GitHub Repo

Analytics Story: China-Nexus Threat Activity

Updated Date: 2026-05-13 ID: ac8b8e7c-ed27-428b-871f-ceb9400c733a Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to Nexus, Chinese state-nexus adversaries known for its stealth and strategic targeting of high-value sectors. Monitor for indicators such as spear-phishing campaigns, exploitation of zero-day vulnerabilities, and unauthorized lateral movement within your network. Investigate anomalous data exfiltration, encrypted communications, and behaviors aligning with their known tactics, techniques, and procedures (TTPs). Combining threat intelligence with real-time monitoring helps identify and respond to Nexus APT activity, minimizing potential damage and data loss. This includes TTPs for groups such as APT31, APT40, and more. Also covers UNC groups such as UNC3886.

Why it matters

As described by Crowdstrike, Chinese state-nexus threat group or adversary are known to target the telecommunications and technology sectors in multiple countries, including the US, to maintain sustained access as well as conduct espionage. Compromised entities in either sector represent potential supply chain vectors of concern to Splunk, although telecommunications entities are a more pervasive and acute concern in this regard. These actors are also known to broadly target unpatched routers, switches and other edge devices across various sectors. Given these threats, Splunk Threat Intelligence (TI) undertook a detailed investigation into China-nexus tactics and techniques that could be used in attempts to compromise Splunk. This report is the result of that investigation, detailing noteworthy behaviors and tools employed by China-nexus targeted intrusion actors.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Windows Service Creation on Remote Endpoint Windows Service TTP
Linux Possible Access To Credential Files /etc/passwd and /etc/shadow Anomaly
Windows Svchost.exe Parent Process Anomaly Break Process Trees Anomaly
Detect Rare Executables User Execution Anomaly
Linux Gdrive Binary Activity Exfiltration Over Web Service TTP
Suspicious Scheduled Task from Public Directory Scheduled Task Anomaly
Windows Anonymous Pipe Activity Inter-Process Communication Hunting
ESXi VM Discovery Virtual Machine Discovery TTP
Malicious PowerShell Process - Execution Policy Bypass PowerShell Anomaly
WinEvent Scheduled Task Created Within Public Path Scheduled Task TTP
Windows Curl Download to Suspicious Path Ingress Tool Transfer TTP
Executables Or Script Creation In Temp Path Masquerading Anomaly
Linux Iptables Firewall Modification Disable or Modify System Firewall Anomaly
Internal Horizontal Port Scan NMAP Top 20 Network Service Discovery TTP
Linux Auditd File Permission Modification Via Chmod Linux and Mac Permissions Anomaly
Non Firefox Process Access Firefox Profile Dir Credentials from Web Browsers Anomaly
Registry Keys Used For Persistence Registry Run Keys / Startup Folder TTP
Linux Medusa Rootkit Rootkit, Credentials TTP
Linux Auditd Nopasswd Entry In Sudoers File Sudo and Sudo Caching Anomaly
Linux Install Kernel Module Using Modprobe Utility Kernel Modules and Extensions Anomaly
Linux NOPASSWD Entry In Sudoers File Sudo and Sudo Caching Anomaly
Windows Process Execution From ProgramData Match Legitimate Resource Name or Location Hunting
Linux Service File Created In Systemd Directory Systemd Timers Anomaly
ESXi Malicious VIB Forced Install vSphere Installation Bundles TTP
Suspicious Regsvr32 Register Suspicious Path Regsvr32 TTP
Windows Credentials from Password Stores Chrome Login Data Access Query Registry Anomaly
ESXi VIB Acceptance Level Tampering Disable or Modify Tools TTP
Internal Horizontal Port Scan Network Service Discovery TTP
Linux Auditd Preload Hijack Library Calls Dynamic Linker Hijacking TTP
Linux Sudoers Tmp File Creation Sudo and Sudo Caching Anomaly
WinEvent Scheduled Task Created to Spawn Shell Scheduled Task TTP
Windows Query Registry Browser List Application Query Registry Anomaly
Detect Renamed PSExec Service Execution Hunting
Windows Credentials from Password Stores Chrome LocalState Access Query Registry Anomaly
Linux File Creation In Init Boot Directory RC Scripts Anomaly
Windows SnappyBee Create Test Registry Modify Registry TTP
ESXi Sensitive Files Accessed /etc/passwd and /etc/shadow, Data from Local System TTP
PowerShell 4104 Hunting PowerShell Hunting
Linux Auditd Install Kernel Module Using Modprobe Utility Kernel Modules and Extensions Anomaly
Windows Unsigned MS DLL Side-Loading Boot or Logon Autostart Execution, DLL Anomaly
Linux Auditd Possible Access To Sudoers File Sudo and Sudo Caching Anomaly
Windows Credential Access From Browser Password Store Query Registry Anomaly
Detect Renamed WinRAR Archive via Utility Hunting
Windows Service Creation Using Registry Entry Services Registry Permissions Weakness Anomaly
Windows Unsigned DLL Side-Loading DLL Anomaly
Windows Service Created with Suspicious Service Path Service Execution TTP
Windows Unusual SysWOW64 Process Run System32 Executable Break Process Trees Anomaly
Linux Possible Access To Sudoers File Sudo and Sudo Caching Anomaly
Linux Auditd Possible Access To Credential Files /etc/passwd and /etc/shadow Anomaly
Windows Suspicious VMWare Tools Child Process Command and Scripting Interpreter TTP
Windows Replication Through Removable Media Replication Through Removable Media TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
ESXi Firewall Disabled Disable or Modify System Firewall TTP
Linux Preload Hijack Library Calls Dynamic Linker Hijacking TTP
Windows Access Token Manipulation SeDebugPrivilege Create Process with Token Anomaly
Non Chrome Process Accessing Chrome Default Dir Credentials from Web Browsers Anomaly
Linux Common Process For Elevation Control Setuid and Setgid Hunting
Windows Archive Collected Data via Rar Archive via Utility Anomaly
Remote Process Instantiation via WMI Windows Management Instrumentation TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task Anomaly
Windows Unsigned DLL Side-Loading In Same Process Path DLL TTP
Windows Suspicious Process File Path Match Legitimate Resource Name or Location, Create or Modify System Process TTP
Detect Large ICMP Traffic Non-Application Layer Protocol TTP
Windows Gdrive Binary Activity Exfiltration Over Web Service TTP
Internal Vertical Port Scan Network Service Discovery TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Sysmon EventID 18 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
VMWare ESXi Syslog Other vmw-syslog vmware:esxlog
Windows Event Log Security 4698 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Cisco Network Visibility Module Flow Data Network icon Network cisco:nvm:flowdata not_applicable
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Cisco Secure Firewall Threat Defense Connection Event Other cisco:sfw:estreamer not_applicable
AWS CloudWatchLogs VPCflow AWS icon AWS aws:cloudwatchlogs:vpcflow aws_cloudwatchlogs_vpcflow
Linux Auditd Proctitle Linux icon Linux auditd auditd
Windows Event Log Security 4663 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 13 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 11 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Linux Auditd Execve Linux icon Linux auditd auditd
Powershell Script Block Logging 4104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Linux Auditd Syscall Linux icon Linux auditd auditd
Sysmon EventID 7 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Linux Auditd Path Linux icon Linux auditd auditd
Linux Auditd Cwd Linux icon Linux auditd auditd
Windows Event Log System 7045 Windows icon Windows XmlWinEventLog XmlWinEventLog:System
Windows Event Log Security 4703 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Palo Alto Network Traffic Network icon Network pan:traffic not_applicable
Cisco Secure Access Firewall Other cisco:cloud_security:firewall cisco_secure_access:firewall

References

Source: GitHub | Version: 4