Threat Overview - Salt Typhoon Threat Group
Salt Typhoon is an APT threat actor that most recently, and publicly, breached the systems of major United States based telecommunication providers (specifically ISPs) in September/October of 2023. The networks affected by the breach included Verizon Communications, AT&T and Lumen Technologies. The campaign is considered an extremely damaging cyber espionage operation; the threat actors claimed to have been entrenched in the providers' systems for 'months'. The intrusion gave the attackers access to proprietary intelligence and law enforcement data by exploiting the systems used for what is understood to be lawful wiretapping. Salt Typhoon (also known as GhostEmperor, Famous Sparrow or UNC2286) has been active since 2020 and is operated by the Chinese Government to conduct cyber espionage campaigns against targets in North America, Southeast Asia, and Europe. It is also worth noting that the industries the threat actor has been observed attacking include telecommunications, government and information technology.
Hunt Packages
Suspicious Scheduled Task Created - Execution Details Contains Scripting Reference
This content is designed to detect when scripting references are found in scheduled tasks. Malware and adversaries use this technique to maintain persistence on a compromised system.
Single-Character Named Files Used for Execution
This Hunt Package identifies single character file names used at point of execution or in command line arguments with optional logic to look for the file creations.
Single Character Batch Script File Executed on Endpoint
The provided logic looks for single character batch script (.bat) file names found in the command line arguments of a process execution. This is often malicious activity as single character script files are uncommon in an environment when executed for legitimate purposes.
Execution BAT Script to Unpack Payload
This Hunt Package is meant to identify a nuanced method of execution of a .bat file that can be indicative of an unpacking sequence that leads to the deployment of an additional executable.
CertUtil file download
Identify suspicious downloads performed with the built-in Windows tool CertUtil. CertUtil is typically not used to download executables, or files in general, from the web, so its use to download files from the Internet should be considered suspicious.
DLL and EXE File Written in Same Directory in Short Period - Potential DLL Write for DLL Side Loading
This Hunt Package aims to identify potential DLL side-loading activity by searching for an executable and a small number of DLL files being written to the same directory within a short period of time. This type of activity can indicate an attacker attempting to load a malicious DLL by abusing a legitimate application that would normally load a safe DLL from the folder it is installed in. Attackers abuse this behavior by placing a malicious DLL with the same name as the legitimate DLL the program expects. Additionally, the technique helps obfuscate the attacker's initial DLL execution: in execution logs the malicious DLL masquerades under a legitimate DLL name rather than a suspicious one.
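The correlation described above, as an added example that is not part of the Hunt Package or the HUNTER471 platform: it groups constructed file-creation events by directory and flags directories where an .exe and between one and a few .dll files land within a short window. The event format, the 60-second window and the cap of three DLLs (to skip installer-style bursts) are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample file-creation events (not real telemetry): (timestamp, path)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", r"C:\Users\Public\Updater\update.exe"),
    ("2024-01-10T09:00:03", r"C:\Users\Public\Updater\version.dll"),
    ("2024-01-10T09:00:04", r"C:\Users\Public\Updater\config.ini"),
    ("2024-01-10T09:10:00", r"C:\Program Files\Vendor\app.exe"),
    ("2024-01-10T11:30:00", r"C:\Program Files\Vendor\helper.dll"),  # hours later: not correlated
    ("2024-01-10T12:00:00", r"C:\Windows\Temp\a.exe"),
    ("2024-01-10T12:00:01", r"C:\Windows\Temp\b.dll"),
    ("2024-01-10T12:00:01", r"C:\Windows\Temp\c.dll"),
    ("2024-01-10T12:00:02", r"C:\Windows\Temp\d.dll"),
    ("2024-01-10T12:00:02", r"C:\Windows\Temp\e.dll"),
    ("2024-01-10T12:00:03", r"C:\Windows\Temp\f.dll"),  # installer-like burst: too many DLLs
]

def find_sideload_candidates(events, window_seconds=60, max_dlls=3):
    """Return {directory: (exe_path, [dll_paths])} for each directory where an
    .exe and 1..max_dlls .dll files were written within window_seconds of the
    .exe. Directories with larger DLL bursts are ignored as likely installers."""
    by_dir = defaultdict(list)
    for ts, path in events:
        p = PureWindowsPath(path)
        by_dir[str(p.parent).lower()].append((datetime.fromisoformat(ts), p))
    hits = {}
    for directory, files in by_dir.items():
        files.sort()  # chronological order within the directory
        exes = [(t, p) for t, p in files if p.suffix.lower() == ".exe"]
        dlls = [(t, p) for t, p in files if p.suffix.lower() == ".dll"]
        for exe_time, exe_path in exes:
            near = [str(p) for t, p in dlls
                    if abs((t - exe_time).total_seconds()) <= window_seconds]
            if 1 <= len(near) <= max_dlls:
                hits[directory] = (str(exe_path), near)
    return hits

if __name__ == "__main__":
    for directory, (exe, dlls) in find_sideload_candidates(SAMPLE_EVENTS).items():
        print(f"[candidate] {directory}: {exe} with {dlls}")
```

Directories flagged this way still need triage against known-good software locations and signer information; the window and DLL cap are tuning knobs, not fixed thresholds.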
Potential Impacket wmiexec Module Command Execution
Impacket's wmiexec module enables an attacker to remotely upload files to the target system. By default the module utilizes the same structure of command arguments to perform file upload. The logic provided in this package identifies Impacket's known wmiexec command structure, accounting for small alterations in the case an attacker changes the module's command structure.
Suspicious Executable or Scripts Launched in Common Configuration or System Related Folders
This Hunt Package is intended to identify when suspicious executables or scripts are launched from common configuration or system function related folders. This behavior can indicate an adversary attempting to hide their payload as a "legitimate" file or script. Creating such files within common system folders is a technique used by various threat actors, including APT groups, to evade detection and maintain persistence on a compromised system.
Potentially Abnormal Parent Process for cmd[.]exe or regedit[.]exe
This use case is meant to identify suspicious parent processes for cmd[.]exe and regedit[.]exe.
DLL Dropped in ProgramData Directory - Possible Cobalt Strike Activity
This Hunt Package is designed to capture the activity surrounding a Dynamic Link Library (DLL) being created or dropped in the ProgramData directory on a Windows machine. This activity has been observed during the use of Cobalt Strike.