Summary of the Threat
Volt Typhoon is a state-sponsored actor based in China that typically focuses on espionage and information gathering. It has been active since mid-2021, targeting critical infrastructure organizations.
To achieve their goals, the threat actor relies on stealth, using IT operations toolsets and almost exclusively living-off-the-land techniques and hands-on-keyboard activity. They use the command line to collect data, including credentials from local and network systems, place the data into an archive file staged for exfiltration, and then use the stolen valid credentials to maintain persistence.
For more details on Volt Typhoon's tactics, please see the Joint Cybersecurity Advisory.
Logging Recommendations
Windows
Default Windows Security log settings may not provide the level of logging detail required to distinguish threat actor activity from normal IT operations. Ensure the audit policy for Windows security logs includes “Audit Process Creation” and “Include command line in process creation events”.
Without deep PowerShell logging and WMI tracing, the logs may not provide enough detail for threat hunters to distinguish between threat actor activity and normal IT operations. It is recommended to enable both by following the recommended configurations.
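The following PowerShell is an added example (not from Snare, Carbonhelix or the Joint Advisory) that applies the process creation, command line, PowerShell and WMI logging settings described above on a single host and then reports each setting so the change can be verified. It assumes an elevated session and the standard Microsoft policy registry locations; on domain-joined hosts the equivalent Group Policy settings should be used instead so they are not overridden.

```powershell
# Added example: enable the Windows logging the advisory calls for, then verify it.
# Assumes an elevated PowerShell session (local settings; Group Policy wins on domain hosts).

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Audit Process Creation (Security event 4688), success and failure.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# 2. Include the full command line in 4688 events.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
Set-RegistryDword $auditKey 'ProcessCreationIncludeCmdLine_Enabled' 1

# 3. Deep PowerShell logging: script block logging (event 4104) and module logging (event 4103).
$sbKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$modKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
Set-RegistryDword $sbKey  'EnableScriptBlockLogging' 1
Set-RegistryDword $modKey 'EnableModuleLogging' 1
$modNames = Join-Path $modKey 'ModuleNames'
if (-not (Test-Path $modNames)) { New-Item -Path $modNames -Force | Out-Null }
New-ItemProperty -Path $modNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null  # log all modules

# 4. WMI tracing: enable the analytic trace channel alongside the default Operational log.
wevtutil sl Microsoft-Windows-WMI-Activity/Trace /e:true /q:true

# Verification: print each setting so the state can be confirmed before relying on the agent feed.
$checks = [ordered]@{
    'Process Creation auditing'  = (auditpol /get /subcategory:"Process Creation" /r | ConvertFrom-Csv).'Inclusion Setting'
    'Command line in 4688'       = (Get-ItemProperty $auditKey).ProcessCreationIncludeCmdLine_Enabled
    'Script block logging'       = (Get-ItemProperty $sbKey).EnableScriptBlockLogging
    'Module logging'             = (Get-ItemProperty $modKey).EnableModuleLogging
    'WMI-Activity/Trace channel' = (wevtutil gl Microsoft-Windows-WMI-Activity/Trace | Select-String 'enabled:').Line.Trim()
}
$checks.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
```

Expected output shows "Success and Failure" for process creation auditing, 1 for the three registry values, and "enabled: true" for the WMI trace channel.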
SNARE
Install Snare Agents to collect system event logs and enable FIM and RIM on key software and operating system locations to generate the required hashes.
Utilize Snare Agents to collect DNS log activity.
Utilize Sysmon to help augment the monitoring of the systems.
Ensure proxy logs are being collected with the Snare Windows or Linux Agent.
Perform Database Activity Monitoring with the Snare MSSQL Agent.
Ensuring these logging recommendations are in place will assist in monitoring and detecting this threat actor and others who use these techniques.
If you have any questions about the recommendations, how they would impact your QRadar EPS, or other questions regarding your organization’s security posture, please feel free to reach out to your Carbonhelix representative.