MITRE ATT&CK Technique
Execution T1059.008
Description

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.

Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004).

Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)

Supported Platforms
Network Devices
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-10-20T00:09:33.072Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may abuse scripting or built-in command line '
                'interpreters (CLI) on network devices to execute malicious '
                'command and payloads. The CLI is the primary means through '
                'which users and administrators interact with the device in '
                'order to view system information, modify device operations, '
                'or perform diagnostic and administrative functions. CLIs '
                'typically contain various permission levels required for '
                'different commands. \n'
                '\n'
                'Scripting interpreters automate tasks and extend '
                'functionality beyond the command set included in the network '
                'OS. The CLI and scripting interpreter are accessible through '
                'a direct console connection, or through remote means, such as '
                'telnet or '
                '[SSH](https://attack.mitre.org/techniques/T1021/004).\n'
                '\n'
                'Adversaries can use the network CLI to change how network '
                'devices behave and operate. The CLI may be used to manipulate '
                'traffic flows to intercept or manipulate data, modify startup '
                'configuration parameters to load malicious system software, '
                'or to disable security features or logging to avoid '
                'detection.(Citation: Cisco Synful Knock Evolution)',
 'external_references': [{'external_id': 'T1059.008',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1059/008'},
                         {'description': 'Cisco. (n.d.). Cisco IOS Software '
                                         'Integrity Assurance - Command '
                                         'History. Retrieved October 21, 2020.',
                          'source_name': 'Cisco IOS Software Integrity '
                                         'Assurance - Command History',
                          'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#23'},
                         {'description': 'Graham Holmes. (2015, October 8). '
                                         'Evolution of attacks on Cisco IOS '
                                         'devices. Retrieved October 19, 2020.',
                          'source_name': 'Cisco Synful Knock Evolution',
                          'url': 'https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices'}],
 'id': 'attack-pattern--818302b2-d640-477b-bf88-873120ce85c4',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'execution'}],
 'modified': '2025-10-24T17:49:02.287Z',
 'name': 'Network Device CLI',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Network Devices'],
 'x_mitre_version': '1.2'}