DET0142 Behavioral Detection of CLI Abuse on Network Devices

ID: DET0142
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1059.008 (Network Device CLI)

Analytics

Network Devices

AN0399

This analytic detects unauthorized or anomalous use of the command-line interface (CLI) on network devices. It focuses on remote access sessions (e.g., SSH/Telnet), privilege escalation within CLI sessions, execution of high-risk commands (e.g., config replace, terminal monitor, no logging), and configuration changes made outside of approved maintenance windows.

Log Sources

Data Component | Name | Channel
Command Execution (DC0064) | networkdevice:syslog | command_exec
Network Traffic Content (DC0085) | NSM:Flow | remote CLI session detection
User Account Authentication (DC0002) | networkdevice:syslog | authorization/accounting logs
Mutable Elements

Field | Description
TimeWindow | Config changes made outside of maintenance windows are more suspicious.
UserContext | Unexpected CLI activity by service accounts or users not assigned to manage network devices.
CommandPattern | Regex or keyword match on dangerous or unusual commands (e.g., "no logging", "reload", "copy tftp", "config replace").
SourceIP | Remote CLI sessions originating from untrusted networks or jump hosts.
SessionDuration | Abnormally short or long SSH/Telnet CLI sessions compared to baseline.
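The following is an added example, not part of the DET0142 page or any MITRE tooling, showing how four of the mutable elements above (CommandPattern, TimeWindow, UserContext, SourceIP) can be scored together over command_exec syslog records so that a single benign signal does not alert on its own. The record layout, the maintenance window, the admin account list, the trusted subnet and the sample log lines are all assumed or constructed for this example; SessionDuration is omitted because it needs session start/stop correlation rather than per-command records.

```python
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed values for DET0142's mutable elements (tune per environment; not from the page).
MAINTENANCE_WINDOW = (time(1, 0), time(4, 0))   # TimeWindow: approved change window (UTC, not crossing midnight)
NETWORK_ADMINS = {"netops_alice", "netops_bob"}  # UserContext: accounts expected to manage network devices
TRUSTED_SOURCES = [ip_network("10.10.0.0/24")]   # SourceIP: approved jump-host subnet for remote CLI
DANGEROUS_CMDS = re.compile(                     # CommandPattern: the high-risk commands the page names
    r"^(no logging|reload|copy tftp|config(ure)? replace|terminal monitor)\b")

# Hypothetical record layout for the networkdevice:syslog command_exec channel:
#   <ISO-8601 timestamp> <device> CMD user=<account> src=<ip> cmd="<command>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<dev>\S+) CMD user=(?P<user>\S+) src=(?P<src>\S+) cmd="(?P<cmd>[^"]*)"$')

SAMPLE_LOGS = [  # constructed sample records
    '2025-10-21T02:15:00Z core-rtr1 CMD user=netops_alice src=10.10.0.5 cmd="interface Gi0/1"',
    '2025-10-21T14:02:11Z core-rtr1 CMD user=svc_backup src=192.0.2.44 cmd="no logging host 10.1.1.1"',
    '2025-10-21T14:03:40Z core-rtr1 CMD user=svc_backup src=192.0.2.44 cmd="copy tftp://192.0.2.9/ios.bin flash:"',
    '2025-10-21T03:30:00Z dist-sw2 CMD user=netops_bob src=10.10.0.7 cmd="terminal monitor"',
]

def in_window(ts: datetime) -> bool:
    start, end = MAINTENANCE_WINDOW
    return start <= ts.time() < end

def evaluate(line: str):
    """Parse one record and list the DET0142 elements it trips; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    hits = []
    if DANGEROUS_CMDS.match(m["cmd"]):
        hits.append("CommandPattern")
    if not in_window(ts):
        hits.append("TimeWindow")
    if m["user"] not in NETWORK_ADMINS:
        hits.append("UserContext")
    if not any(ip_address(m["src"]) in net for net in TRUSTED_SOURCES):
        hits.append("SourceIP")
    return {"user": m["user"], "src": m["src"], "cmd": m["cmd"], "hits": hits}

def scan(lines, min_hits=2):
    """Alert on records tripping at least min_hits elements, so a lone in-window 'terminal monitor' by an admin stays context."""
    results = (evaluate(line) for line in lines)
    return [r for r in results if r and len(r["hits"]) >= min_hits]
```

Running `scan(SAMPLE_LOGS)` returns only the two svc_backup records (each trips all four elements), while the in-window admin commands produce no alert.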