Detect Network Devices in CrowdStrike LogScale
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not Initial Access to that environment, but rather to leverage these devices to support additional targeting. Once an adversary has control, compromised network devices can be used to launch additional operations, such as hosting payloads for Phishing campaigns, enabling Content Injection operations, or serving as proxy relay nodes in Operational Relay Box (ORB) networks. Real-world usage includes Volt Typhoon proxying traffic through geographically co-located SOHO routers to evade geo-anomaly detection, APT28 compromising Ubiquiti devices to harvest credentials from phishing pages, ZIRCONIUM/APT31 building large-scale ORB networks from compromised SOHO and IoT devices, and Leviathan using SOHO devices as C2 relay infrastructure. These techniques are particularly difficult to detect because the compromise occurs entirely outside the victim environment — detection must focus on the downstream observable: when compromised devices interact with the victim's perimeter.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1584 Compromise Infrastructure
- Sub-technique
- T1584.008 Network Devices
- Canonical reference
- https://attack.mitre.org/techniques/T1584/008/
LogScale Detection Query
// T1584.008 — Compromised Infrastructure: Network Devices
// CrowdStrike LogScale — Falcon Data Replicator events
// Detects NetworkConnectIP4, NetworkReceiveAcceptIP4, and UserLogon events where
// the remote IP matches a TI lookup file for compromised SOHO/ORB relay infrastructure.
// Requires 'compromised_network_device_ips.csv' uploaded as a LogScale lookup file
// with columns: ip (string), ti_tags (string), ti_description (string)
#event_simpleName = /^(NetworkConnectIP4|NetworkReceiveAcceptIP4|NetworkConnectIP6|UserLogon)$/
| RemoteIP != null
| RemoteIP != "0.0.0.0"
| regex(
"^(?!10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.|169\\.254\\.)",
field=RemoteIP
)
| match(
file="compromised_network_device_ips.csv",
field=[RemoteIP],
column=[ip],
include=[ti_tags, ti_description]
)
| regex(
"(?i)(SOHO|ORB|VoltTyphoon|APT28|APT31|Leviathan|RouterBotnet|EdgeDevice|CompromisedRouter)",
field=ti_tags
)
| detection_type := case {
#event_simpleName = "UserLogon" => "Auth_From_CompromisedNetworkDevice" ;
#event_simpleName in ["NetworkConnectIP4", "NetworkReceiveAcceptIP4", "NetworkConnectIP6"]
=> "Network_From_CompromisedNetworkDevice" ;
* => "Unknown_CompromisedNetworkDevice_Event"
}
| groupBy(
[RemoteIP, ComputerName, detection_type, ti_tags, UserName],
function=[
count(as=event_count),
min(@timestamp, as=first_seen),
max(@timestamp, as=last_seen)
]
)
| sort(field=last_seen, order=desc, limit=500)CrowdStrike LogScale query against Falcon Data Replicator endpoint telemetry detecting outbound and inbound network connections plus logon events where the remote IP matches entries in a threat intelligence lookup file for compromised SOHO routers, ORB relay networks, and infrastructure attributed to VoltTyphoon, APT28, APT31, and Leviathan. Results are aggregated by source IP and endpoint hostname to surface endpoints with repeated contact with the same compromised infrastructure. Requires a pre-built TI lookup CSV uploaded to LogScale with columns for ip, ti_tags, and ti_description.
Data Sources
Required Tables
False Positives & Tuning
- Falcon-protected endpoints that regularly connect to CDN or SaaS provider IPs that overlap with SOHO/ORB indicator ranges due to IP address recycling at cloud scale, particularly where a provider's IP block was previously used as ORB relay infrastructure and has since been legitimately reassigned
- Corporate remote employees connecting through commercial VPN services whose exit node IPs are present in SOHO/ORB TI feeds because adversaries also used or co-opted the same VPN provider's infrastructure during tracked campaigns
- TI lookup file staleness causing alerts for IPs from dismantled SOHO botnet campaigns that have been cleaned and returned to legitimate ISP subscriber use but remain in the CSV due to infrequent feed refresh cycles
- CrowdStrike-managed infrastructure or third-party security vendor agents generating connections from IPs that share subnet space with historically documented compromised SOHO device ranges in threat intelligence attribution databases
Other platforms for T1584.008
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate SOHO Proxy Authentication via curl Through External Proxy
Expected signal: Firewall logs record the connection originating from PROXY_IP (the relay device), not the actual test host. Network flow records show only the proxy-to-target leg of the connection. If PROXY_IP were in the threat intelligence feed tagged as SOHO/ORB infrastructure, the KQL ThreatIntelligenceIndicator join and SPL threat_intel_ips lookup would fire. Sysmon Event ID 3 on the test host shows the outbound connection to PROXY_IP:PROXY_PORT.
- Test 2Authentication Attempt from Residential ISP IP Address
Expected signal: Web server access logs record the X-Forwarded-For IP (98.27.145.200) as the source. If authentication maps to Windows Security Event ID 4625 (failed logon) or 4624 (success), the IpAddress field should capture the forwarded residential IP. Azure AD SigninLogs would show the source IP in the IPAddress field. The residential IP hunting query (first hunting query) would flag this IP if it appeared in SigninLogs with a residential ASN classification.
- Test 3Scan for Exposed SOHO Management Ports on Local Network Segment
Expected signal: Sysmon Event ID 3 (Network Connection) captures each connection attempt from the nmap process to each scanned port. Firewall logs on a production system would show the sequential port probe pattern. Network IDS/IPS systems should fire on port scanning signatures. The management port hunting query (second hunting query) would fire if this originated from an external IP targeting perimeter infrastructure.
- Test 4Validate Threat Intelligence Pipeline for SOHO/ORB Indicators
Expected signal: DNS query to 1.1.1.1:53 generates Sysmon Event ID 22 (DNS Query) and Event ID 3 (Network Connection to 1.1.1.1:53). Firewall logs record the outbound UDP/TCP connection to 1.1.1.1:53. If /tmp/ti_test_soho.csv is loaded into the SIEM as a threat intelligence lookup, the connection source IP (1.1.1.1) matches the test TI entry tagged as SOHO/ORB.
References (8)
- https://attack.mitre.org/techniques/T1584/008/
- https://www.cisa.gov/sites/default/files/2024-03/aa24-038a-prc-state-sponsored-actors-compromise-us-critical-infrastructure_0.pdf
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
- https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
- https://www.mandiant.com/resources/blog/orb-networks-china-linked-adversaries
- https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1584.008/T1584.008.md
Unlock Pro Content
Get the full detection package for T1584.008 including response playbook, investigation guide, and atomic red team tests.