title: Network Devices (T1584.008)
id: df00tech-t1584-008
status: experimental
description: "Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not Initial Access to that environment, but rather to leverage these devices to support additional targeting. Once an adversary has control, compromised network devices can be used to launch additional operations, such as hosting payloads for Phishing campaigns, enabling Content Injection operations, or serving as proxy relay nodes in Operational Relay Box (ORB) networks. Real-world usage includes Volt Typhoon proxying traffic through geographically co-located SOHO routers to evade geo-anomaly detection, APT28 compromising Ubiquiti devices to harvest credentials from phishing pages, ZIRCONIUM/APT31 building large-scale ORB networks from compromised SOHO and IoT devices, and Leviathan using SOHO devices as C2 relay infrastructure. These techniques are particularly difficult to detect because the compromise occurs entirely outside the victim environment — detection must focus on the downstream observable: when compromised devices interact with the victim's perimeter."
references:
  - https://attack.mitre.org/techniques/T1584/008/
  - https://df00tech.com/detections/T1584.008
author: df00tech
date: 2026/04/13
tags:
  - attack.t1584.008
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate remote workers on residential ISP connections where the home IP has been historically flagged as SOHO infrastructure — IP reassignment by ISPs means previously-compromised device IPs are routinely reassigned to clean users
  - "Commercial VPN providers and residential proxy services that route traffic through the same IP ranges as compromised SOHO devices, particularly if the VPN uses residential ISP IP space"
  - Threat intelligence staleness — indicators for SOHO infrastructure are frequently stale within weeks as adversaries rotate through devices; matches on expired or low-confidence indicators produce significant noise
  - "Volt Typhoon specifically selects compromised devices geographically co-located near the victim to defeat geo-anomaly detection, meaning flagged IPs may appear to be legitimate local traffic from expected residential ranges"
  - Security researchers and red teams using SOHO lab environments or intentionally routing through residential proxy infrastructure during authorized engagements
level: high