Detect Network Devices in Sumo Logic CSE
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not Initial Access to that environment, but rather to leverage these devices to support additional targeting. Once an adversary has control, compromised network devices can be used to launch additional operations, such as hosting payloads for Phishing campaigns, enabling Content Injection operations, or serving as proxy relay nodes in Operational Relay Box (ORB) networks. Real-world usage includes Volt Typhoon proxying traffic through geographically co-located SOHO routers to evade geo-anomaly detection, APT28 compromising Ubiquiti devices to harvest credentials from phishing pages, ZIRCONIUM/APT31 building large-scale ORB networks from compromised SOHO and IoT devices, and Leviathan using SOHO devices as C2 relay infrastructure. These techniques are particularly difficult to detect because the compromise occurs entirely outside the victim environment — detection must focus on the downstream observable: when compromised devices interact with the victim's perimeter.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1584 Compromise Infrastructure
- Sub-technique
- T1584.008 Network Devices
- Canonical reference
- https://attack.mitre.org/techniques/T1584/008/
Sumo Detection Query
// T1584.008 — Compromised Infrastructure: Network Devices
// Sumo Logic CSE: queries normalized sec_record index and correlates with TI lookup table
// Requires lookup table uploaded to Sumo Logic Catalog at the path specified below
// Lookup table columns: ip (string), ti_tags (string), ti_description (string)
_index=sec_record*
| where !isNull(srcDevice_ip)
| where !(srcDevice_ip matches /^10\./
OR srcDevice_ip matches /^172\.(1[6-9]|2[0-9]|3[01])\./
OR srcDevice_ip matches /^192\.168\./
OR srcDevice_ip matches /^127\./
OR srcDevice_ip matches /^169\.254\./)
| lookup srcDevice_ip as ip
from path://"/Threat Intel/Compromised_Network_Device_IPs" nodrop
| where !isNull(ti_tags)
| where ti_tags matches /(?i)(SOHO|ORB|VoltTyphoon|APT28|APT31|Leviathan|RouterBotnet|EdgeDevice|CompromisedRouter)/
OR ti_description matches /(?i)(SOHO|compromised router|ORB network|operational relay|network device|relay box)/
| if(toLowerCase(metadata_deviceEventId) matches /(auth|login|logon|signin)/,
"Auth_From_CompromisedNetworkDevice",
"Network_From_CompromisedNetworkDevice") as detection_type
| fields _messageTime, srcDevice_ip, dstDevice_ip, dstPort, user_username,
metadata_product, metadata_vendor, metadata_deviceEventId,
ti_tags, ti_description, detection_type
| sort by _messageTime descDetects authentication and network events in Sumo Logic Cloud SIEM Enterprise normalized records where the source device IP matches entries in a threat intelligence lookup table for compromised SOHO/ORB network device infrastructure. Regex filters on ti_tags and ti_description fields cover VoltTyphoon, APT28, APT31, Leviathan, RouterBotnet, and EdgeDevice attribution labels. Requires a lookup table pre-built from an external TI feed and uploaded to Sumo Logic at the specified Catalog path. RFC1918 and loopback addresses are excluded via regex pre-filter.
Data Sources
Required Tables
False Positives & Tuning
- Dynamic IP address reassignment where a previously compromised residential or SOHO IP has been returned to the ISP address pool and assigned to a new legitimate subscriber, with the TI lookup table not yet updated to remove the expired indicator
- Legitimate SaaS platforms or CDN providers whose shared infrastructure appears in SOHO/ORB lookup tables because adversaries used co-tenanted hosting during a campaign before the provider terminated the malicious accounts
- Security operations tooling such as vulnerability scanners, threat intelligence enrichment platforms, or SOC analyst workstations operating from IP ranges that overlap with historically compromised SOHO device attribution in TI feeds
- International business traffic from partner organizations in regions with high SOHO compromise rates, where ISP-assigned IP blocks overlap broadly with compromised device indicator ranges due to imprecise TI attribution granularity
Other platforms for T1584.008
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate SOHO Proxy Authentication via curl Through External Proxy
Expected signal: Firewall logs record the connection originating from PROXY_IP (the relay device), not the actual test host. Network flow records show only the proxy-to-target leg of the connection. If PROXY_IP were in the threat intelligence feed tagged as SOHO/ORB infrastructure, the KQL ThreatIntelligenceIndicator join and SPL threat_intel_ips lookup would fire. Sysmon Event ID 3 on the test host shows the outbound connection to PROXY_IP:PROXY_PORT.
- Test 2Authentication Attempt from Residential ISP IP Address
Expected signal: Web server access logs record the X-Forwarded-For IP (98.27.145.200) as the source. If authentication maps to Windows Security Event ID 4625 (failed logon) or 4624 (success), the IpAddress field should capture the forwarded residential IP. Azure AD SigninLogs would show the source IP in the IPAddress field. The residential IP hunting query (first hunting query) would flag this IP if it appeared in SigninLogs with a residential ASN classification.
- Test 3Scan for Exposed SOHO Management Ports on Local Network Segment
Expected signal: Sysmon Event ID 3 (Network Connection) captures each connection attempt from the nmap process to each scanned port. Firewall logs on a production system would show the sequential port probe pattern. Network IDS/IPS systems should fire on port scanning signatures. The management port hunting query (second hunting query) would fire if this originated from an external IP targeting perimeter infrastructure.
- Test 4Validate Threat Intelligence Pipeline for SOHO/ORB Indicators
Expected signal: DNS query to 1.1.1.1:53 generates Sysmon Event ID 22 (DNS Query) and Event ID 3 (Network Connection to 1.1.1.1:53). Firewall logs record the outbound UDP/TCP connection to 1.1.1.1:53. If /tmp/ti_test_soho.csv is loaded into the SIEM as a threat intelligence lookup, the connection source IP (1.1.1.1) matches the test TI entry tagged as SOHO/ORB.
References (8)
- https://attack.mitre.org/techniques/T1584/008/
- https://www.cisa.gov/sites/default/files/2024-03/aa24-038a-prc-state-sponsored-actors-compromise-us-critical-infrastructure_0.pdf
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
- https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
- https://www.mandiant.com/resources/blog/orb-networks-china-linked-adversaries
- https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1584.008/T1584.008.md
Unlock Pro Content
Get the full detection package for T1584.008 including response playbook, investigation guide, and atomic red team tests.