T1584.008 Microsoft Sentinel · KQL

Detect Network Devices in Microsoft Sentinel

Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not Initial Access to that environment, but rather to leverage these devices to support additional targeting. Once an adversary has control, compromised network devices can be used to launch additional operations, such as hosting payloads for Phishing campaigns, enabling Content Injection operations, or serving as proxy relay nodes in Operational Relay Box (ORB) networks. Real-world usage includes Volt Typhoon proxying traffic through geographically co-located SOHO routers to evade geo-anomaly detection, APT28 compromising Ubiquiti devices to harvest credentials from phishing pages, ZIRCONIUM/APT31 building large-scale ORB networks from compromised SOHO and IoT devices, and Leviathan using SOHO devices as C2 relay infrastructure. These techniques are particularly difficult to detect because the compromise occurs entirely outside the victim environment — detection must focus on the downstream observable: when compromised devices interact with the victim's perimeter.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1584 Compromise Infrastructure
Sub-technique
T1584.008 Network Devices
Canonical reference
https://attack.mitre.org/techniques/T1584/008/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// T1584.008 — Compromise Infrastructure: Network Devices
// Detects inbound connections and authentication events from IPs associated with
// known compromised SOHO/network device infrastructure via threat intelligence correlation
let ThreatIntelIPs = ThreatIntelligenceIndicator
| where TimeGenerated > ago(14d)
| where Active == true
| where isnotempty(NetworkIP)
| where Tags has_any ("ORB", "SOHO", "VoltTyphoon", "APT28", "APT31", "Leviathan", "RouterBotnet", "EdgeDevice", "CompromisedRouter")
    or Description has_any ("SOHO", "compromised router", "network device", "ORB network", "operational relay", "relay box")
| project NetworkIP, TIDescription=Description, TITags=Tags, IndicatorType, ExpirationDateTime;
// Authentication events from TI-matched IPs
let AuthFromTI = SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType in (0, 50074, 50076, 50079)
| join kind=inner ThreatIntelIPs on $left.IPAddress == $right.NetworkIP
| project TimeGenerated,
         EventType = "Authentication_From_CompromisedNetworkDevice",
         UserPrincipalName,
         SourceIP = IPAddress,
         AppDisplayName,
         LocationCity = tostring(LocationDetails.city),
         LocationCountry = tostring(LocationDetails.countryOrRegion),
         TIDescription,
         TITags,
         AuthResult = ResultType,
         AuthResultDescription = ResultDescription;
// Inbound network connections from TI-matched IPs
let NetFromTI = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("InboundConnectionAccepted", "ConnectionSuccess")
| where RemoteIPType == "Public"
| join kind=inner ThreatIntelIPs on $left.RemoteIP == $right.NetworkIP
| project TimeGenerated = Timestamp,
         EventType = "NetworkConnection_From_CompromisedNetworkDevice",
         DeviceName,
         SourceIP = RemoteIP,
         DestinationPort = LocalPort,
         ActionType,
         ProcessName = InitiatingProcessFileName,
         TIDescription,
         TITags;
// Firewall/CommonSecurityLog events from TI-matched IPs
let FWFromTI = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where isnotempty(SourceIP)
| join kind=inner ThreatIntelIPs on $left.SourceIP == $right.NetworkIP
| project TimeGenerated,
         EventType = "FirewallEvent_From_CompromisedNetworkDevice",
         DeviceName = DeviceName,
         SourceIP,
         DestinationPort,
         DestinationIP,
         DeviceAction,
         ApplicationProtocol,
         TIDescription,
         TITags;
union AuthFromTI, NetFromTI, FWFromTI
| sort by TimeGenerated desc
high severity low confidence

Detects inbound network connections, authentication events, and firewall activity from IP addresses associated with known compromised SOHO router or ORB network infrastructure, using Microsoft Sentinel Threat Intelligence correlation. Joins SigninLogs, DeviceNetworkEvents, and CommonSecurityLog against ThreatIntelligenceIndicator entries tagged with SOHO, ORB, VoltTyphoon, APT28, APT31, Leviathan, RouterBotnet, or EdgeDevice. Confidence is inherently limited by threat intelligence coverage — this detection surfaces only known-bad infrastructure and will miss novel ORB networks not yet attributed.

Data Sources

Network Traffic: Network Traffic FlowNetwork Traffic: Network Connection CreationUser Account: User Account AuthenticationMicrosoft Sentinel Threat IntelligenceFirewall: Network Connection

Required Tables

ThreatIntelligenceIndicatorSigninLogsDeviceNetworkEventsCommonSecurityLog

False Positives & Tuning

  • Legitimate remote workers on residential ISP connections where the home IP has been historically flagged as SOHO infrastructure — IP reassignment by ISPs means previously-compromised device IPs are routinely reassigned to clean users
  • Commercial VPN providers and residential proxy services that route traffic through the same IP ranges as compromised SOHO devices, particularly if the VPN uses residential ISP IP space
  • Threat intelligence staleness — indicators for SOHO infrastructure are frequently stale within weeks as adversaries rotate through devices; matches on expired or low-confidence indicators produce significant noise
  • Volt Typhoon specifically selects compromised devices geographically co-located near the victim to defeat geo-anomaly detection, meaning flagged IPs may appear to be legitimate local traffic from expected residential ranges
  • Security researchers and red teams using SOHO lab environments or intentionally routing through residential proxy infrastructure during authorized engagements
Download portable Sigma rule (.yml)

Other platforms for T1584.008

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate SOHO Proxy Authentication via curl Through External Proxy

    Expected signal: Firewall logs record the connection originating from PROXY_IP (the relay device), not the actual test host. Network flow records show only the proxy-to-target leg of the connection. If PROXY_IP were in the threat intelligence feed tagged as SOHO/ORB infrastructure, the KQL ThreatIntelligenceIndicator join and SPL threat_intel_ips lookup would fire. Sysmon Event ID 3 on the test host shows the outbound connection to PROXY_IP:PROXY_PORT.

  2. Test 2Authentication Attempt from Residential ISP IP Address

    Expected signal: Web server access logs record the X-Forwarded-For IP (98.27.145.200) as the source. If authentication maps to Windows Security Event ID 4625 (failed logon) or 4624 (success), the IpAddress field should capture the forwarded residential IP. Azure AD SigninLogs would show the source IP in the IPAddress field. The residential IP hunting query (first hunting query) would flag this IP if it appeared in SigninLogs with a residential ASN classification.

  3. Test 3Scan for Exposed SOHO Management Ports on Local Network Segment

    Expected signal: Sysmon Event ID 3 (Network Connection) captures each connection attempt from the nmap process to each scanned port. Firewall logs on a production system would show the sequential port probe pattern. Network IDS/IPS systems should fire on port scanning signatures. The management port hunting query (second hunting query) would fire if this originated from an external IP targeting perimeter infrastructure.

  4. Test 4Validate Threat Intelligence Pipeline for SOHO/ORB Indicators

    Expected signal: DNS query to 1.1.1.1:53 generates Sysmon Event ID 22 (DNS Query) and Event ID 3 (Network Connection to 1.1.1.1:53). Firewall logs record the outbound UDP/TCP connection to 1.1.1.1:53. If /tmp/ti_test_soho.csv is loaded into the SIEM as a threat intelligence lookup, the connection source IP (1.1.1.1) matches the test TI entry tagged as SOHO/ORB.

Last updated: 2026-04-13 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1584.008 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1584Compromise Infrastructure

Related Sub-techniques

T1584.001Compromise Infrastructure: DomainsT1584.002DNS ServerT1584.003Virtual Private ServerT1584.004Compromise Infrastructure: ServerT1584.005BotnetT1584.006Web ServicesT1584.007Serverless

Related Techniques

T1584Compromise InfrastructureT1090ProxyT1090.003Multi-hop ProxyT1665Hide InfrastructureT1566PhishingT1608.005Link TargetT1659Content InjectionT1078Valid AccountsT1583.008MalvertisingT1584.005BotnetT1190Exploit Public-Facing Application

Same Tactic: Resource Development

Popular Detections