network-device activity. These relationships support prioritizing identity governance, privileged access, command telemetry, and configuration integrity for network infrastructure.

Official ATT&CK detection guidance for this sub-technique is not provided in the supplied object. Specific commands, device vendors, log fields, and detection logic must be validated against the organization’s actual network devices, operating systems, management protocols, and logging architecture. The supplied relationships indicate that campaigns and software use this technique, but they do not by themselves establish local exposure, active exploitation, or guaranteed detection coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise. ID: T1059. Name: Command and Scripting Interpreter. Relationship: this object is a sub-technique of Command and Scripting Interpreter.
Associated objects

Groups, software, and campaigns

Malware (Enterprise)

S9013: DRYHOOK

DRYHOOK is a Python script used to steal credentials. DRYHOOK was first reported in January 2025, and has previously been leveraged by People's Republic of China (PRC) state-affiliated threat actors identified as UNC5221 and SYLVANITE.[1][2][3]

Platforms: Linux, Network Devices
Malware (Enterprise)

S9014: PHASEJAM

PHASEJAM is a dropper written as a bash shell script that modifies Ivanti Connect Secure appliance components. PHASEJAM was first reported in January 2025. PHASEJAM has previously been leveraged by People's Republic of China (PRC)-affiliated actors identified as UNC5221 and SYLVANITE.[1][2]

Platforms: Linux, Network Devices
Campaign (Enterprise)

C0063: 2025 Poland Wiper Attacks

2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper, and LazyWiper, a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]

Campaign (Enterprise)

C0056: RedPenguin

The RedPenguin project was launched by Juniper in July 2024 to investigate reported malware infections of Juniper MX Series routers. RedPenguin activity was separately attributed to UNC3886 and included the deployment of multiple custom versions of the publicly-available TINYSHELL backdoor on Juniper routers.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: be5f65d971e01461...

Imported snapshots across ATT&CK releases (1)
Release: 19.1 | Bundle imported: | Object version: 1.2 | Modified: | Status: Current bundle | Raw hash: be5f65d971e0…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Cisco Synful Knock Evolution. Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.
  2. [2] Cisco IOS Software Integrity Assurance - Command History. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.
  3. [3] mitre-attack T1059.008.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.