T1584.008 Google Chronicle · YARA-L

Detect Network Devices in Google Chronicle

Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not Initial Access to that environment, but rather to leverage these devices to support additional targeting. Once an adversary has control, compromised network devices can be used to launch additional operations, such as hosting payloads for Phishing campaigns, enabling Content Injection operations, or serving as proxy relay nodes in Operational Relay Box (ORB) networks. Real-world usage includes Volt Typhoon proxying traffic through geographically co-located SOHO routers to evade geo-anomaly detection, APT28 compromising Ubiquiti devices to harvest credentials from phishing pages, ZIRCONIUM/APT31 building large-scale ORB networks from compromised SOHO and IoT devices, and Leviathan using SOHO devices as C2 relay infrastructure. These techniques are particularly difficult to detect because the compromise occurs entirely outside the victim environment — detection must focus on the downstream observable: when compromised devices interact with the victim's perimeter.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1584 Compromise Infrastructure
Sub-technique
T1584.008 Network Devices
Canonical reference
https://attack.mitre.org/techniques/T1584/008/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1584_008_compromised_network_device_ti_match {
  meta:
    author = "Detection Engineering"
    description = "Detects inbound connections and authentication events from IPs attributed to compromised SOHO/ORB network device infrastructure via Chronicle threat intelligence graph correlation. Covers VoltTyphoon, APT28, APT31, Leviathan, and generic ORB relay/SOHO botnet indicators."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584.008"
    severity = "HIGH"
    confidence = "MEDIUM"
    priority = "HIGH"
    false_positives = "Stale TI feed entries for reclaimed IPs, VPN exit nodes, recycled ISP address pools"
    version = "1.0"

  events:
    (
      $e.metadata.event_type = "NETWORK_CONNECTION" or
      $e.metadata.event_type = "NETWORK_HTTP" or
      $e.metadata.event_type = "NETWORK_FLOW" or
      $e.metadata.event_type = "USER_LOGIN" or
      $e.metadata.event_type = "USER_LOGIN_FAIL"
    )

    $e.principal.ip = $src_ip

    not net.ip_in_range_cidr($src_ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($src_ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($src_ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($src_ip, "127.0.0.0/8")
    not net.ip_in_range_cidr($src_ip, "169.254.0.0/16")

    $ioc.graph.entity.artifact.ip = $src_ip
    $ioc.graph.metadata.entity_type = "IP_ADDRESS"
    (
      re.regex($ioc.graph.metadata.threat_feed_name,
        `(?i)(SOHO|ORB|VoltTyphoon|APT28|APT31|Leviathan|RouterBotnet|EdgeDevice|CompromisedRouter)`) or
      re.regex($ioc.graph.metadata.description,
        `(?i)(SOHO|compromised router|ORB network|operational relay|network device|relay box)`)
    )

  match:
    $src_ip over 1h

  condition:
    $e and $ioc
}

Chronicle YARA-L 2.0 rule that correlates UDM network connection, HTTP, flow, and authentication events against Chronicle's IOC entity graph to identify traffic sourced from IPs attributed to compromised SOHO routers, ORB relay networks, or state-sponsored threat actor staging infrastructure. The rule matches when a UDM event's principal IP is simultaneously present in the Chronicle threat intelligence graph with a feed name or description matching SOHO, ORB, VoltTyphoon, APT28, APT31, Leviathan, RouterBotnet, EdgeDevice, or CompromisedRouter. The 1-hour match window groups multiple events from the same source IP to reduce alert volume.
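To check the rule's logic before deploying it, the following added example (not part of the page's rule and not a Chronicle API) re-implements the same filters in Python over constructed UDM-style events and a constructed IOC graph: the five in-scope event types, the five CIDR exclusions, the two case-insensitive regexes, and one-hour grouping per source IP. Fixed hourly buckets are an assumption standing in for Chronicle's sliding `match` window.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed UDM-style events (not real telemetry): (timestamp, metadata.event_type, principal.ip)
EVENTS = [
    ("2024-05-01T10:00:00", "NETWORK_CONNECTION", "203.0.113.10"),
    ("2024-05-01T10:20:00", "USER_LOGIN_FAIL", "203.0.113.10"),
    ("2024-05-01T10:40:00", "PROCESS_LAUNCH", "203.0.113.10"),  # event type not in scope
    ("2024-05-01T12:05:00", "NETWORK_HTTP", "203.0.113.10"),    # later hour, separate match group
    ("2024-05-01T10:30:00", "USER_LOGIN", "198.51.100.7"),      # on a TI feed, but not SOHO/ORB
    ("2024-05-01T10:31:00", "NETWORK_FLOW", "192.168.1.5"),     # RFC 1918, dropped by CIDR filter
]
# Constructed IOC entity-graph entries: ip -> (threat_feed_name, description)
IOC_GRAPH = {
    "203.0.113.10": ("VoltTyphoon-KV-Botnet", "Compromised SOHO router used as ORB relay"),
    "198.51.100.7": ("Generic-Malware-C2", "Cobalt Strike beacon server"),
    "192.168.1.5": ("EdgeDevice", "internal lab entry that must never alert"),
}

EVENT_TYPES = {"NETWORK_CONNECTION", "NETWORK_HTTP", "NETWORK_FLOW", "USER_LOGIN", "USER_LOGIN_FAIL"}
EXCLUDED_RANGES = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Same alternations as the rule's two re.regex() calls, case-insensitive like the (?i) flag
FEED_RE = re.compile(r"SOHO|ORB|VoltTyphoon|APT28|APT31|Leviathan|RouterBotnet|EdgeDevice|CompromisedRouter", re.I)
DESC_RE = re.compile(r"SOHO|compromised router|ORB network|operational relay|network device|relay box", re.I)

def is_external(ip):  # mirrors the five 'not net.ip_in_range_cidr' exclusions
    return not any(ipaddress.ip_address(ip) in net for net in EXCLUDED_RANGES)

def ioc_matches(entry):  # feed name OR description, as in the rule's parenthesised 'or'
    feed_name, description = entry
    return bool(FEED_RE.search(feed_name) or DESC_RE.search(description))

def run_rule(events, ioc_graph):
    """Return {(src_ip, window_start): [event types]} for every event the rule would match."""
    hits = defaultdict(list)
    for ts, event_type, ip in sorted(events):
        if event_type not in EVENT_TYPES or not is_external(ip):
            continue
        entry = ioc_graph.get(ip)
        if entry is None or not ioc_matches(entry):
            continue
        # Assumption: fixed hourly buckets approximate 'match: $src_ip over 1h'
        window = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        hits[(ip, window.isoformat())].append(event_type)
    return dict(hits)
```

Running it yields two match groups for 203.0.113.10 and nothing for the non-SOHO feed hit or the internal address, which is the behaviour to confirm before adding feeds to the regex.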

Data Sources

  • Chronicle UDM normalized event stream
  • Chronicle Threat Intelligence Graph (IOC entity graph, populated from Google TI feeds and custom imports)
  • Google Cloud Threat Intelligence (VirusTotal Enterprise, Mandiant, Google TAG feeds)
  • Custom IOC imports via Chronicle STIX/TAXII or API ingestion
  • Network perimeter logs ingested via Chronicle forwarder (firewall, proxy, VPN)
  • Identity provider and authentication logs ingested via Chronicle forwarder

Required Tables

  • udm_events (Chronicle UDM normalized event stream)
  • graph (Chronicle IOC/entity graph with threat intelligence enrichment)

False Positives & Tuning

  • Google Threat Intelligence feed entries that apply broad /24 or /16 CIDR attribution for threat actor infrastructure, capturing legitimate co-tenanted or subsequently reassigned IPs within the same subnet as historically compromised SOHO devices
  • Commercially operated VPN or residential proxy services whose exit node IPs have appeared in SOHO/ORB threat intelligence because adversaries used the same commercial proxy infrastructure during observed campaigns
  • Internet scanning and research infrastructure operated by security vendors (Shodan, Censys, GreyNoise) operating from IP ranges adjacent to or previously overlapping with known compromised SOHO device address space
  • Business-to-business partner traffic originating from ISPs in regions with high SOHO compromise rates where broad TI feed attribution sweeps include legitimate subscriber IP allocations
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate SOHO Proxy Authentication via curl Through External Proxy

    Expected signal: Firewall logs record the connection originating from PROXY_IP (the relay device), not the actual test host. Network flow records show only the proxy-to-target leg of the connection. If PROXY_IP were in the threat intelligence feed tagged as SOHO/ORB infrastructure, the KQL ThreatIntelligenceIndicator join and SPL threat_intel_ips lookup would fire. Sysmon Event ID 3 on the test host shows the outbound connection to PROXY_IP:PROXY_PORT.

  2. Test 2: Authentication Attempt from Residential ISP IP Address

    Expected signal: Web server access logs record the X-Forwarded-For IP (98.27.145.200) as the source. If authentication maps to Windows Security Event ID 4625 (failed logon) or 4624 (success), the IpAddress field should capture the forwarded residential IP. Azure AD SigninLogs would show the source IP in the IPAddress field. The residential IP hunting query (first hunting query) would flag this IP if it appeared in SigninLogs with a residential ASN classification.

  3. Test 3: Scan for Exposed SOHO Management Ports on Local Network Segment

    Expected signal: Sysmon Event ID 3 (Network Connection) captures each connection attempt from the nmap process to each scanned port. Firewall logs on a production system would show the sequential port probe pattern. Network IDS/IPS systems should fire on port scanning signatures. The management port hunting query (second hunting query) would fire if this originated from an external IP targeting perimeter infrastructure.

  4. Test 4: Validate Threat Intelligence Pipeline for SOHO/ORB Indicators

    Expected signal: DNS query to 1.1.1.1:53 generates Sysmon Event ID 22 (DNS Query) and Event ID 3 (Network Connection to 1.1.1.1:53). Firewall logs record the outbound UDP/TCP connection to 1.1.1.1:53. If /tmp/ti_test_soho.csv is loaded into the SIEM as a threat intelligence lookup, the connection source IP (1.1.1.1) matches the test TI entry tagged as SOHO/ORB.
