Detect Network Devices in Splunk
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not Initial Access to that environment, but rather to leverage these devices to support additional targeting. Once an adversary has control, compromised network devices can be used to launch additional operations, such as hosting payloads for Phishing campaigns, enabling Content Injection operations, or serving as proxy relay nodes in Operational Relay Box (ORB) networks. Real-world usage includes Volt Typhoon proxying traffic through geographically co-located SOHO routers to evade geo-anomaly detection, APT28 compromising Ubiquiti devices to harvest credentials from phishing pages, ZIRCONIUM/APT31 building large-scale ORB networks from compromised SOHO and IoT devices, and Leviathan using SOHO devices as C2 relay infrastructure. These techniques are particularly difficult to detect because the compromise occurs entirely outside the victim environment — detection must focus on the downstream observable: when compromised devices interact with the victim's perimeter.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1584 Compromise Infrastructure
- Sub-technique: T1584.008 Network Devices
- Canonical reference: https://attack.mitre.org/techniques/T1584/008/
SPL Detection Query
(index=firewall OR index=network OR index=perimeter)
    (sourcetype="cisco:asa" OR sourcetype="paloalto:firewall" OR sourcetype="fortinet:firewall" OR sourcetype="stream:tcp" OR sourcetype="juniper:junos:firewall")
| eval src_ip=coalesce(src_ip, src, SourceIP, source_ip)
| eval dest_ip=coalesce(dest_ip, dest, DestinationIP, destination_ip)
| eval dest_port=coalesce(dest_port, dpt, DestinationPort)
| eval action=coalesce(action, DeviceAction, act)
| eval src_internal=if(match(coalesce(src_ip, ""), "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)"), 1, 0)
| eval dest_internal=if(match(coalesce(dest_ip, ""), "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)"), 1, 0)
| where isnotempty(src_ip) AND NOT (src_internal=1 AND dest_internal=1)
| lookup threat_intel_ips.csv ip AS src_ip OUTPUT tags AS src_ti_tags, description AS src_ti_description
| lookup threat_intel_ips.csv ip AS dest_ip OUTPUT tags AS dest_ti_tags, description AS dest_ti_description
| where isnotnull(src_ti_tags) OR isnotnull(dest_ti_tags)
| eval direction=if(isnotnull(src_ti_tags), "inbound_from_ti_ip", "outbound_to_ti_ip")
| eval ti_ip=if(isnotnull(src_ti_tags), src_ip, dest_ip)
| eval ti_tags=coalesce(src_ti_tags, dest_ti_tags), ti_description=coalesce(src_ti_description, dest_ti_description)
| eval detection_type="TI_Match_CompromisedNetworkDevice_NetworkFlow"
| table _time, ti_ip, direction, src_ip, dest_ip, dest_port, action, ti_tags, ti_description, detection_type, sourcetype, host
| append
    [search index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625 OR EventCode=4648)
    | eval src_ip=coalesce(IpAddress, src_ip)
    | where isnotempty(src_ip)
        AND NOT match(src_ip, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.|::1$|-$)")
    | lookup threat_intel_ips.csv ip AS src_ip OUTPUT tags AS ti_tags, description AS ti_description
    | where isnotnull(ti_tags)
    | eval ti_ip=src_ip, direction="inbound_from_ti_ip"
    | eval account=coalesce(TargetUserName, Account, SubjectUserName)
    | eval detection_type="TI_Match_CompromisedNetworkDevice_Auth"
    | table _time, ti_ip, direction, src_ip, ComputerName, EventCode, account, ti_tags, ti_description, detection_type]
| where like(lower(ti_tags), "%soho%") OR like(lower(ti_tags), "%orb%") OR like(lower(ti_tags), "%volttyphoon%") OR like(lower(ti_tags), "%routerbotnet%") OR like(lower(ti_tags), "%apt28%") OR like(lower(ti_tags), "%apt31%") OR like(lower(ti_tags), "%leviathan%") OR like(lower(ti_tags), "%edgedevice%") OR like(lower(ti_tags), "%compromisedrouter%")
| sort - _time

Detects perimeter firewall connections to or from, and Windows logon events (Security Event IDs 4624, 4625, 4648) from, IP addresses that a threat intelligence lookup tags as compromised SOHO, edge or ORB network infrastructure. The first block enriches firewall and flow logs (Cisco ASA, Palo Alto, Fortinet, Juniper, Splunk Stream) with the lookup on both src_ip and dest_ip, so an inbound probe from a compromised router and an outbound beacon from an internal host to an ORB relay both surface; the matched address is reported in ti_ip and the direction in direction. Only traffic that is RFC1918, loopback or link-local on both ends is skipped (the check is IPv4-only), which is what lets the outbound case through. The appended block applies the same lookup to the IpAddress field of Windows logon events, after dropping local logons recorded as "-", and prefers TargetUserName for the account because SubjectUserName is usually SYSTEM or "-" on 4624. Event 7045 (service install) is not included because it carries no source address. Requires a populated threat_intel_ips.csv lookup (an uploaded CSV or a lookup definition backed by a CSV or KV store) with ip, tags and description columns, sourced from MISP, commercial TI feeds, or CISA advisories. The tag filter is a case-insensitive substring match, so any tag containing "orb" or "soho" qualifies; tags of interest: SOHO, ORB, VoltTyphoon, RouterBotnet, APT28, APT31, Leviathan, EdgeDevice, CompromisedRouter. The lookup command is used rather than inputlookup plus join so that matching is not capped by the join subsearch limit; the Windows leg still runs as an append subsearch, which Splunk truncates at its configured limit (50,000 results by default), so schedule the search over a short window (for example every 15 minutes over the previous 20) rather than over long ranges.
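To see the lookup schema and the correlation end to end without a Splunk instance, here is an added Python example (not code from the page or from Splunk) that normalises a constructed TI feed into the ip/tags/description lookup the query reads, replays the matching on src_ip and on the IpAddress field of logon events with the same RFC1918 exclusions and tag filter, and, going beyond the query as originally written, also matches dest_ip so that an outbound beacon to a listed relay is caught. The feed rows, the events, the function names and the allowlist parameter are assumptions made for illustration; only the lookup columns, the event field names and the detection_type values come from the query above. It also serves as an offline check of the tag pipeline that Test 4 under Testing Methodology exercises.

```python
# Added example (not the page's or any vendor's code): build the lookup the SPL
# above consumes and replay its correlation over constructed events, offline.
import csv
import io
import ipaddress

# Tags the SPL keeps; it matches them as case-insensitive substrings.
TAGS_OF_INTEREST = ("soho", "orb", "volttyphoon", "routerbotnet", "apt28", "apt31", "leviathan", "edgedevice", "compromisedrouter")

# Ranges the SPL excludes; documentation ranges stay "external" so they can stand in for public addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed feed export with a duplicate sighting, an RFC1918 address and a malformed row.
RAW_FEED = [
    {"ip": "198.51.100.23", "tags": "SOHO,VoltTyphoon", "description": "SOHO router relay"},
    {"ip": "203.0.113.77", "tags": "ORB,APT31", "description": "ORB relay node"},
    {"ip": "198.51.100.23", "tags": "CompromisedRouter", "description": "Second sighting"},
    {"ip": "192.168.1.1", "tags": "SOHO", "description": "Bad feed row (private)"},
    {"ip": "not-an-ip", "tags": "ORB", "description": "Malformed row"},
    {"ip": "192.0.2.9", "tags": "Malware,Emotet", "description": "Unrelated C2, out of scope"},
]

# Constructed events in the shape the SPL sees after its coalesce() evals: inbound probe,
# outbound beacon, internal-only flow, out-of-scope TI hit, failed logon, local logon ("-").
SAMPLE_EVENTS = [
    {"kind": "flow", "_time": "2024-05-01T10:00:00Z", "src_ip": "198.51.100.23", "dest_ip": "10.1.2.3", "dest_port": 443},
    {"kind": "flow", "_time": "2024-05-01T10:00:05Z", "src_ip": "10.1.2.50", "dest_ip": "203.0.113.77", "dest_port": 8443},
    {"kind": "flow", "_time": "2024-05-01T10:00:09Z", "src_ip": "10.1.2.50", "dest_ip": "10.1.2.3", "dest_port": 445},
    {"kind": "flow", "_time": "2024-05-01T10:00:12Z", "src_ip": "192.0.2.9", "dest_ip": "10.1.2.3", "dest_port": 25},
    {"kind": "winlogon", "_time": "2024-05-01T10:01:00Z", "EventCode": 4625, "IpAddress": "198.51.100.23", "TargetUserName": "jsmith"},
    {"kind": "winlogon", "_time": "2024-05-01T10:01:03Z", "EventCode": 4624, "IpAddress": "-", "TargetUserName": "SYSTEM"},
]


def is_internal(ip):
    """True for the RFC1918/loopback/link-local addresses the SPL filters out."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)


def build_lookup(feed):
    """Normalise feed rows into {ip: {"tags": [...], "description": ...}}: drop unparsable
    and internal addresses (they can only match noise), merge tags of repeated sightings."""
    lookup = {}
    for row in feed:
        try:
            ip = str(ipaddress.ip_address(row["ip"].strip()))
        except ValueError:
            continue
        if is_internal(ip):
            continue
        entry = lookup.setdefault(ip, {"tags": [], "description": row["description"]})
        for tag in (t.strip() for t in row["tags"].split(",")):
            if tag and tag.lower() not in (t.lower() for t in entry["tags"]):
                entry["tags"].append(tag)
    return lookup


def lookup_to_csv(lookup):
    """Serialise in the column order the page's lookup command expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ip", "tags", "description"], lineterminator="\n")
    writer.writeheader()
    for ip in sorted(lookup):
        writer.writerow({"ip": ip, "tags": ",".join(lookup[ip]["tags"]), "description": lookup[ip]["description"]})
    return buf.getvalue()


def match_events(lookup, events, allowlist=frozenset()):
    """Replay the correlation: lookup on src_ip then dest_ip for flows (skipping internal-to-internal
    traffic), on IpAddress for logons; keep hits with a tag of interest; honour a tuning allowlist."""
    hits = []
    for ev in events:
        if ev["kind"] == "flow":
            src, dst = ev["src_ip"], ev.get("dest_ip")
            if is_internal(src) and (dst is None or is_internal(dst)):
                continue
            candidates = [("inbound_from_ti_ip", src), ("outbound_to_ti_ip", dst)]
            detection_type = "TI_Match_CompromisedNetworkDevice_NetworkFlow"
        else:
            src = ev["IpAddress"]
            if src in ("-", "::1") or is_internal(src):
                continue
            candidates = [("inbound_from_ti_ip", src)]
            detection_type = "TI_Match_CompromisedNetworkDevice_Auth"
        for direction, ip in candidates:
            entry = lookup.get(ip)
            if entry is None or ip in allowlist:
                continue
            if not any(t in ",".join(entry["tags"]).lower() for t in TAGS_OF_INTEREST):
                continue
            hits.append({"_time": ev["_time"], "ti_ip": ip, "direction": direction,
                         "ti_tags": entry["tags"], "detection_type": detection_type})
            break  # the source match wins when both ends are listed, as coalesce() does in the SPL
    return hits


if __name__ == "__main__":
    lk = build_lookup(RAW_FEED)
    print(lookup_to_csv(lk), *match_events(lk, SAMPLE_EVENTS), sep="\n")
```

Run as-is to print the three-row CSV (upload it as threat_intel_ips.csv to exercise the Splunk search) followed by the three expected hits: the inbound probe, the outbound beacon to the ORB relay, and the failed logon. The out-of-scope Emotet entry is present in the lookup but produces no hit, which is the tag filter doing its job; calling match_events with allowlist={"198.51.100.23"} drops the two hits from that address while the outbound beacon still alerts, the behaviour you want when tuning out a reassigned residential IP.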
Data Sources
- Perimeter firewall and network flow logs (indexes firewall, network, perimeter) with source IP, destination IP, destination port and action
- Windows Security event log: logon events 4624, 4625 and 4648 with the IpAddress field populated
- Threat intelligence lookup threat_intel_ips.csv with columns ip, tags, description
Required Sourcetypes
- cisco:asa, paloalto:firewall, fortinet:firewall, juniper:junos:firewall, stream:tcp
- WinEventLog:Security
False Positives & Tuning
- Legitimate remote employees on residential ISP connections where the home IP was previously associated with a compromised router and has since been reassigned by the ISP to a clean subscriber
- Commercial residential proxy services and VPN providers that route through SOHO IP space, particularly if employees or contractors use such services for privacy or regional access
- Threat intelligence feed false positives from poorly-sourced or unenriched bulk IP lists that have not been validated against actual SOHO compromise attribution
- Security researchers and penetration testers operating from home lab environments using SOHO hardware intentionally configured to simulate adversary infrastructure
- The reverse problem: Volt Typhoon-style targeting deliberately selects SOHO devices geographically co-located with the victim so that traffic looks local, so a flagged IP that resolves to a nearby residential ISP is not in itself evidence of a false positive, and residential ranges in the organisation's own region should not be bulk-allowlisted
Testing Methodology
Validate this detection against the four tests below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate SOHO Proxy Authentication via curl Through External Proxy
Expected signal: Firewall logs record the connection as originating from PROXY_IP (the relay device), not from the test host, and network flow records show only the proxy-to-target leg. If PROXY_IP is present in threat_intel_ips.csv with a tag of interest, the SPL firewall block fires with PROXY_IP as the source. Sysmon Event ID 3 on the test host shows the outbound connection to PROXY_IP:PROXY_PORT, which is what links the two legs during validation.
- Test 2: Authentication Attempt from Residential ISP IP Address
Expected signal: Web server access logs record the forwarded residential address (98.27.145.200) from X-Forwarded-For as the client. Windows Security Event ID 4625 (failure) or 4624 (success) records the TCP peer in IpAddress, so it shows the residential address only if the proxy in front of the host preserves the client address; otherwise it shows the proxy. Azure AD SigninLogs would show the address in the IPAddress field. The SPL authentication block fires only if 98.27.145.200 is present in threat_intel_ips.csv with a tag of interest; a residential origin on its own does not trigger it and would need a separate residential-ASN hunt.
- Test 3: Scan for Exposed SOHO Management Ports on Local Network Segment
Expected signal: Sysmon Event ID 3 (Network Connection) records each connection attempt from the nmap process to each scanned port. On a production segment, firewall logs show the sequential probe pattern and network IDS/IPS should fire on port-scan signatures. The SPL on this page does not key on scan behaviour; it fires only if the scanning address is external and present in threat_intel_ips.csv with a tag of interest, so this test mainly validates the surrounding telemetry.
- Test 4: Validate Threat Intelligence Pipeline for SOHO/ORB Indicators
Expected signal: The DNS query to 1.1.1.1:53 generates Sysmon Event ID 22 (DNS Query) and Event ID 3 (Network Connection to 1.1.1.1:53), and firewall logs record the outbound UDP/TCP connection to 1.1.1.1:53. If /tmp/ti_test_soho.csv is loaded into Splunk as the threat_intel_ips lookup with 1.1.1.1 tagged as SOHO/ORB, the match is on the destination address (1.1.1.1), not the source: a lookup applied only to src_ip will not fire on this test, so the firewall block must apply the lookup to dest_ip as well for the test to produce an alert.
References (8)
- https://attack.mitre.org/techniques/T1584/008/
- https://www.cisa.gov/sites/default/files/2024-03/aa24-038a-prc-state-sponsored-actors-compromise-us-critical-infrastructure_0.pdf
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
- https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
- https://www.mandiant.com/resources/blog/orb-networks-china-linked-adversaries
- https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1584.008/T1584.008.md