Response to CISA Advisory (AA24-038A): PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

AttackIQ released an attack graph that emulates Volt Typhoon’s recent activity to help organizations validate detections and defenses against pre-positioning intrusions targeting critical infrastructure. The emulation covers Living-off-the-Land techniques (CertUtil, Netsh), LSASS dumping via comsvcs.dll and rundll32, credential harvesting with Mimikatz, discovery, staging/exfiltration, and log clearing.

Key points

  • CISA, NSA, and FBI warned that PRC state-sponsored actors are pre-positioning access to U.S. critical infrastructure; AttackIQ created an emulation to match those behaviors.
  • Volt Typhoon heavily uses Living-off-the-Land binaries to blend with normal activity and evade EDR detection.
  • Initial actions include deobfuscation using certutil and firewall modification with netsh to proxy connections.
  • Credential access techniques observed: LSASS memory dumps via rundll32/comsvcs.dll and credential harvesting with an obfuscated Mimikatz.
  • Comprehensive discovery operations use built-in commands and tools (systeminfo, whoami, net user, tasklist, netstat, nmap, nltest, Get-ADDomainController).
  • Data is staged locally, exfiltrated to attacker-controlled servers over HTTP POST, and evidentiary logs are removed with wevtutil.
  • AttackIQ recommends validating detection and prevention pipelines against these behaviors and following CISA’s mitigation guidance.

MITRE Techniques

  • [T1140] Deobfuscate/Decode Files or Information – Use of the legitimate certutil binary to decode a base64-encoded payload (‘deobfuscate the used script through the CertUtil utility.’)
  • [T1562.004] Impair Defenses: Disable or Modify System Firewall – Creating a new Windows Firewall rule via netsh to proxy port connections (‘modify the system’s firewall using Netsh to create a new rule to proxy port connections from the targeted system.’)
  • [T1003.001] OS Credential Dumping: LSASS Memory – Dumping LSASS memory using rundll32.exe with comsvcs.dll MiniDump export to disk (‘perform a dump of the Windows Local Security Authority Server Service (LSASS) process using the native comsvcs.dll library’)
  • [T1021.001] Remote Services: Remote Desktop Protocol – Using stolen credentials to remotely connect via RDP (‘moving laterally to remotely accessible systems via Remote Desktop Protocol (RDP).’)
  • [T1003] OS Credential Dumping – Using an obfuscated Mimikatz to extract passwords and hashes from the target system (‘use the credential harvesting tool known as Mimikatz to extract credentials’)
  • [T1082] System Information Discovery – Executing systeminfo to gather Windows system details (‘systeminfo command is executed to retrieve all of the Windows system information.’)
  • [T1033] System Owner/User Discovery – Running whoami and query user to enumerate accounts and permission groups (‘whoami and query user utilities to gain details about the currently available accounts and permission groups.’)
  • [T1087.001] Account Discovery: Local Account – Using net user to list local accounts (‘net user command to get a list of all available local accounts.’)
  • [T1069] Permission Groups Discovery – Enumerating groups with net localgroup and net group /domain (‘net localgroup and net group /domain commands.’)
  • [T1057] Process Discovery – Running tasklist and saving results to a temporary file (‘tasklist command is executed as a command process and the results are saved to a file in a temporary location.’)
  • [T1007] System Service Discovery – Querying running services using net start (‘net start utility to query a list of all running services.’)
  • [T1083] File and Directory Discovery – Listing files/directories in %ProgramFiles% and %systemdrive%\Users via a batch script (‘lists all files and directories in %ProgramFiles% and the %systemdrive%\Users directory.’)
  • [T1124] System Time Discovery – Identifying time and time zone using net time (‘identifies the time and time zone of the compromised system through the net time command.’)
  • [T1614] System Location Discovery – Calling GetUserDefaultLocaleName/GetUserDefaultLCID to retrieve system location (‘execute the GetUserDefaultLocaleName and GetUserDefaultLCID API calls to retrieve the location of the targeted system.’)
  • [T1016] System Network Configuration Discovery – Using route, ipconfig, net use to collect host and share details (‘route, ipconfig, and net use are executed to collect details about the infected host and network shares.’)
  • [T1016.001] Internet Connection Discovery – Pinging 8.8.8.8 to verify internet connectivity (‘used ping to Google’s 8.8.8.8 DNS server to verify if they could connect to the internet.’)
  • [T1049] System Network Connections Discovery – Using netstat to collect active connections and listening services (‘netstat is used to collect active connections and any listening services running on the host.’)
  • [T1018] Remote System Discovery – Scanning the network with Nmap for SMB, RDP, LDAP and using nltest/Get-ADDomainController to locate domain controllers (‘executes the Nmap tool to scan the local network’ and ‘executes the nltest command’ and ‘Get-ADDomainController PowerShell cmdlet to discover the available domain controller.’)
  • [T1074.001] Data Staged: Local Data Staging – Collecting files into a temporary directory for later exfiltration (‘Files are collected and stored in a temporary directory so they can be exfiltrated later.’)
  • [T1041] Exfiltration Over C2 Channel – Sending files to an attacker-controlled server via HTTP POST (‘Files are sent to an AttackIQ controlled server using HTTP POST requests.’)
  • [T1070.001] Indicator Removal: Clear Windows Event Logs – Using wevtutil.exe to clear event logs and remove evidence (‘attempt to delete Windows event logs using the wevtutil.exe utility to remove evidence of their intrusion activity.’)

Indicators of Compromise

  • [IP Address] Internet connectivity check – 8.8.8.8 (ping to verify internet access)
  • [Binaries/Tools] Legitimate/abused utilities observed – certutil.exe, netsh.exe (used for deobfuscation and firewall modification)
  • [Binaries/Tools] Credential and forensic tools – mimikatz (obfuscated), rundll32.exe (invokes comsvcs.dll for LSASS dumping)
  • [DLLs] Libraries used for dumping – comsvcs.dll (MiniDump export used to dump LSASS)
  • [Windows Utilities] Evidence removal and staging – wevtutil.exe (clearing event logs), vssadmin.exe (recommended for AD DB shadow copies)
  • [Registry] Stored session enumeration – HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions (PuTTY stored sessions discovery)
  • [Network Services/Ports] Remote access targets – RDP, SMB (identified via Nmap and used for lateral movement)

The emulated procedure begins by decoding and preparing payloads with certutil, then modifying host firewall rules via netsh to proxy or permit attacker connections. Operators dump LSASS memory using rundll32.exe invoking comsvcs.dll MiniDump to capture credentials, and then run an obfuscated Mimikatz binary to extract cleartext passwords and hashes for lateral access (notably to RDP and SMB targets).

Comprehensive environment discovery is performed using native Windows commands and tools—systeminfo, whoami, net user, net localgroup, tasklist, net start, route, ipconfig, netstat—and network scanning tools like Nmap, nltest, and Get-ADDomainController to locate domain controllers and remotely accessible systems. Collected files are staged locally, exfiltrated over HTTP POST to attacker-controlled servers, and post-operation cleanup includes clearing Windows event logs with wevtutil to remove forensic evidence.

Defenders should prioritize detections for LOTL binaries (certutil, rundll32/comsvcs), LSASS access patterns, anomalous netsh firewall changes, unusual netstat/net use activity, and outbound HTTP POSTs carrying staged data; use the AttackIQ assessment template to validate detection pipelines and follow CISA recommendations for mitigations and patching.
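As an added example (not part of the AttackIQ post or assessment template), the following Python sketches the kind of command-line detection logic the recommendation above calls for, run over constructed process-creation events that mirror the certutil, netsh, rundll32/comsvcs and wevtutil behaviours listed in this page; the event fields, rule patterns and sample hostnames are assumptions, not telemetry from the advisory.

```python
import re

# Constructed sample process-creation events (host, image, full command line),
# modelled on the Volt Typhoon behaviours described above. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "certutil.exe",
     "cmdline": "certutil -decode payload.b64 payload.ps1"},
    {"host": "ws01", "image": "netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 connectport=8443 connectaddress=10.0.0.5"},
    {"host": "srv02", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\Windows\\Temp\\l.dmp full"},
    {"host": "srv02", "image": "wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "ws03", "image": "certutil.exe",
     "cmdline": "certutil -verify cert.cer"},          # benign certutil use, must not alert
    {"host": "ws03", "image": "netsh.exe",
     "cmdline": "netsh wlan show profiles"},           # benign netsh use, must not alert
]

# Each rule: (MITRE technique id from the list above, description, regex over the command line).
RULES = [
    ("T1140", "certutil used to decode a file",
     re.compile(r"\bcertutil(\.exe)?\b.*\s-(decode|decodehex)\b", re.I)),
    ("T1562.004", "netsh portproxy rule added",
     re.compile(r"\bnetsh(\.exe)?\b.*\bportproxy\b.*\badd\b", re.I)),
    ("T1003.001", "comsvcs.dll MiniDump invoked via rundll32",
     re.compile(r"\brundll32(\.exe)?\b.*comsvcs\.dll.*\bMiniDump\b", re.I)),
    ("T1070.001", "wevtutil clearing an event log",
     re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.I)),
]


def match_event(event):
    """Return the (technique, description) pairs whose rule matches this event's command line."""
    return [(tid, desc) for tid, desc, rx in RULES if rx.search(event["cmdline"])]


def detect(events):
    """Run every rule over a batch of events and return one alert per rule hit."""
    alerts = []
    for ev in events:
        for tid, desc in match_event(ev):
            alerts.append({"host": ev["host"], "technique": tid,
                           "description": desc, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['technique']}] {a['host']}: {a['description']} :: {a['cmdline']}")
```

The two benign events show why the rules key on the decode, portproxy, MiniDump and clear-log arguments rather than on the binary name alone, since these utilities are legitimately used every day.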

Read more: https://www.attackiq.com/2024/02/09/response-to-cisa-advisory-aa24-038a/