Analytics Story: Salt Typhoon

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to Salt Typhoon, a sophisticated threat actor targeting various sectors with espionage-focused campaigns. Monitor for indicators such as spear-phishing emails, unauthorized access attempts, and lateral movement within your network. Investigate anomalous data exfiltration patterns and command-and-control (C2) traffic consistent with known tactics, techniques, and procedures (TTPs) of this group. Combining threat intelligence with advanced monitoring tools helps identify potential Salt Typhoon activity early, enabling swift response to mitigate risks effectively.

Why it matters

Salt Typhoon is a highly capable threat actor known for conducting targeted espionage campaigns against diverse sectors, including government, technology, and critical infrastructure. This group leverages sophisticated tactics such as spear-phishing, credential theft, and exploiting software vulnerabilities to gain initial access. Once inside a network, Salt Typhoon demonstrates expertise in lateral movement, privilege escalation, and covert data exfiltration. Their use of custom malware and command-and-control (C2) infrastructures highlights their adaptability. Detecting their activity requires robust threat intelligence and proactive monitoring of unusual behaviors and network anomalies.

Cisco Privileged Account Creation with HTTP Command Execution

| tstats `security_content_summariesonly`
  min(_time) as firstTime
  max(_time) as lastTime
  sum(All_Risk.calculated_risk_score) as risk_score
  count(All_Risk.calculated_risk_score) as risk_event_count
  values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id
  dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count
  values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id
  dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count
  values(All_Risk.tag) as tag
  values(source) as source
  dc(source) as source_count
  values(contributing_events_search)
  values(All_Risk.threat_object)
  from datamodel=Risk.All_Risk where
  source IN (
    "*Cisco IOS Suspicious Privileged Account Creation*",
    "*Cisco Secure Firewall - Privileged Command Execution via HTTP*"
  )
  by All_Risk.normalized_risk_object
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 2
| `cisco_privileged_account_creation_with_http_command_execution_filter`
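The correlation above only fires when one risk object (here, a network device) has been hit by both of the named detections. To make that gating concrete, the following is an added example, not part of Splunk's analytics story or the ESCU content, that re-implements the search's aggregation in plain Python over a constructed list of risk events: the `All_Risk.*` field prefix is already dropped (as `drop_dm_object_name` would do), `to_ctime` stands in for the `security_content_ctime` macro, and every event, host name and score is made up.

```python
"""Added example (not part of the Splunk analytics story): re-implements the
risk-correlation logic of the SPL search above in plain Python over a
constructed list of risk events, so the `source_count >= 2` gate can be
studied offline."""
from collections import defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample risk events shaped like rows of the Risk.All_Risk data
# model (prefix already dropped). Hosts, users, scores and times are made up.
SAMPLE_RISK_EVENTS = [
    {"_time": 1717410000, "source": "Cisco IOS Suspicious Privileged Account Creation",
     "normalized_risk_object": "edge-rtr-01", "calculated_risk_score": 40,
     "mitre_tactic_id": "TA0003", "mitre_technique_id": "T1136", "threat_object": "admin2"},
    {"_time": 1717410900, "source": "Cisco Secure Firewall - Privileged Command Execution via HTTP",
     "normalized_risk_object": "edge-rtr-01", "calculated_risk_score": 50,
     "mitre_tactic_id": "TA0002", "mitre_technique_id": "T1059", "threat_object": "10.0.0.5"},
    # Two risk events on core-sw-07, but from the SAME detection: one distinct source only.
    {"_time": 1717411000, "source": "Cisco IOS Suspicious Privileged Account Creation",
     "normalized_risk_object": "core-sw-07", "calculated_risk_score": 40,
     "mitre_tactic_id": "TA0003", "mitre_technique_id": "T1136", "threat_object": "svc_backup"},
    {"_time": 1717411100, "source": "Cisco IOS Suspicious Privileged Account Creation",
     "normalized_risk_object": "core-sw-07", "calculated_risk_score": 40,
     "mitre_tactic_id": "TA0003", "mitre_technique_id": "T1136", "threat_object": "svc_backup"},
    # A detection outside the `source IN (...)` list: ignored by this correlation.
    {"_time": 1717411200, "source": "Windows Curl Download to Suspicious Path",
     "normalized_risk_object": "edge-rtr-01", "calculated_risk_score": 30,
     "mitre_tactic_id": "TA0011", "mitre_technique_id": "T1105", "threat_object": "curl.exe"},
]

# The same wildcard patterns the search's `source IN (...)` clause uses.
SOURCE_PATTERNS = (
    "*Cisco IOS Suspicious Privileged Account Creation*",
    "*Cisco Secure Firewall - Privileged Command Execution via HTTP*",
)
MIN_DISTINCT_SOURCES = 2  # the `where source_count >= 2` gate


def source_matches(source, patterns=SOURCE_PATTERNS):
    """Emulate SPL `source IN ("*a*", "*b*")` wildcard matching."""
    return any(fnmatchcase(source, p) for p in patterns)


def correlate_risk_events(events, patterns=SOURCE_PATTERNS, min_sources=MIN_DISTINCT_SOURCES):
    """Group matching risk events by normalized_risk_object, aggregate the same
    statistics the tstats search computes, and keep only risk objects seen by
    at least `min_sources` distinct detections."""
    groups = defaultdict(list)
    for ev in events:
        if source_matches(ev["source"], patterns):
            groups[ev["normalized_risk_object"]].append(ev)

    findings = []
    for risk_object, evs in groups.items():
        sources = sorted({e["source"] for e in evs})  # values(source) / dc(source)
        if len(sources) < min_sources:
            continue  # a single detection, however often it fired, does not correlate
        findings.append({
            "risk_object": risk_object,
            "firstTime": min(e["_time"] for e in evs),
            "lastTime": max(e["_time"] for e in evs),
            "risk_score": sum(e["calculated_risk_score"] for e in evs),
            "risk_event_count": len(evs),
            "mitre_tactic_ids": sorted({e["mitre_tactic_id"] for e in evs}),
            "mitre_technique_ids": sorted({e["mitre_technique_id"] for e in evs}),
            "sources": sources,
            "source_count": len(sources),
            "threat_objects": sorted({e["threat_object"] for e in evs}),
        })
    return findings


def to_ctime(epoch):
    """Stand-in for the `security_content_ctime` macro: epoch -> readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for f in correlate_risk_events(SAMPLE_RISK_EVENTS):
        print(f"{f['risk_object']}: {f['source_count']} distinct detections, "
              f"risk {f['risk_score']}, {to_ctime(f['firstTime'])} .. {to_ctime(f['lastTime'])}")
        for s in f["sources"]:
            print("  -", s)
```

With the constructed input only `edge-rtr-01` surfaces: it carries both the IOS account-creation and the Secure Firewall HTTP command detections, while `core-sw-07` has two events from one detection and is suppressed, and the unrelated curl detection never enters the aggregation. Lowering `min_sources` to 1 shows how much noisier the correlation becomes without the two-source requirement.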

Detections

Name | Technique | Type
Linux NOPASSWD Entry In Sudoers File | Sudo and Sudo Caching | Anomaly
Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly
Remote Process Instantiation via WMI | Windows Management Instrumentation | TTP
Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | Anomaly
Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP
Windows Curl Download to Suspicious Path | Ingress Tool Transfer | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task | Anomaly
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task | TTP
Windows Query Registry Browser List Application | Query Registry | Anomaly
Windows Unusual SysWOW64 Process Run System32 Executable | Break Process Trees | Anomaly
Cisco IOS XE Guestshell Activation and Destroy | Command and Scripting Interpreter, Escape to Host | Anomaly
Detect Rare Executables | User Execution | Anomaly
Linux Preload Hijack Library Calls | Dynamic Linker Hijacking | TTP
Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly
Detect Renamed PSExec | Service Execution | Hunting
Cisco IOS XE Request Platform Package Describe Shell Pattern | Command and Scripting Interpreter, Exploit Public-Facing Application | TTP
Windows Archive Collected Data via Rar | Archive via Utility | Anomaly
Windows Unsigned DLL Side-Loading | DLL | Anomaly
Cisco Secure Firewall - SSH Connection to sshd_operns | SSH | Anomaly
Linux Auditd Possible Access To Credential Files | /etc/passwd and /etc/shadow | Anomaly
Cisco IOS XE Remote Access Probe Burst | Remote System Discovery, SSH, Network Service Discovery | Anomaly
Cisco IOS XE Tunnel Interface Configuration | Proxy, Protocol Tunneling | Anomaly
Linux Possible Access To Sudoers File | Sudo and Sudo Caching | Anomaly
Linux Sudoers Tmp File Creation | Sudo and Sudo Caching | Anomaly
Linux Auditd Possible Access To Sudoers File | Sudo and Sudo Caching | Anomaly
Linux Auditd File Permission Modification Via Chmod | Linux and Mac Permissions | Anomaly
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Windows Service Creation on Remote Endpoint | Windows Service | TTP
Windows Anonymous Pipe Activity | Inter-Process Communication | Hunting
Suspicious Regsvr32 Register Suspicious Path | Regsvr32 | TTP
Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly
Cisco IOS XE VTY Access Class Tampering | Remote Services, Impair Defenses | Anomaly
Cisco Secure Firewall - Privileged Command Execution via HTTP | Command and Scripting Interpreter, Web Shell | Anomaly
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
Windows Process Execution From ProgramData | Match Legitimate Resource Name or Location | Hunting
Cisco IOS XE Reconnaissance Command Activity | System Network Configuration Discovery, System Information Discovery, Gather Victim Network Information | Anomaly
Detect Renamed WinRAR | Archive via Utility | Hunting
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token | Anomaly
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
Malicious PowerShell Process - Execution Policy Bypass | PowerShell | Anomaly
Linux Auditd Nopasswd Entry In Sudoers File | Sudo and Sudo Caching | Anomaly
Windows SnappyBee Create Test Registry | Modify Registry | TTP
Windows Credential Access From Browser Password Store | Query Registry | Anomaly
Windows Service Created with Suspicious Service Path | Service Execution | TTP
Linux Auditd Preload Hijack Library Calls | Dynamic Linker Hijacking | TTP
Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal | Clear Windows Event Logs, Impair Defenses | Anomaly
Linux Possible Access To Credential Files | /etc/passwd and /etc/shadow | Anomaly
Cisco Secure Firewall - SSH Connection to Non-Standard Port | SSH | Anomaly
Linux Common Process For Elevation Control | Setuid and Setgid | Hunting
PowerShell 4104 Hunting | PowerShell | Hunting
Windows Replication Through Removable Media | Replication Through Removable Media | TTP
Windows Unsigned MS DLL Side-Loading | Boot or Logon Autostart Execution, DLL | Anomaly
Cisco IOS XE WebUI Programmatic Configuration | Valid Accounts, Exploit Public-Facing Application | Anomaly
Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly
Windows Unsigned DLL Side-Loading In Same Process Path | DLL | TTP
Cisco IOS XE WebUI Login From IOSd Local Port | Valid Accounts, Exploit Public-Facing Application | TTP

Data Sources

Name | Platform | Sourcetype | Source
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Windows Event Log Security 4663 | Windows | XmlWinEventLog | XmlWinEventLog:Security
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable
Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Cisco IOS Logs | Other | cisco:ios | cisco:ios
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Cisco Secure Firewall Threat Defense Intrusion Event | Other | cisco:sfw:estreamer | not_applicable
Linux Auditd Proctitle | Linux | auditd | auditd
Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Linux Auditd Cwd | Linux | auditd | auditd
Linux Auditd Path | Linux | auditd | auditd
Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4703 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System
Linux Auditd Execve | Linux | auditd | auditd
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational

Source: GitHub | Version: 2