Severity: HIGH
CVSS: 8.1
Priority: 0.508
Executive Summary
China-linked threat actors are compromising SOHO routers and IoT devices at scale to build covert proxy networks used to conduct espionage against critical infrastructure. By routing operations through thousands of geographically distributed consumer and small-business devices, attackers defeat IP-based blocking and attribution. Any organization relying on network perimeter controls alone faces elevated risk of undetected intrusion and data theft.
Plain & Simple
Here’s what you need to know.
No jargon. Just the basics.
Are you affected?
Probably, if you have a home internet router and have never updated it or changed its password.
What got out
Suspected: your internet traffic may have been routed through your router by attackers
Suspected: attackers may have changed your router's settings without your knowledge
Do this now
1. Log in to your home router and change the admin password from the default one on the label.
2. Check your router manufacturer's website for a software update and install it.
3. Turn off remote management in your router settings if you see that option.
Watch for these
Websites that look slightly different than usual, especially your bank.
Slow internet that gets worse over time for no clear reason.
Warnings from your browser that a website's security certificate is not trusted.
Should you worry?
Most home users will not be directly targeted for spying. The bigger risk is that your router is quietly used as a relay point for attacks on other organizations. Updating your router and changing the password removes that risk for you.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH (prioritize for investigation)
Actor Attribution: HIGH (China-nexus; unattributed to a specific named group in available sources, consistent with Volt Typhoon and related ORB network operators per prior public reporting)
TTP Sophistication: HIGH (7 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (multiple evasion techniques observed)
Target Scope: INFO (SOHO routers and IoT devices in general; no specific vendor/model confirmed from available sources)
Are You Exposed?
⚠ Your industry is targeted by China-nexus actors (unattributed to a specific named group in available sources; consistent with Volt Typhoon and related ORB network operators per prior public reporting) → Heightened risk
⚠ You use SOHO routers or IoT devices (general; no specific vendor/model confirmed from available sources) → Assess exposure
⚠ 7 attack techniques identified — review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
An undetected presence in your network perimeter infrastructure gives adversaries a persistent, low-visibility foothold from which to conduct long-term espionage, exfiltrate sensitive data, or pre-position for disruptive operations against critical systems. Because traffic originates from legitimate-looking devices on your own network or trusted partner networks, standard security monitoring may not trigger alerts. Organizations in sectors CISA identifies as critical infrastructure — energy, finance, healthcare, telecommunications, defense — face the highest exposure and potential regulatory notification obligations if a breach is confirmed.
You Are Affected If
You operate SOHO routers or IoT devices anywhere on your network, including branch offices, OT environments, or remote access infrastructure
Any device management interface (web GUI, SSH, Telnet, TR-069) is accessible from the internet or from untrusted network segments
Devices are running default factory credentials that have never been changed
Firmware on network-edge devices has not been updated within the past 12 months
Your perimeter defense relies primarily on static IP blocklists without behavioral anomaly detection
Board Talking Points
Chinese state-linked actors are using compromised home and small-business routers as hidden relay points to conduct espionage against organizations like ours, making the attacks hard to detect with standard controls.
We recommend an immediate audit of all edge and IoT devices to disable default credentials and exposed management interfaces, completable within two weeks under existing IT authority.
Without action, attackers may already be operating undetected inside our network perimeter, with no external indicator to trigger an alert.
Technical Analysis
China-nexus actors, consistent with Volt Typhoon and associated ORB network operators, are systematically compromising SOHO routers and IoT devices to construct operational relay box (ORB) proxy infrastructure.
Initial access relies on three weaknesses: default credentials (CWE-1188, CWE-255), exposed management interfaces with missing authentication (CWE-306), and hidden backdoor functionality in device firmware (CWE-912).
No single CVE drives this campaign; exploitation targets configuration failures rather than novel vulnerabilities.
A Microsoft advisory (April 2026) documents active post-compromise chains, including DNS hijacking and adversary-in-the-middle (AiTM) attacks against downstream targets. MITRE ATT&CK techniques in play: T1584.008 (compromise infrastructure: network devices), T1090.003 (proxy: multi-hop proxy), T1078.001 (valid accounts: default accounts), T1133 (external remote services), T1071.001 (application layer protocol: web protocols), T1557 (adversary-in-the-middle), T1565 (data manipulation). No CISA KEV entry is associated with this campaign at this time. Source quality is rated 0.776; the FBI advisory and Microsoft blog are the primary authoritative references.
Action Checklist (IR enriched)
Triage Priority: IMMEDIATE
Escalate to senior IR leadership and legal/compliance if forensic analysis confirms any compromised SOHO device has been relaying traffic into OT/ICS network segments, if DNS hijacking has redirected authentication traffic for privileged accounts, or if dwell time analysis suggests exfiltration from systems containing PII, PHI, or CUI subject to HIPAA, PCI-DSS, or CMMC notification obligations.
Step 1: Containment — Audit all SOHO routers and IoT devices for internet-facing management interfaces (HTTP, Telnet, SSH, TR-069). Disable remote management where not operationally required. Block inbound access to management ports at the perimeter firewall. (Cite: NIST AC-17 Remote Access / NIST AC-4 Information Flow Enforcement / CIS 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure / CIS 4.4 Implement and Manage a Firewall on Servers / D3-PBWSAM Proxy-based Web Server Access Mediation)
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy: isolate affected assets to prevent threat actor from maintaining proxy relay nodes within the network perimeter while investigation proceeds.
NIST IR-4 (Incident Handling)
NIST SC-7 (Boundary Protection)
NIST CM-7 (Least Functionality)
CIS 4.4 (Implement and Manage a Firewall on Servers)
CIS 12.3 — Deny Communications with Known Malicious IP Addresses (IG2/IG3)
Compensating Control
Run a LAN-side Nmap sweep to enumerate exposed management ports: 'nmap -p 80,443,23,22,7547 --open 192.168.1.0/24 -oN soho_mgmt_audit.txt'. For TR-069 (port 7547) specifically, grep firewall logs or run 'tcpdump -i eth0 port 7547' to confirm whether the ISP ACS server — or an unauthorized host — is the initiator. If firewall ACL changes are not possible immediately, use iptables on a Linux gateway: 'iptables -I FORWARD -p tcp --dport 7547 -j DROP' as an emergency block.
Preserve Evidence
Before disabling interfaces, capture the current running configuration of each router (via 'show running-config' or equivalent CLI export) and any active NAT/port-forward rules, which China-linked actors commonly modify to establish persistent inbound relay tunnels. Record all active management interface states and any unexpected virtual server or DMZ entries in the router's web UI. Export DHCP lease tables to identify unknown devices the router may have enrolled as proxy relay nodes.
Step 2: Detection — Query firewall and DNS logs for outbound connections to rotating or unusual IP ranges, high-frequency DNS resolver changes, and traffic volumes inconsistent with device function. Monitor authentication logs for T1557/AiTM indicators: unexpected TLS certificate changes mid-session, authentication tokens appearing from multiple source IPs within a short window, and impossible travel patterns. (Cite: NIST AU-2 Event Logging / NIST AU-6 Audit Record Review, Analysis, And Reporting / NIST AU-3 Content Of Audit Records / CIS 8.2 Collect Audit Logs / D3-ACA Active Certificate Analysis / D3-LAM Local Account Monitoring)
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: correlate network telemetry across firewall, DNS, and authentication log sources to identify proxy relay traffic and AiTM session hijacking consistent with China-linked botnet TTPs.
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-3 (Content of Audit Records)
NIST IR-5 (Incident Monitoring)
CIS 8.2 (Collect Audit Logs)
MITRE ATT&CK T1090.002 (External Proxy)
MITRE ATT&CK T1557 (Adversary-in-the-Middle)
MITRE ATT&CK T1071.001 (Application Layer Protocol: Web Protocols)
Compensating Control
For DNS hijacking detection without a SIEM: run 'Get-DnsClientServerAddress' via PowerShell on all Windows endpoints and diff the output against your documented DNS baseline — any endpoint pointing to a non-corporate or non-ISP resolver is a priority for investigation. For proxy relay traffic patterns, capture a 15-minute pcap with Wireshark filtered on 'tcp.flags.syn==1 && !tcp.flags.ack==1' and look for high-frequency SYN storms to rotating external IPs, which indicate the device is actively relaying attack traffic. Use the free Sigma rule 'net_connection_lolbin_susp_outbound' adapted for your router syslog to flag high-volume outbound flows from SOHO device IPs. For TLS certificate anomalies, run 'openssl s_client -connect <target>:443' from an endpoint and compare the issuer chain against a known-good baseline captured before the suspected compromise window.
Preserve Evidence
Preserve firewall flow logs (NetFlow or syslog) covering at least 30 days prior to detection, focusing on sessions originating from SOHO device management IPs to external destinations — this traffic represents the proxy relay chain used by the botnet operator. Export DNS query logs from your internal resolver and flag any NXDOMAIN storms or rapid TTL changes on authoritative lookups, both indicators of fast-flux DNS infrastructure used by China-linked C2 networks. Capture raw pcaps on the WAN interface segment during the detection window to preserve packet-level evidence of T1090.002 relay behavior before containment actions alter traffic flows.
Step 3: Eradication — Change all default credentials on SOHO routers and IoT devices immediately. Apply the latest vendor-published firmware. Disable unused services including UPnP, WPS, and all remote management interfaces. Factory-reset any device suspected of compromise before reconfiguration. (Cite: NIST AC-2 Account Management / CIS 4.7 Manage Default Accounts on Enterprise Assets and Software / CIS 5.2 Use Unique Passwords / CIS 7.3 Perform Automated Operating System Patch Management / D3-CRO Credential Rotation / D3-CH Credential Hardening)
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication: remove the threat actor's foothold by eliminating the credential weaknesses and service exposures that enabled SOHO devices to be recruited into the proxy botnet, and verify firmware integrity before returning devices to service.
NIST SI-2 (Flaw Remediation)
NIST IA-5 (Authenticator Management)
NIST CM-6 (Configuration Settings)
NIST CM-7 (Least Functionality)
CIS 4.7 (Manage Default Accounts on Enterprise Assets and Software)
CIS 5.2 (Use Unique Passwords)
CIS 7.3 (Perform Automated Operating System Patch Management)
CIS 7.4 (Perform Automated Application Patch Management)
Compensating Control
Before factory reset, extract the full running config and flash memory contents using the device's backup export function (or TFTP dump if supported) to preserve forensic evidence of injected startup scripts or modified cron jobs, which China-linked actors have used to maintain persistence across soft reboots on Linux-based SOHO firmware. Use 'binwalk -e <firmware.bin>' on a Linux analysis workstation to unpack vendor firmware and compare file hashes against the extracted device filesystem — mismatches in '/etc/init.d/' scripts or '/usr/sbin/' binaries indicate implant persistence. For credential rotation at scale across many devices, a bash script looping 'sshpass -p <oldpass> ssh admin@<ip> passwd' is acceptable for emergency remediation if a PAM solution is unavailable.
Preserve Evidence
Before factory reset, capture the device's full syslog output and any crash/core dump files stored in '/var/log/' or flash memory — China-linked implants on SOHO firmware (consistent with VPNFilter and related malware families) leave artifacts in '/var/tmp/', '/dev/shm/', or modified '/etc/rc.local' entries. Document all active port-forwarding rules and any injected static routes present at eradication time, as these represent the operational proxy infrastructure the threat actor built. Photograph or screenshot the device admin panel showing all active services and connected clients before wiping.
Step 4: Recovery — Validate DNS resolver settings on all network devices and endpoints against known-good baselines. Compare running firmware hashes against vendor-published values where available. Monitor outbound traffic baselines for 72 hours post-remediation to confirm no persistent relay or implant activity remains. (Cite: NIST AU-6 Audit Record Review, Analysis, And Reporting / NIST AU-11 Audit Record Retention / CIS 4.6 Securely Manage Enterprise Assets and Software / D3-SFA System File Analysis / D3-SICA System Init Config Analysis)
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery: restore devices to a known-good configuration state, verify firmware integrity against vendor-published hashes, and establish a 72-hour monitoring window to confirm threat actor proxy relay activity has ceased before declaring recovery complete.
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CP-10 (System Recovery and Reconstitution)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST IR-4 (Incident Handling)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory)
Compensating Control
For firmware hash validation without enterprise tooling: download the vendor's published firmware binary, compute 'sha256sum <vendor_firmware.bin>', then extract the hash from the running device via its diagnostic page or SSH ('cat /proc/mtd' and 'md5sum /dev/mtdblock0' on Linux-based devices) and compare — any mismatch after a factory reset and clean flash indicates a supply-chain or deep-persistence implant requiring hardware replacement. For the 72-hour traffic baseline, run 'ntopng' (free community edition) or 'vnstat' on the gateway to capture per-IP bandwidth patterns and flag the previously compromised device IPs if they resume high-volume outbound flows indicative of re-enrollment in the botnet. Automate DNS resolver validation with a PowerShell scheduled task: 'Get-DnsClientServerAddress | Where-Object {$_.ServerAddresses -notmatch "<your_authorized_resolver_IPs>"} | Export-CSV dns_anomalies.csv'.
Preserve Evidence
Retain the pre- and post-remediation traffic baselines (NetFlow or pcap summaries) as comparative evidence to demonstrate that proxy relay traffic ceased following eradication — this is essential for any regulatory notification timeline documentation. Preserve the extracted firmware hash comparison results as forensic artifacts demonstrating the scope of device compromise. Log all DNS resolver settings captured during the validation sweep as a timestamped record for post-incident review.
Step 5: Post-Incident — Review network segmentation to isolate SOHO and IoT devices from critical systems. Establish a formal firmware lifecycle policy requiring vendor-supported devices and scheduled update reviews. Enumerate all managed devices against the asset inventory and address any unauthorized assets. Require MFA on all remotely accessible management interfaces going forward. (Cite: NIST AC-4 Information Flow Enforcement / NIST AC-6 Least Privilege / CIS 1.1 Establish and Maintain Detailed Enterprise Asset Inventory / CIS 1.2 Address Unauthorized Assets / CIS 2.2 Ensure Authorized Software is Currently Supported / CIS 6.4 Require MFA for Remote Network Access / CIS 6.5 Require MFA for Administrative Access / CIS 7.1 Establish and Maintain a Vulnerability Management Process / D3-ODM Operational Dependency Mapping)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: conduct lessons-learned review focused on the defensive gap that allowed China-linked actors to use geographically distributed SOHO proxy nodes to defeat IP-based perimeter controls, and update detection and segmentation strategy accordingly.
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST SI-2 (Flaw Remediation)
NIST RA-3 (Risk Assessment)
NIST CM-2 (Baseline Configuration)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
CIS 3.2 (Establish and Maintain a Data Inventory)
MITRE ATT&CK T1090.002 (External Proxy) — update detection rules to flag behavioral indicators rather than static IP blocklists
Compensating Control
For network segmentation without enterprise NAC: create a dedicated VLAN for all SOHO and IoT devices using consumer-grade managed switches (e.g., TP-Link TL-SG108E supports VLAN isolation at no licensing cost) and configure inter-VLAN routing rules on the firewall to block IoT-segment-to-corporate-segment traffic except explicitly required flows. For the firmware lifecycle policy, build a simple osquery scheduled query ('SELECT name, version FROM deb_packages WHERE name LIKE "%router%"' on Linux management hosts, or maintain a CSV asset register) and set a calendar-based quarterly review reminder tied to vendor security bulletin subscriptions (CISA Known Exploited Vulnerabilities catalog covers major SOHO vendors). Write a Sigma detection rule targeting behavioral proxy relay indicators — high outbound connection count per minute from a single internal IP, especially on ports 443, 80, 1080, and 8080 — to replace reliance on static blocklists that China-linked actors deliberately defeat through botnet IP rotation.
Preserve Evidence
Document the full timeline of proxy relay activity reconstructed from firewall flow logs, including the earliest observed anomalous outbound connection from each compromised device — this establishes dwell time, which is a required data point for any regulatory breach notification assessment. Retain the lessons-learned meeting notes and the control gap mapping to NIST CSF PR.AC, PR.PT, and DE.CM as evidence of due diligence for compliance purposes. Archive the Nmap audit output, firmware hash comparison results, and DNS resolver validation logs as the evidentiary record of remediation completeness.
Recovery Guidance
After factory reset and firmware reflash, do not return any SOHO or IoT device to service without completing the firmware hash validation against vendor-published values, as China-linked implants consistent with this campaign's TTPs have demonstrated persistence across soft resets by modifying flash partitions. Maintain the 72-hour post-remediation monitoring window using NetFlow or pcap-based traffic baselining on the previously compromised device IPs, specifically watching for re-enrollment indicators: outbound connections to rotating IP ranges on ports 443/80/1080, high connection-per-minute rates, and resumed DNS resolver override attempts. Declare recovery complete only after the 72-hour clean window is confirmed and firmware integrity is validated — partial recovery declarations are a critical risk given this threat actor's documented capability to re-compromise devices with unchanged or weak credentials.
Key Forensic Artifacts
Router syslog exports (pre-containment): capture all authentication events, configuration change events, and remote management session logs — China-linked actors accessing SOHO management interfaces leave authentication timestamps and source IPs that reconstruct the initial access timeline consistent with T1078 (Valid Accounts using default credentials).
Firewall NetFlow or session logs (30-day lookback): outbound sessions originating from SOHO device management IPs to external destinations reveal the proxy relay chain; high-volume, short-duration sessions to rotating IPs on ports 443/80/1080/8080 are the operational signature of botnet proxy relay activity used in this campaign.
DNS query logs from internal resolver (pre- and post-compromise): rapid TTL changes, NXDOMAIN storms, and resolver override events on endpoints record the DNS hijacking activity flagged in the Microsoft April 2026 advisory and distinguish it from legitimate DNS behavior.
Router flash memory filesystem dump (pre-factory-reset): files in '/var/tmp/', '/dev/shm/', modified '/etc/rc.local', '/etc/init.d/' scripts, and any added cron entries are the primary persistence artifact locations used by Linux-based SOHO implants in campaigns attributed to China-linked actors including those using VPNFilter-derivative malware.
TLS session metadata and certificate chain logs from WAN-facing traffic (pcap): unexpected issuer CN/OU fields, self-signed certificates on expected enterprise domains, and session token reuse from geographically inconsistent source IPs captured in pcap are the packet-level evidence of T1557/AiTM operations conducted through the proxy botnet relay infrastructure.
Detection Guidance
Ground detection across four behavioral indicators, each mapped to KB-verified controls and log sources.
1. DNS Resolver Tampering (T1565 / T1557): Pull DNS resolver configuration from all routers and endpoints. Compare against documented baselines. Any resolver IP not matching the approved list is a high-confidence indicator of T1565 data manipulation or AiTM staging. Log source: DHCP server logs, router syslog, endpoint DNS client configuration. Controls: NIST AU-2 Event Logging (ensure DNS configuration change events are logged), NIST AU-6 Audit Record Review, Analysis, And Reporting (schedule regular review of DNS log anomalies), NIST AU-3 Content Of Audit Records (confirm logs capture source IP, timestamp, and resolver value). D3FEND: D3-SFA System File Analysis (monitor configuration files storing DNS resolver settings for unauthorized modification).
2. ORB Proxy Relay Activity (T1090.003 / T1584.008): Identify SOHO and IoT devices generating outbound traffic volumes or destination patterns inconsistent with their operational function. Flag sustained outbound sessions to non-local IPs over ports 80, 443, 1080, or 8080 from devices that should not initiate such traffic. Log source: firewall flow logs, NetFlow/IPFIX records. Controls: NIST AU-6 Audit Record Review, Analysis, And Reporting, NIST AU-12 Audit Record Generation (ensure perimeter devices generate flow records), CIS 8.2 Collect Audit Logs (confirm logging is enabled across all network-boundary devices). D3FEND: D3-PBWSAM Proxy-based Web Server Access Mediation (enforce proxy inspection for outbound web traffic to detect relay behavior).
3. AiTM / Session Hijacking Indicators (T1557 / T1078.001): Monitor authentication logs for tokens or session cookies presenting from multiple geographically inconsistent source IPs within a short window. Alert on TLS certificate changes mid-session for established connections. Flag successful logins on management interfaces that have no corresponding provisioning record. Log source: identity provider authentication logs, TLS inspection logs, router management interface access logs. Controls: NIST AU-2 Event Logging, NIST AU-6 Audit Record Review, Analysis, And Reporting, NIST AC-7 Unsuccessful Logon Attempts (enforce and log lockout thresholds), NIST AC-2 Account Management (compare successful logins against provisioned account inventory). D3FEND: D3-ACA Active Certificate Analysis (collect and compare server certificates to detect mid-session substitution), D3-LAM Local Account Monitoring (detect unauthorized or unprovisioned account activity on device management interfaces), D3-MFA Multi-factor Authentication (flag any management-interface access that bypassed required MFA).
4. Default Credential Exploitation (T1078.001 / CWE-1188 / CWE-255): Review authentication logs on management interfaces for successful logins using credentials that match known device default values or that were never explicitly provisioned in the account inventory. Log source: router and IoT device management access logs, RADIUS/TACACS logs where applicable. Controls: NIST AC-2 Account Management, CIS 5.1 Establish and Maintain an Inventory of Accounts (cross-reference successful logins against the account inventory), CIS 4.7 Manage Default Accounts on Enterprise Assets and Software. D3FEND: D3-CH Credential Hardening (enforce credential changes away from defaults as a detection prerequisite), D3-CRO Credential Rotation (detect accounts that have not had credentials rotated within policy as a hunting signal).
Hunting Hypothesis: Query CIS 1.1 asset inventory for devices running firmware older than 18 months or flagged as no longer vendor-supported per CIS 2.2. Cross-correlate those device IPs against outbound firewall flow logs for anomalous session patterns. Devices matching both conditions — aged firmware and anomalous outbound traffic — represent the highest-priority investigation targets for ORB node compromise consistent with Volt Typhoon ORB network TTPs (T1584.008, T1090.003). Controls supporting the hunt: NIST AU-6, AU-12, AU-2; CIS 1.1, 2.2, 8.2; D3FEND: D3-PLM Physical Link Mapping (establish ground-truth device connectivity to identify unexpected relay paths).
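The following Python is an added example, not code from the advisory, the FBI or Microsoft: it runs indicators 1 and 2 and the hunting hypothesis above over constructed firewall flow lines, endpoint DNS client settings and an asset register, flagging a router that bursts sessions to rotating external hosts while leaving a normal workstation and an internal-only camera unflagged. The flow log format, internal address ranges, resolver baseline, thresholds and asset register fields are all assumptions.

```python
"""Added example (not from the advisory, FBI or Microsoft): Detection Guidance
indicators 1 and 2 plus the hunting hypothesis, run over constructed sample data.
Log format, internal ranges, resolver baseline, thresholds and asset fields are assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import date

# Assumed environment configuration (not taken from the page)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
AUTHORIZED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # documented DNS baseline
RELAY_PORTS = {80, 443, 1080, 8080}                # ports named in the guidance
CONN_PER_MIN_THRESHOLD = 30                        # tune to your own traffic baseline
MAX_FIRMWARE_AGE_MONTHS = 18                       # hunting hypothesis cutoff

# Constructed asset register (CIS 1.1 / 2.2 style fields are assumed)
SOHO_ASSETS = {
    "192.168.1.1": {"name": "branch-rtr-01", "firmware_date": "2024-01-15", "vendor_supported": True},
    "192.168.1.2": {"name": "lobby-cam-03", "firmware_date": "2025-11-02", "vendor_supported": True},
    "192.168.1.3": {"name": "ot-gw-07", "firmware_date": "2026-02-01", "vendor_supported": False},
}

# Constructed firewall flow records, one TCP session per line
FLOW_LOG = (
    # router: 45 sessions in one minute to rotating external hosts on 443
    [f"2026-05-05T10:01:{s:02d}Z src=192.168.1.1 dst=203.0.113.{s + 1} dport=443 proto=tcp"
     for s in range(45)]
    # workstation: ordinary browsing volume to a single host
    + [f"2026-05-05T10:01:{s:02d}Z src=192.168.1.50 dst=198.51.100.20 dport=443 proto=tcp"
       for s in range(5)]
    # camera to an internal recorder: not outbound, must not be flagged
    + ["2026-05-05T10:02:00Z src=192.168.1.2 dst=10.0.0.5 dport=8080 proto=tcp"]
)

# Constructed endpoint DNS client settings (host -> configured resolvers)
DNS_CLIENT_CONFIG = {
    "ws-17": ["10.0.0.53", "10.0.1.53"],
    "ws-22": ["198.51.100.9", "10.0.0.53"],  # first resolver is off-baseline
    "ws-31": ["10.0.1.53"],
}

FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)$")

def is_external(ip):
    """True when the address lies outside the assumed internal address space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def relay_candidates(flow_lines, threshold=CONN_PER_MIN_THRESHOLD):
    """Indicator 2: internal sources whose session count to external hosts on relay
    ports exceeds `threshold` within one minute -> {src: {peak_per_min, distinct_dst}}."""
    per_minute = defaultdict(int)  # (src, minute) -> session count
    dsts = defaultdict(set)        # src -> distinct external destinations
    for line in flow_lines:
        m = FLOW_RE.match(line)
        if not m:
            continue               # skip malformed lines instead of failing the run
        ts, src, dst, dport, _proto = m.groups()
        if int(dport) not in RELAY_PORTS or not is_external(dst):
            continue
        per_minute[(src, ts[:16])] += 1  # ts[:16] is "YYYY-MM-DDTHH:MM"
        dsts[src].add(dst)
    hits = {}
    for (src, _minute), count in per_minute.items():
        if count > threshold:
            peak = max(count, hits.get(src, {}).get("peak_per_min", 0))
            hits[src] = {"peak_per_min": peak, "distinct_dst": len(dsts[src])}
    return hits

def resolver_anomalies(client_config, authorized=AUTHORIZED_RESOLVERS):
    """Indicator 1: sorted (host, resolver) pairs whose resolver is off the baseline."""
    return sorted((host, r) for host, resolvers in client_config.items()
                  for r in resolvers if r not in authorized)

def months_between(older, newer):
    months = (newer.year - older.year) * 12 + newer.month - older.month
    return months - 1 if newer.day < older.day else months

def hunt(as_of_iso, assets=SOHO_ASSETS, flow_lines=FLOW_LOG):
    """Hunting hypothesis: aged (or unsupported) firmware AND anomalous outbound
    relay traffic. Returns the sorted list of matching device IPs."""
    as_of = date.fromisoformat(as_of_iso)
    relay = relay_candidates(flow_lines)
    return sorted(ip for ip, a in assets.items() if ip in relay and (
        not a["vendor_supported"]
        or months_between(date.fromisoformat(a["firmware_date"]), as_of) > MAX_FIRMWARE_AGE_MONTHS))

if __name__ == "__main__":
    print("relay candidates:", relay_candidates(FLOW_LOG))
    print("resolver anomalies:", resolver_anomalies(DNS_CLIENT_CONFIG))
    print("hunt hits (as of 2026-05-05):", hunt("2026-05-05"))
```

The unsupported OT gateway is aged but produces no anomalous traffic, so the hunt reports only the router that satisfies both conditions.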
Note: The detection guidance above cites only controls from the reference set used to build this item, which does not include the NIST SI or CM control families. SI-4 (System Monitoring) and CM-6 (Configuration Settings) are directly relevant to this campaign; consult them in the full SP 800-53 Rev. 5 catalog for complete coverage.
Indicators of Compromise (1)
Type: IP
Value: [none confirmed in available sources]
Confidence: LOW
Context: No specific IOC list has been publicly released for this campaign. ORB network egress nodes rotate frequently; static IP-based IOCs are of limited utility for this threat.
Platform Playbooks
Microsoft Sentinel / Defender
Microsoft 365 E3 (3 log sources): Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5 (18 log sources): Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
MITRE ATT&CK Hunting Queries (2)
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
CrowdStrike Falcon: No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
AWS Security: No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1071.001, T1584.008, T1078.001, T1133, T1090.003, T1565, T1557
NIST SP 800-53: AC-17, AC-20, IA-2, IA-5, SC-7
MITRE ATT&CK Mapping
T1584.008 Network Devices (resource-development)
T1133 External Remote Services (persistence)
T1090.003 Multi-hop Proxy (command-and-control)
T1565 Data Manipulation (impact)
T1557 Adversary-in-the-Middle (credential-access)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.
Intelligence Update History
This item has been re-enriched 1 time as new signals surfaced (CVE assignment, CVSS revisions, threat attribution, KEV catalog additions). Every change is logged below with before/after evidence.
Score Change (May 5, 2026): rating critical→high
Before: Priority 0.83; CVSS 8.1; Rating Critical; CISA KEV No; Actors 1; MITRE 7
After: Priority 0.51; CVSS 8.1; Rating High; CISA KEV No; Actors 1; MITRE 7