Threat Overview - Volt Typhoon Threat Group
On Tuesday (3/19/24), an advisory from President Biden's administration was released to state governors, detailing the threat of foreign entities including the Volt Typhoon group targeting critical drinking water and wastewater infrastructure - with the potential to "disrupt the critical lifeline of clean and safe drinking water". With Volt Typhoon in particular, it was revealed that last month the threat group was discovered infiltrating networks of a number of critical infrastructure organizations such as communications, energy, transportation, and water and wastewater. They have been identified as "pre-positioned" within these environments, enabling the threat of carrying out disruption across the critical infrastructure sectors. It was recommended that these water facilities adopt basic security measures, such as resetting default passwords and updating software, and provided a list of additional actions and resources; which can be found here: [Top Cyber Actions for Securing Water Systems]
Get your FREE Community Account today on the HUNTER Platform and get access to behavioral threat hunting content for your SIEM, EDR, NDR, and XDR platforms!
Hunt Packages
ShadowCopy Image Accessed
This package is intended to help identify when Shadow Copies are accessed on a user's host. This can be the cause of creating a new backup, setting up Shadow Copies, restoring from old backups or due to malicious access to normally protected files. In July 2021 a privilege configuration issue was identified, enabling access to NTLM hashes and other sensitive data that is typically protected with SYSTEM level access on the normal filesystem. This vulnerability is tracked as CVE-2021-36934 and dubbed SeriousSAM or HiveNightmare. The vulnerability affects access to The C:\Windows\System32\config\ folder, containing the SYSTEM, SAM and SECURITY hive files. Typically these files are protected to only SYSTEM level processes, however they can be accessed utilizing Shadow Copies that fail to protect it the same as in the original source folder.
Netsh Port Forwarding Command
This use case is meant to identify the netsh port forwarding command-line parameters "interface portproxy add".
WMIC Windows Internal Discovery and Enumeration
This will identify the potentially malicious use of WMI (Windows Management Interface) utilized for local enumeration and discovery of a host.
Potentially Injected Process Command Execution
This Hunt Package identifies child processes that require interactive output that are not executed by cmd.exe and powershell.exe.
Dump LSASS via comsvcs DLL
Identify the usage of Microsoft Windows COM+ services DLL (comsvcs.dll), which can be used to dump process memory, dumping the process memory of lsass.exe which can be used to obtain credentials.
Potential Impacket wmiexec Module Command Execution
Impacket's wmiexec module enables an attacker to remotely upload files to the target system. By default the module utilizes the same structure of command arguments to perform file upload. The logic provided in this package identifies Impacket's known wmiexec command structure, accounting for small alterations in the case an attacker changes the module's command structure.
Dump Active Directory Database with NTDSUtil - Potential Credential Dumping
This content is designed to identify when NTDSutil.exe is used to create a full backup of active directory. This technique is utilized by the Conti ransomware and Trickbot malware to steal data from a compromised host.
Excessive Windows Discovery CommandLine Arguments - Potential Malware Installation
This content is designed to detect when the same discovery tool (ifconfig.exe, netstat.exe, ping.exe) is executed in quick succession that contains different arguments and strings.
Remote Process Instantiation via WMI
This use case is meant to identify wmic.exe being launched with parameters to spawn a process on a remote system.
Powershell Encoded Command Execution
Looks for valid variations of the -EncodedCommand parameter. This is commonly used to encode or obfuscate commands, and not all occurrences are malicious. For example, benign complex commands may require encoding to properly run on a target system. Analysis of the encoded command by base64 decoding the encoded data will be necessary.
NOTE: When excessive results are received, notes provided in the Deployment Steps may be able to aid in tuning the dataset, per tool. Some general suggestions may be to group by parent processes to identify common, approved and legitimate, applications; group by common line and only review command lines observed less than 3 times, across 3 hosts (indicating single execution across multiple hosts); or limit the results by distinct number of hosts and event counts, such as limiting to less than 5 observed hosts or total execution count.
