T1584.008

Network Devices

Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not Initial Access to that environment, but rather to leverage these devices to support additional targeting. Once an adversary has control, compromised network devices can be used to launch additional operations, such as hosting payloads for Phishing campaigns, enabling Content Injection operations, or serving as proxy relay nodes in Operational Relay Box (ORB) networks. Real-world usage includes Volt Typhoon proxying traffic through geographically co-located SOHO routers to evade geo-anomaly detection, APT28 compromising Ubiquiti devices to harvest credentials from phishing pages, ZIRCONIUM/APT31 building large-scale ORB networks from compromised SOHO and IoT devices, and Leviathan using SOHO devices as C2 relay infrastructure. These techniques are particularly difficult to detect because the compromise occurs entirely outside the victim environment — detection must focus on the downstream observable: when compromised devices interact with the victim's perimeter.

Microsoft Sentinel / Defender

kusto

// T1584.008 — Compromise Infrastructure: Network Devices
// Detects inbound connections and authentication events from IPs associated with
// known compromised SOHO/network device infrastructure via threat intelligence correlation
let ThreatIntelIPs = ThreatIntelligenceIndicator
| where TimeGenerated > ago(14d)
| where Active == true
| where isnotempty(NetworkIP)
| where Tags has_any ("ORB", "SOHO", "VoltTyphoon", "APT28", "APT31", "Leviathan", "RouterBotnet", "EdgeDevice", "CompromisedRouter")
    or Description has_any ("SOHO", "compromised router", "network device", "ORB network", "operational relay", "relay box")
| project NetworkIP, TIDescription=Description, TITags=Tags, IndicatorType, ExpirationDateTime;
// Authentication events from TI-matched IPs
let AuthFromTI = SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType in (0, 50074, 50076, 50079)
| join kind=inner ThreatIntelIPs on $left.IPAddress == $right.NetworkIP
| project TimeGenerated,
         EventType = "Authentication_From_CompromisedNetworkDevice",
         UserPrincipalName,
         SourceIP = IPAddress,
         AppDisplayName,
         LocationCity = tostring(LocationDetails.city),
         LocationCountry = tostring(LocationDetails.countryOrRegion),
         TIDescription,
         TITags,
         AuthResult = ResultType,
         AuthResultDescription = ResultDescription;
// Inbound network connections from TI-matched IPs
let NetFromTI = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("InboundConnectionAccepted", "ConnectionSuccess")
| where RemoteIPType == "Public"
| join kind=inner ThreatIntelIPs on $left.RemoteIP == $right.NetworkIP
| project TimeGenerated = Timestamp,
         EventType = "NetworkConnection_From_CompromisedNetworkDevice",
         DeviceName,
         SourceIP = RemoteIP,
         DestinationPort = LocalPort,
         ActionType,
         ProcessName = InitiatingProcessFileName,
         TIDescription,
         TITags;
// Firewall/CommonSecurityLog events from TI-matched IPs
let FWFromTI = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where isnotempty(SourceIP)
| join kind=inner ThreatIntelIPs on $left.SourceIP == $right.NetworkIP
| project TimeGenerated,
         EventType = "FirewallEvent_From_CompromisedNetworkDevice",
         DeviceName = DeviceName,
         SourceIP,
         DestinationPort,
         DestinationIP,
         DeviceAction,
         ApplicationProtocol,
         TIDescription,
         TITags;
union AuthFromTI, NetFromTI, FWFromTI
| sort by TimeGenerated desc

high severity low confidence

Data Sources

Network Traffic: Network Traffic Flow Network Traffic: Network Connection Creation User Account: User Account Authentication Microsoft Sentinel Threat Intelligence Firewall: Network Connection

Required Tables

ThreatIntelligenceIndicator SigninLogs DeviceNetworkEvents CommonSecurityLog

False Positives

Legitimate remote workers on residential ISP connections where the home IP has been historically flagged as SOHO infrastructure — IP reassignment by ISPs means previously-compromised device IPs are routinely reassigned to clean users
Commercial VPN providers and residential proxy services that route traffic through the same IP ranges as compromised SOHO devices, particularly if the VPN uses residential ISP IP space
Threat intelligence staleness — indicators for SOHO infrastructure are frequently stale within weeks as adversaries rotate through devices; matches on expired or low-confidence indicators produce significant noise
Volt Typhoon specifically selects compromised devices geographically co-located near the victim to defeat geo-anomaly detection, meaning flagged IPs may appear to be legitimate local traffic from expected residential ranges
Security researchers and red teams using SOHO lab environments or intentionally routing through residential proxy infrastructure during authorized engagements

Splunk

spl

| inputlookup threat_intel_ips.csv
| where like(lower(tags), "%soho%") OR like(lower(tags), "%orb%") OR like(lower(tags), "%volttyphoon%") OR like(lower(tags), "%routerbotnet%") OR like(lower(tags), "%apt28%") OR like(lower(tags), "%apt31%") OR like(lower(tags), "%leviathan%") OR like(lower(tags), "%edgedevice%") OR like(lower(tags), "%compromisedrouter%")
| rename ip AS ti_ip, tags AS ti_tags, description AS ti_description
| join type=inner ti_ip
    [search (index=firewall OR index=network OR index=perimeter)
        (sourcetype="cisco:asa" OR sourcetype="paloalto:firewall" OR sourcetype="fortinet:firewall" OR sourcetype="stream:tcp" OR sourcetype="juniper:junos:firewall")
    | eval src_ip=coalesce(src_ip, src, SourceIP, source_ip)
    | eval dest_ip=coalesce(dest_ip, dest, DestinationIP, destination_ip)
    | eval dest_port=coalesce(dest_port, dpt, DestinationPort)
    | eval action=coalesce(action, DeviceAction, act)
    | where isnotempty(src_ip)
          AND NOT (match(src_ip, "^10\.") OR match(src_ip, "^172\.(1[6-9]|2[0-9]|3[0-1])\.") OR match(src_ip, "^192\.168\.") OR match(src_ip, "^127\.") OR match(src_ip, "^169\.254\."))
    | rename src_ip AS ti_ip]
| eval detection_type="TI_Match_CompromisedNetworkDevice_NetworkFlow"
| table _time, ti_ip, dest_ip, dest_port, action, ti_tags, ti_description, detection_type, sourcetype, host
| sort - _time
| append
    [search index=wineventlog (sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625 OR EventCode=4648)) OR (sourcetype="WinEventLog:System" EventCode=7045)
    | eval src_ip=coalesce(IpAddress, src_ip)
    | where isnotempty(src_ip)
          AND NOT (match(src_ip, "^10\.") OR match(src_ip, "^172\.(1[6-9]|2[0-9]|3[0-1])\.") OR match(src_ip, "^192\.168\.") OR match(src_ip, "^127\.") OR match(src_ip, "^-"))
    | lookup threat_intel_ips.csv ip AS src_ip OUTPUT tags AS ti_tags, description AS ti_description
    | where isnotnull(ti_tags)
          AND (like(lower(ti_tags), "%soho%") OR like(lower(ti_tags), "%orb%") OR like(lower(ti_tags), "%volttyphoon%") OR like(lower(ti_tags), "%routerbotnet%") OR like(lower(ti_tags), "%apt28%") OR like(lower(ti_tags), "%apt31%") OR like(lower(ti_tags), "%leviathan%"))
    | eval detection_type="TI_Match_CompromisedNetworkDevice_Auth"
    | eval account=coalesce(Account, SubjectUserName, TargetUserName)
    | table _time, src_ip, ComputerName, EventCode, account, ti_tags, ti_description, detection_type
    | sort - _time]

high severity low confidence

Data Sources

Network Traffic: Network Traffic Flow User Account: User Account Authentication Firewall: Network Connection Threat Intelligence Feed

Required Sourcetypes

cisco:asa paloalto:firewall fortinet:firewall WinEventLog:Security

False Positives

Legitimate remote employees on residential ISP connections where the home IP was previously associated with a compromised router and has since been reassigned by the ISP to a clean subscriber
Commercial residential proxy services and VPN providers that route through SOHO IP space, particularly if employees or contractors use such services for privacy or regional access
Threat intelligence feed false positives from poorly-sourced or unenriched bulk IP lists that have not been validated against actual SOHO compromise attribution
Security researchers and penetration testers operating from home lab environments using SOHO hardware intentionally configured to simulate adversary infrastructure
Volt Typhoon-style targeting where geographically co-located SOHO devices are deliberately selected to match expected traffic patterns — flagged IPs may appear to be local legitimate sources

Elastic Security (EQL)

eql

// T1584.008 — Compromised Infrastructure: Network Devices
// Requires Elastic Threat Intelligence module enrichment (logs-ti_*) to populate
// threat.enrichments fields on incoming events via ingest pipeline matching.
// Covers authentication, network flow, and HTTP events from compromised SOHO/ORB IPs.
any where
  event.category in ("authentication", "network", "network_traffic") and
  source.ip != null and
  not cidr(source.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16") and
  threat.enrichments.matched.type == "ipv4-addr" and
  (
    threat.enrichments.indicator.description like~ "*SOHO*" or
    threat.enrichments.indicator.description like~ "*ORB*" or
    threat.enrichments.indicator.description like~ "*compromised router*" or
    threat.enrichments.indicator.description like~ "*network device*" or
    threat.enrichments.indicator.description like~ "*operational relay*" or
    threat.enrichments.indicator.description like~ "*relay box*" or
    threat.enrichments.indicator.provider like~ "*VoltTyphoon*" or
    threat.enrichments.indicator.provider like~ "*APT28*" or
    threat.enrichments.indicator.provider like~ "*APT31*" or
    threat.enrichments.indicator.provider like~ "*Leviathan*" or
    threat.enrichments.indicator.provider like~ "*RouterBotnet*" or
    threat.enrichments.indicator.provider like~ "*EdgeDevice*" or
    threat.enrichments.indicator.provider like~ "*CompromisedRouter*"
  )

high severity medium confidence

Data Sources

Elastic Threat Intelligence Module (logs-ti_*) Endpoint security telemetry (auditbeat, filebeat with system module) Network traffic logs (Packetbeat, firewall integrations via Elastic Agent) Authentication logs (Windows Event Logs, Linux PAM/auditd via Beats) Firewall/perimeter logs (Cisco ASA, Palo Alto, Fortinet via Elastic integrations)

Required Tables

logs-* auditbeat-* filebeat-* packetbeat-* logs-ti_abusech.* logs-ti_recordedfuture.* logs-ti_misp.*

False Positives

Legitimate CDN or cloud hosting provider IPs that were previously part of a SOHO botnet but have since been cleaned and reassigned, with stale TI feed entries still marking them as malicious beyond their indicator expiry date
VPN exit nodes or residential proxy services operating commercially whose egress IPs overlap with SOHO/ORB compromise indicators because adversaries previously used or co-tenanted the same provider infrastructure
ISP dynamic address pools where a formerly compromised SOHO IP has been recycled and assigned to a new legitimate residential or business subscriber before the TI feed has aged out the indicator
Security researchers and threat intelligence platform crawlers operating from infrastructure that was once part of, or geographically adjacent to, known compromised SOHO or ORB network ranges

IBM QRadar (AQL)

sql

-- T1584.008 — Compromised Infrastructure: Network Devices
-- Requires 'Compromised_SOHO_ORB_IPs' Reference Set populated via TI feed automation
-- (e.g., QRadar Reference Data API or STIX/TAXII connector importing ORB/SOHO indicators)
-- Queries both events (auth + firewall) and flows (NetFlow/sFlow) tables
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  SOURCEIP(sourceip) AS source_ip,
  DESTINATIONIP(destinationip) AS destination_ip,
  destinationport AS destination_port,
  username,
  CATEGORYNAME(category) AS event_category,
  LOGSOURCETYPENAME(logsourcetypeid) AS log_source_type,
  qidname(qid) AS event_name,
  magnitude,
  'TI_Match_CompromisedNetworkDevice_Event' AS detection_type
FROM events
WHERE
  starttime > (CURRENT_TIMESTAMP - 86400000)
  AND INREFERENCESET(SOURCEIP(sourceip), 'Compromised_SOHO_ORB_IPs')
  AND NOT INCIDR('10.0.0.0/8', sourceip)
  AND NOT INCIDR('172.16.0.0/12', sourceip)
  AND NOT INCIDR('192.168.0.0/16', sourceip)
  AND NOT INCIDR('127.0.0.0/8', sourceip)
  AND NOT INCIDR('169.254.0.0/16', sourceip)
UNION ALL
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  SOURCEIP(sourceip) AS source_ip,
  DESTINATIONIP(destinationip) AS destination_ip,
  destinationport AS destination_port,
  NULL AS username,
  'Network Flow' AS event_category,
  APPLICATIONNAME(applicationid) AS log_source_type,
  'Inbound Network Flow from Compromised Device' AS event_name,
  magnitude,
  'TI_Match_CompromisedNetworkDevice_Flow' AS detection_type
FROM flows
WHERE
  starttime > (CURRENT_TIMESTAMP - 86400000)
  AND INREFERENCESET(SOURCEIP(sourceip), 'Compromised_SOHO_ORB_IPs')
  AND NOT INCIDR('10.0.0.0/8', sourceip)
  AND NOT INCIDR('172.16.0.0/12', sourceip)
  AND NOT INCIDR('192.168.0.0/16', sourceip)
  AND NOT INCIDR('127.0.0.0/8', sourceip)
ORDER BY event_time DESC

high severity medium confidence

Data Sources

QRadar Reference Set: Compromised_SOHO_ORB_IPs (populated by TI feed integration via Reference Data API or STIX/TAXII) Firewall log sources (Cisco ASA, Palo Alto Networks, Fortinet FortiGate, Check Point) Authentication log sources (Microsoft Active Directory, RADIUS, VPN gateway logs) Network flow collectors (QRadar QFlow processor, NetFlow v9/IPFIX, sFlow) QRadar event pipeline (DSM-parsed events from all configured log sources)

Required Tables

events flows

False Positives

Legitimate business partner or third-party vendor egress IPs that fall within ranges previously flagged as compromised SOHO infrastructure, particularly where the provider's IP block has been partially or fully reassigned after a botnet takedown
Cloud NAT gateway or shared egress IPs from hyperscale providers (AWS, Azure, GCP) appearing in SOHO/ORB TI feeds due to brief adversary use of co-tenanted infrastructure before account termination
Reference set staleness where an IP from a dismantled SOHO botnet campaign has been cleaned, returned to a legitimate ISP customer, and is now generating legitimate traffic but remains in the QRadar reference set
Anycast or geographic load-balancing IPs whose routing paths through certain regions cause them to appear associated with historically compromised SOHO infrastructure in GeoIP-based TI attribution

Sumo Logic CSE

sql

// T1584.008 — Compromised Infrastructure: Network Devices
// Sumo Logic CSE: queries normalized sec_record index and correlates with TI lookup table
// Requires lookup table uploaded to Sumo Logic Catalog at the path specified below
// Lookup table columns: ip (string), ti_tags (string), ti_description (string)
_index=sec_record*
| where !isNull(srcDevice_ip)
| where !(srcDevice_ip matches /^10\./ 
    OR srcDevice_ip matches /^172\.(1[6-9]|2[0-9]|3[01])\./
    OR srcDevice_ip matches /^192\.168\./
    OR srcDevice_ip matches /^127\./
    OR srcDevice_ip matches /^169\.254\./)
| lookup srcDevice_ip as ip 
    from path://"/Threat Intel/Compromised_Network_Device_IPs" nodrop
| where !isNull(ti_tags)
| where ti_tags matches /(?i)(SOHO|ORB|VoltTyphoon|APT28|APT31|Leviathan|RouterBotnet|EdgeDevice|CompromisedRouter)/
    OR ti_description matches /(?i)(SOHO|compromised router|ORB network|operational relay|network device|relay box)/
| if(toLowerCase(metadata_deviceEventId) matches /(auth|login|logon|signin)/,
    "Auth_From_CompromisedNetworkDevice",
    "Network_From_CompromisedNetworkDevice") as detection_type
| fields _messageTime, srcDevice_ip, dstDevice_ip, dstPort, user_username,
         metadata_product, metadata_vendor, metadata_deviceEventId,
         ti_tags, ti_description, detection_type
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic CSE normalized records (_index=sec_record*) Threat Intelligence lookup table (Sumo Logic Catalog: /Threat Intel/Compromised_Network_Device_IPs) Firewall logs normalized by Sumo Logic CSE parsers (Cisco, Palo Alto, Fortinet, etc.) Authentication logs normalized by Sumo Logic CSE (Windows, Linux, IdP logs) Network traffic logs normalized by Sumo Logic CSE (DNS, proxy, flow data)

Required Tables

sec_record* (Sumo Logic CSE normalized record index) /Threat Intel/Compromised_Network_Device_IPs (Sumo Logic Catalog lookup table with columns: ip, ti_tags, ti_description)

False Positives

Dynamic IP address reassignment where a previously compromised residential or SOHO IP has been returned to the ISP address pool and assigned to a new legitimate subscriber, with the TI lookup table not yet updated to remove the expired indicator
Legitimate SaaS platforms or CDN providers whose shared infrastructure appears in SOHO/ORB lookup tables because adversaries used co-tenanted hosting during a campaign before the provider terminated the malicious accounts
Security operations tooling such as vulnerability scanners, threat intelligence enrichment platforms, or SOC analyst workstations operating from IP ranges that overlap with historically compromised SOHO device attribution in TI feeds
International business traffic from partner organizations in regions with high SOHO compromise rates, where ISP-assigned IP blocks overlap broadly with compromised device indicator ranges due to imprecise TI attribution granularity

Google Chronicle / SecOps

yaral

rule t1584_008_compromised_network_device_ti_match {
  meta:
    author = "Detection Engineering"
    description = "Detects inbound connections and authentication events from IPs attributed to compromised SOHO/ORB network device infrastructure via Chronicle threat intelligence graph correlation. Covers VoltTyphoon, APT28, APT31, Leviathan, and generic ORB relay/SOHO botnet indicators."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584.008"
    severity = "HIGH"
    confidence = "MEDIUM"
    priority = "HIGH"
    false_positives = "Stale TI feed entries for reclaimed IPs, VPN exit nodes, recycled ISP address pools"
    version = "1.0"

  events:
    (
      $e.metadata.event_type = "NETWORK_CONNECTION" or
      $e.metadata.event_type = "NETWORK_HTTP" or
      $e.metadata.event_type = "NETWORK_FLOW" or
      $e.metadata.event_type = "USER_LOGIN" or
      $e.metadata.event_type = "USER_LOGIN_FAIL"
    )

    $e.principal.ip = $src_ip

    not net.ip_in_range_cidr($src_ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($src_ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($src_ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($src_ip, "127.0.0.0/8")
    not net.ip_in_range_cidr($src_ip, "169.254.0.0/16")

    $ioc.graph.entity.artifact.ip = $src_ip
    $ioc.graph.metadata.entity_type = "IP_ADDRESS"
    (
      re.regex($ioc.graph.metadata.threat_feed_name,
        `(?i)(SOHO|ORB|VoltTyphoon|APT28|APT31|Leviathan|RouterBotnet|EdgeDevice|CompromisedRouter)`) or
      re.regex($ioc.graph.metadata.description,
        `(?i)(SOHO|compromised router|ORB network|operational relay|network device|relay box)`)
    )

  match:
    $src_ip over 1h

  condition:
    $e and $ioc
}

high severity medium confidence

Data Sources

Chronicle UDM normalized event stream Chronicle Threat Intelligence Graph (IOC entity graph, populated from Google TI feeds and custom imports) Google Cloud Threat Intelligence (VirusTotal Enterprise, Mandiant, Google TAG feeds) Custom IOC imports via Chronicle STIX/TAXII or API ingestion Network perimeter logs ingested via Chronicle forwarder (firewall, proxy, VPN) Identity provider and authentication logs ingested via Chronicle forwarder

Required Tables

udm_events (Chronicle UDM normalized event stream) graph (Chronicle IOC/entity graph with threat intelligence enrichment)

False Positives

Google Threat Intelligence feed entries that apply broad /24 or /16 CIDR attribution for threat actor infrastructure, capturing legitimate co-tenanted or subsequently reassigned IPs within the same subnet as historically compromised SOHO devices
Commercially operated VPN or residential proxy services whose exit node IPs have appeared in SOHO/ORB threat intelligence because adversaries used the same commercial proxy infrastructure during observed campaigns
Internet scanning and research infrastructure operated by security vendors (Shodan, Censys, GreyNoise) operating from IP ranges adjacent to or previously overlapping with known compromised SOHO device address space
Business-to-business partner traffic originating from ISPs in regions with high SOHO compromise rates where broad TI feed attribution sweeps include legitimate subscriber IP allocations

CrowdStrike LogScale (CQL)

cql

// T1584.008 — Compromised Infrastructure: Network Devices
// CrowdStrike LogScale — Falcon Data Replicator events
// Detects NetworkConnectIP4, NetworkReceiveAcceptIP4, and UserLogon events where
// the remote IP matches a TI lookup file for compromised SOHO/ORB relay infrastructure.
// Requires 'compromised_network_device_ips.csv' uploaded as a LogScale lookup file
// with columns: ip (string), ti_tags (string), ti_description (string)
#event_simpleName = /^(NetworkConnectIP4|NetworkReceiveAcceptIP4|NetworkConnectIP6|UserLogon)$/
| RemoteIP != null
| RemoteIP != "0.0.0.0"
| regex(
    "^(?!10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.|169\\.254\\.)",
    field=RemoteIP
  )
| match(
    file="compromised_network_device_ips.csv",
    field=[RemoteIP],
    column=[ip],
    include=[ti_tags, ti_description]
  )
| regex(
    "(?i)(SOHO|ORB|VoltTyphoon|APT28|APT31|Leviathan|RouterBotnet|EdgeDevice|CompromisedRouter)",
    field=ti_tags
  )
| detection_type := case {
    #event_simpleName = "UserLogon" => "Auth_From_CompromisedNetworkDevice" ;
    #event_simpleName in ["NetworkConnectIP4", "NetworkReceiveAcceptIP4", "NetworkConnectIP6"]
      => "Network_From_CompromisedNetworkDevice" ;
    * => "Unknown_CompromisedNetworkDevice_Event"
  }
| groupBy(
    [RemoteIP, ComputerName, detection_type, ti_tags, UserName],
    function=[
      count(as=event_count),
      min(@timestamp, as=first_seen),
      max(@timestamp, as=last_seen)
    ]
  )
| sort(field=last_seen, order=desc, limit=500)

high severity medium confidence

Data Sources

CrowdStrike Falcon Data Replicator (FDR) endpoint telemetry Falcon sensor network events (NetworkConnectIP4, NetworkReceiveAcceptIP4, NetworkConnectIP6) Falcon sensor authentication events (UserLogon) TI lookup file: compromised_network_device_ips.csv (LogScale lookup file with columns: ip, ti_tags, ti_description)

Required Tables

NetworkConnectIP4 (Falcon FDR #event_simpleName) NetworkReceiveAcceptIP4 (Falcon FDR #event_simpleName) NetworkConnectIP6 (Falcon FDR #event_simpleName) UserLogon (Falcon FDR #event_simpleName) compromised_network_device_ips.csv (LogScale lookup file)

False Positives

Falcon-protected endpoints that regularly connect to CDN or SaaS provider IPs that overlap with SOHO/ORB indicator ranges due to IP address recycling at cloud scale, particularly where a provider's IP block was previously used as ORB relay infrastructure and has since been legitimately reassigned
Corporate remote employees connecting through commercial VPN services whose exit node IPs are present in SOHO/ORB TI feeds because adversaries also used or co-opted the same VPN provider's infrastructure during tracked campaigns
TI lookup file staleness causing alerts for IPs from dismantled SOHO botnet campaigns that have been cleaned and returned to legitimate ISP subscriber use but remain in the CSV due to infrequent feed refresh cycles
CrowdStrike-managed infrastructure or third-party security vendor agents generating connections from IPs that share subnet space with historically documented compromised SOHO device ranges in threat intelligence attribution databases

Last updated: 2026-04-13 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1584.008 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1584Compromise Infrastructure

Related Sub-techniques

T1584.001Compromise Infrastructure: Domains T1584.002DNS Server T1584.003Virtual Private Server T1584.004Compromise Infrastructure: Server T1584.005Botnet T1584.006Web Services T1584.007Serverless

Network Devices

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections