Try in Splunk Security Cloud
Description
This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the “Volt Typhoon” group targeting critical infrastructure organizations in United States and Guam. The affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. This Analytic story looks for suspicious process execution, lolbin execution, command-line activity, lsass dump and many more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Risk
- Last Updated: 2023-05-25
- Author: Teoderick Contreras, Splunk
- ID: f73010e4-49eb-44ef-9f3f-2c25a1ae5415
Narrative
Volt Typhoon is a state sponsored group typically focuses on espionage and information gathering.\ Based on Microsoft Threat Intelligence, This threat actor group puts strong emphasis on stealth in this campaign by relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. \ They issue commands via the command line to :\ (1) collect data, including credentials from local and network systems, \ (2) put the data into an archive file to stage it for exfiltration, and then \ (3) use the stolen valid credentials to maintain persistence. \ In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.
Detections
| Name |
Technique |
Type |
| Cmdline Tool Not Executed In CMD Shell |
Command and Scripting Interpreter, JavaScript |
TTP |
| Creation of Shadow Copy |
NTDS, OS Credential Dumping |
TTP |
| Creation of Shadow Copy with wmic and powershell |
NTDS, OS Credential Dumping |
TTP |
| Detect PsExec With accepteula Flag |
Remote Services, SMB/Windows Admin Shares |
TTP |
| Dump LSASS via comsvcs DLL |
LSASS Memory, OS Credential Dumping |
TTP |
| Elevated Group Discovery With Net |
Permission Groups Discovery, Domain Groups |
TTP |
| Executables Or Script Creation In Suspicious Path |
Masquerading |
Anomaly |
| Extraction of Registry Hives |
Security Account Manager, OS Credential Dumping |
TTP |
| Impacket Lateral Movement Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Impacket Lateral Movement WMIExec Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Impacket Lateral Movement smbexec CommandLine Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Malicious PowerShell Process - Encoded Command |
Obfuscated Files or Information |
Hunting |
| Malicious PowerShell Process - Execution Policy Bypass |
Command and Scripting Interpreter, PowerShell |
TTP |
| Net Localgroup Discovery |
Permission Groups Discovery, Local Groups |
Hunting |
| Network Connection Discovery With Arp |
System Network Connections Discovery |
Hunting |
| Network Connection Discovery With Netstat |
System Network Connections Discovery |
Hunting |
| Ntdsutil Export NTDS |
NTDS, OS Credential Dumping |
TTP |
| Processes launching netsh |
Disable or Modify System Firewall, Impair Defenses |
Anomaly |
| Remote WMI Command Attempt |
Windows Management Instrumentation |
TTP |
| Suspicious Copy on System32 |
Rename System Utilities, Masquerading |
TTP |
| Suspicious Process File Path |
Create or Modify System Process |
TTP |
| Windows Common Abused Cmd Shell Risk Behavior |
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter |
Correlation |
| Windows DNS Gather Network Info |
DNS |
Anomaly |
| Windows Ldifde Directory Object Behavior |
Ingress Tool Transfer, Domain Groups |
TTP |
| Windows Mimikatz Binary Execution |
OS Credential Dumping |
TTP |
| Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos |
Password Spraying, Brute Force |
TTP |
| Windows Multiple Invalid Users Fail To Authenticate Using Kerberos |
Password Spraying, Brute Force |
TTP |
| Windows Multiple Invalid Users Failed To Authenticate Using NTLM |
Password Spraying, Brute Force |
TTP |
| Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials |
Password Spraying, Brute Force |
TTP |
| Windows Multiple Users Failed To Authenticate From Host Using NTLM |
Password Spraying, Brute Force |
TTP |
| Windows Multiple Users Failed To Authenticate From Process |
Password Spraying, Brute Force |
TTP |
| Windows Multiple Users Failed To Authenticate Using Kerberos |
Password Spraying, Brute Force |
TTP |
| Windows Multiple Users Remotely Failed To Authenticate From Host |
Password Spraying, Brute Force |
TTP |
| Windows OS Credential Dumping with Ntdsutil Export NTDS |
NTDS, OS Credential Dumping |
TTP |
| Windows Proxy Via Netsh |
Internal Proxy, Proxy |
Anomaly |
| Windows Proxy Via Registry |
Internal Proxy, Proxy |
Anomaly |
| Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos |
Password Spraying, Brute Force |
Anomaly |
| Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos |
Password Spraying, Brute Force |
Anomaly |
| Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM |
Password Spraying, Brute Force |
Anomaly |
| Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials |
Password Spraying, Brute Force |
Anomaly |
| Windows Unusual Count Of Users Failed To Auth Using Kerberos |
Password Spraying, Brute Force |
Anomaly |
| Windows Unusual Count Of Users Failed To Authenticate From Process |
Password Spraying, Brute Force |
Anomaly |
| Windows Unusual Count Of Users Failed To Authenticate Using NTLM |
Password Spraying, Brute Force |
Anomaly |
| Windows Unusual Count Of Users Remotely Failed To Auth From Host |
Password Spraying, Brute Force |
Anomaly |
| Windows WMI Process Call Create |
Windows Management Instrumentation |
Hunting |
Reference
source | version: 1