Analytics Story: Volt Typhoon

Date: 2023-05-25 ID: f73010e4-49eb-44ef-9f3f-2c25a1ae5415 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the "Volt Typhoon" group targeting critical infrastructure organizations in United States and Guam. The affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. This Analytic story looks for suspicious process execution, lolbin execution, command-line activity, lsass dump and many more.

Why it matters

Volt Typhoon is a state sponsored group typically focuses on espionage and information gathering. Based on Microsoft Threat Intelligence, This threat actor group puts strong emphasis on stealth in this campaign by relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to: 1. collect data, including credentials from local and network systems, 2. put the data into an archive file to stage it for exfiltration, and then 3. use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*Cmdline Tool Not Executed In CMD Shell*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Net Localgroup Discovery*", "*Create local admin accounts using net exe*", "*Local Account Discovery with Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_common_abused_cmd_shell_risk_behavior_filter`

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Cmdline Tool Not Executed In CMD Shell Command and Scripting Interpreter, JavaScript TTP
Creation of Shadow Copy NTDS, OS Credential Dumping TTP
Creation of Shadow Copy with wmic and powershell NTDS, OS Credential Dumping TTP
Detect PsExec With accepteula Flag Remote Services, SMB/Windows Admin Shares TTP
Dump LSASS via comsvcs DLL LSASS Memory, OS Credential Dumping TTP
Elevated Group Discovery With Net Permission Groups Discovery, Domain Groups TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Extraction of Registry Hives Security Account Manager, OS Credential Dumping TTP
Impacket Lateral Movement Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement smbexec CommandLine Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement WMIExec Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Malicious PowerShell Process - Execution Policy Bypass Command and Scripting Interpreter, PowerShell TTP
Net Localgroup Discovery Permission Groups Discovery, Local Groups Hunting
Network Connection Discovery With Arp System Network Connections Discovery Hunting
Network Connection Discovery With Netstat System Network Connections Discovery Hunting
Ntdsutil Export NTDS NTDS, OS Credential Dumping TTP
Processes launching netsh Disable or Modify System Firewall, Impair Defenses Anomaly
Remote WMI Command Attempt Windows Management Instrumentation TTP
Suspicious Copy on System32 Rename System Utilities, Masquerading TTP
Suspicious Process File Path Create or Modify System Process TTP
Windows DNS Gather Network Info DNS Anomaly
Windows Ldifde Directory Object Behavior Ingress Tool Transfer, Domain Groups TTP
Windows Mimikatz Binary Execution OS Credential Dumping TTP
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos Password Spraying, Brute Force TTP
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos Password Spraying, Brute Force TTP
Windows Multiple Invalid Users Failed To Authenticate Using NTLM Password Spraying, Brute Force TTP
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials Password Spraying, Brute Force TTP
Windows Multiple Users Failed To Authenticate From Host Using NTLM Password Spraying, Brute Force TTP
Windows Multiple Users Failed To Authenticate From Process Password Spraying, Brute Force TTP
Windows Multiple Users Failed To Authenticate Using Kerberos Password Spraying, Brute Force TTP
Windows Multiple Users Remotely Failed To Authenticate From Host Password Spraying, Brute Force TTP
Windows Proxy Via Netsh Internal Proxy, Proxy Anomaly
Windows Proxy Via Registry Internal Proxy, Proxy Anomaly
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Users Failed To Auth Using Kerberos Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Users Failed To Authenticate From Process Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Users Failed To Authenticate Using NTLM Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Users Remotely Failed To Auth From Host Password Spraying, Brute Force Anomaly
Windows WMI Process Call Create Windows Management Instrumentation Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4625 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4648 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4768 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4771 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4776 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1