Command and Scripting Interpreter: Network Device CLI

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically define multiple privilege levels, with higher-impact commands restricted to more privileged levels.

Scripting interpreters automate tasks and extend functionality beyond the command set built into the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means such as Telnet or SSH.

Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.[1]

ID: T1059.008
Sub-technique of:  T1059
Tactic: Execution
Platforms: Network Devices
Version: 1.2
Created: 20 October 2020
Last Modified: 12 May 2026

Procedure Examples

ID Name Description
C0063 2025 Poland Wiper Attacks

During the 2025 Poland Wiper Attacks, the adversaries leveraged the native CLI of the targeted FortiGate device.[2]

S9013 DRYHOOK

DRYHOOK has the ability to interact with Ivanti Connect Secure environments and to modify system components.[3][4]

S1186 Line Dancer

Line Dancer can execute native commands in networking device command line interfaces.[5][6]

S9014 PHASEJAM

PHASEJAM has leveraged native commands associated with the compromised network appliance to execute code.[3]

C0056 RedPenguin

During RedPenguin, UNC3886 accessed the Junos OS CLI on targeted devices.[7][8]

Mitigations

ID Mitigation Description
M1038 Execution Prevention

TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.[9]

M1026 Privileged Account Management

Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse. TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.[10][9]

M1018 User Account Management

Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions users can perform and provide a history of user actions to detect unauthorized use and abuse. Ensure least privilege principles are applied to user accounts and groups so that only authorized users can perform configuration changes.[10]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0142 Behavioral Detection of CLI Abuse on Network Devices AN0399

Detects unauthorized or anomalous use of command-line interfaces (CLI) on network devices. Focuses on remote access sessions (e.g., SSH/Telnet), privilege escalation within CLI sessions, execution of high-risk commands (e.g., config replace, terminal monitor, no logging), and configuration changes outside of approved windows.

References