Analytics Story: China-Nexus Threat Activity
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to Nexus, Chinese state-nexus adversaries known for its stealth and strategic targeting of high-value sectors. Monitor for indicators such as spear-phishing campaigns, exploitation of zero-day vulnerabilities, and unauthorized lateral movement within your network. Investigate anomalous data exfiltration, encrypted communications, and behaviors aligning with their known tactics, techniques, and procedures (TTPs). Combining threat intelligence with real-time monitoring helps identify and respond to Nexus APT activity, minimizing potential damage and data loss. This includes TTPs for groups such as APT31, APT40, and more. Also covers UNC groups such as UNC3886.
Why it matters
As described by Crowdstrike, Chinese state-nexus threat group or adversary are known to target the telecommunications and technology sectors in multiple countries, including the US, to maintain sustained access as well as conduct espionage. Compromised entities in either sector represent potential supply chain vectors of concern to Splunk, although telecommunications entities are a more pervasive and acute concern in this regard. These actors are also known to broadly target unpatched routers, switches and other edge devices across various sectors. Given these threats, Splunk Threat Intelligence (TI) undertook a detailed investigation into China-nexus tactics and techniques that could be used in attempts to compromise Splunk. This report is the result of that investigation, detailing noteworthy behaviors and tools employed by China-nexus targeted intrusion actors.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon for Linux EventID 1 | sysmon:linux |
Syslog:Linux-Sysmon/Operational |
|
| Windows Event Log Security 4663 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor |
crowdstrike |
| Sysmon EventID 1 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Windows Event Log Security 4688 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| VMWare ESXi Syslog | Other | vmw-syslog |
vmware:esxlog |
| Sysmon EventID 13 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Cisco Network Visibility Module Flow Data | cisco:nvm:flowdata |
not_applicable |
|
| AWS CloudWatchLogs VPCflow | aws:cloudwatchlogs:vpcflow |
aws_cloudwatchlogs_vpcflow |
|
| Cisco Secure Firewall Threat Defense Connection Event | Other | cisco:sfw:estreamer |
not_applicable |
| Windows Event Log Security 4698 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Sysmon EventID 7 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Linux Auditd Proctitle | auditd |
auditd |
|
| Sysmon for Linux EventID 11 | sysmon:linux |
Syslog:Linux-Sysmon/Operational |
|
| Linux Auditd Cwd | auditd |
auditd |
|
| Linux Auditd Path | auditd |
auditd |
|
| Sysmon EventID 17 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 18 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 11 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Windows Event Log Security 4703 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Linux Auditd Syscall | auditd |
auditd |
|
| Palo Alto Network Traffic | pan:traffic |
not_applicable |
|
| Cisco Secure Access Firewall | Other | cisco:cloud_security:firewall |
cisco_secure_access:firewall |
| Linux Auditd Execve | auditd |
auditd |
|
| Windows Event Log System 7045 | XmlWinEventLog |
XmlWinEventLog:System |
|
| Powershell Script Block Logging 4104 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
References
- https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/
- https://www.crowdstrike.com/adversaries/envoy-panda/
- https://cloud.google.com/blog/topics/threat-intelligence/apt40-examining-a-china-nexus-espionage-actor
- https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html
- https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-weapons-97d4ef95?st=oe1KKi&reflink=desktopwebshare%20_permalink
- https://www.judiciary.senate.gov/imo/media/doc/2024-11-19_pm_-testimony-_meyers.pdf
- https://go.crowdstrike.com/rs/281-OBQ-266/images/GlobalThreatReport2024.pdf
Source: GitHub | Version: 4