Detect Network Devices in IBM QRadar
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not Initial Access to that environment, but rather to leverage these devices to support additional targeting. Once an adversary has control, compromised network devices can be used to launch additional operations, such as hosting payloads for Phishing campaigns, enabling Content Injection operations, or serving as proxy relay nodes in Operational Relay Box (ORB) networks. Real-world usage includes Volt Typhoon proxying traffic through geographically co-located SOHO routers to evade geo-anomaly detection, APT28 compromising Ubiquiti devices to harvest credentials from phishing pages, ZIRCONIUM/APT31 building large-scale ORB networks from compromised SOHO and IoT devices, and Leviathan using SOHO devices as C2 relay infrastructure. These techniques are particularly difficult to detect because the compromise occurs entirely outside the victim environment — detection must focus on the downstream observable: when compromised devices interact with the victim's perimeter.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1584 Compromise Infrastructure
- Sub-technique
- T1584.008 Network Devices
- Canonical reference
- https://attack.mitre.org/techniques/T1584/008/
QRadar Detection Query
-- T1584.008 — Compromised Infrastructure: Network Devices
-- Requires 'Compromised_SOHO_ORB_IPs' Reference Set populated via TI feed automation
-- (e.g., QRadar Reference Data API or STIX/TAXII connector importing ORB/SOHO indicators)
-- Queries both events (auth + firewall) and flows (NetFlow/sFlow) tables
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
SOURCEIP(sourceip) AS source_ip,
DESTINATIONIP(destinationip) AS destination_ip,
destinationport AS destination_port,
username,
CATEGORYNAME(category) AS event_category,
LOGSOURCETYPENAME(logsourcetypeid) AS log_source_type,
qidname(qid) AS event_name,
magnitude,
'TI_Match_CompromisedNetworkDevice_Event' AS detection_type
FROM events
WHERE
starttime > (CURRENT_TIMESTAMP - 86400000)
AND INREFERENCESET(SOURCEIP(sourceip), 'Compromised_SOHO_ORB_IPs')
AND NOT INCIDR('10.0.0.0/8', sourceip)
AND NOT INCIDR('172.16.0.0/12', sourceip)
AND NOT INCIDR('192.168.0.0/16', sourceip)
AND NOT INCIDR('127.0.0.0/8', sourceip)
AND NOT INCIDR('169.254.0.0/16', sourceip)
UNION ALL
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
SOURCEIP(sourceip) AS source_ip,
DESTINATIONIP(destinationip) AS destination_ip,
destinationport AS destination_port,
NULL AS username,
'Network Flow' AS event_category,
APPLICATIONNAME(applicationid) AS log_source_type,
'Inbound Network Flow from Compromised Device' AS event_name,
magnitude,
'TI_Match_CompromisedNetworkDevice_Flow' AS detection_type
FROM flows
WHERE
starttime > (CURRENT_TIMESTAMP - 86400000)
AND INREFERENCESET(SOURCEIP(sourceip), 'Compromised_SOHO_ORB_IPs')
AND NOT INCIDR('10.0.0.0/8', sourceip)
AND NOT INCIDR('172.16.0.0/12', sourceip)
AND NOT INCIDR('192.168.0.0/16', sourceip)
AND NOT INCIDR('127.0.0.0/8', sourceip)
ORDER BY event_time DESCDetects inbound events and network flows from IPs matching the 'Compromised_SOHO_ORB_IPs' QRadar reference set, which must be populated via an external TI feed integration covering VoltTyphoon, APT28, APT31, Leviathan, and ORB/SOHO router botnet infrastructure. The UNION ALL combines event-based detections (authentication, firewall log sources) with flow-based detections (NetFlow, sFlow, QFlow) to ensure full perimeter coverage. INCIDR filters exclude RFC1918 and loopback ranges to reduce noise from misconfigured log sources.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate business partner or third-party vendor egress IPs that fall within ranges previously flagged as compromised SOHO infrastructure, particularly where the provider's IP block has been partially or fully reassigned after a botnet takedown
- Cloud NAT gateway or shared egress IPs from hyperscale providers (AWS, Azure, GCP) appearing in SOHO/ORB TI feeds due to brief adversary use of co-tenanted infrastructure before account termination
- Reference set staleness where an IP from a dismantled SOHO botnet campaign has been cleaned, returned to a legitimate ISP customer, and is now generating legitimate traffic but remains in the QRadar reference set
- Anycast or geographic load-balancing IPs whose routing paths through certain regions cause them to appear associated with historically compromised SOHO infrastructure in GeoIP-based TI attribution
Other platforms for T1584.008
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate SOHO Proxy Authentication via curl Through External Proxy
Expected signal: Firewall logs record the connection originating from PROXY_IP (the relay device), not the actual test host. Network flow records show only the proxy-to-target leg of the connection. If PROXY_IP were in the threat intelligence feed tagged as SOHO/ORB infrastructure, the KQL ThreatIntelligenceIndicator join and SPL threat_intel_ips lookup would fire. Sysmon Event ID 3 on the test host shows the outbound connection to PROXY_IP:PROXY_PORT.
- Test 2Authentication Attempt from Residential ISP IP Address
Expected signal: Web server access logs record the X-Forwarded-For IP (98.27.145.200) as the source. If authentication maps to Windows Security Event ID 4625 (failed logon) or 4624 (success), the IpAddress field should capture the forwarded residential IP. Azure AD SigninLogs would show the source IP in the IPAddress field. The residential IP hunting query (first hunting query) would flag this IP if it appeared in SigninLogs with a residential ASN classification.
- Test 3Scan for Exposed SOHO Management Ports on Local Network Segment
Expected signal: Sysmon Event ID 3 (Network Connection) captures each connection attempt from the nmap process to each scanned port. Firewall logs on a production system would show the sequential port probe pattern. Network IDS/IPS systems should fire on port scanning signatures. The management port hunting query (second hunting query) would fire if this originated from an external IP targeting perimeter infrastructure.
- Test 4Validate Threat Intelligence Pipeline for SOHO/ORB Indicators
Expected signal: DNS query to 1.1.1.1:53 generates Sysmon Event ID 22 (DNS Query) and Event ID 3 (Network Connection to 1.1.1.1:53). Firewall logs record the outbound UDP/TCP connection to 1.1.1.1:53. If /tmp/ti_test_soho.csv is loaded into the SIEM as a threat intelligence lookup, the connection source IP (1.1.1.1) matches the test TI entry tagged as SOHO/ORB.
References (8)
- https://attack.mitre.org/techniques/T1584/008/
- https://www.cisa.gov/sites/default/files/2024-03/aa24-038a-prc-state-sponsored-actors-compromise-us-critical-infrastructure_0.pdf
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
- https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
- https://www.mandiant.com/resources/blog/orb-networks-china-linked-adversaries
- https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1584.008/T1584.008.md
Unlock Pro Content
Get the full detection package for T1584.008 including response playbook, investigation guide, and atomic red team tests.