Critical Nation-State APT Deep Dive

Volt Typhoon

Threat Hunting Guide

Chinese State-Sponsored APT Targeting U.S. Critical Infrastructure

Attribution: PRC State-Sponsored
Active Since: Mid-2021
Dwell Time: Up to 5 Years
Hunt Duration: 4-6 Hours

1. Executive Summary

Critical Infrastructure Threat

  • Volt Typhoon is a PRC state-sponsored threat actor targeting U.S. critical infrastructure
  • Maintained persistent access in victim environments for up to 5 years
  • Pre-positioning for potential destructive/disruptive attacks during conflict
  • CISA, NSA, and FBI have issued multiple joint advisories (AA23-144A, AA24-038A)

Volt Typhoon (also known as VOLTZITE, Bronze Silhouette, Vanguard Panda, and Insidious Taurus) is a People's Republic of China (PRC) state-sponsored advanced persistent threat (APT) group that has been active since at least mid-2021. Unlike traditional cyber espionage operations focused on data theft, Volt Typhoon's primary objective is pre-positioning within U.S. critical infrastructure to enable potential disruption or destruction of services during a major geopolitical conflict.

The group has successfully compromised organizations across communications, energy, water, transportation, and government sectors. CISA has confirmed exfiltration of SCADA diagrams and relay documentation from energy and water utilities, demonstrating their focus on operational technology (OT) environments.

Volt Typhoon's signature tradecraft involves extensive use of living-off-the-land (LOTL) techniques, relying on built-in Windows utilities like netsh, wmic, and ntdsutil to evade detection. This guide provides comprehensive hunt procedures to identify Volt Typhoon indicators in your environment.

2. Hunt Modules

#   Module                            Duration   Priority
1.  Network Edge Device Compromise    45 min     Critical
2.  Living-off-the-Land Detection     45 min     Critical
3.  Credential Harvesting             30 min     Critical
4.  Lateral Movement                  30 min     High
5.  Port Proxy and Tunneling          30 min     High
6.  Defense Evasion                   30 min     High
7.  Data Staging and Exfiltration     30 min     Medium
8.  OT/SCADA Pre-Positioning          30 min     Critical
3. Detection Rules

Each rule is given in three forms: Splunk SPL, KQL (DeviceProcessEvents), and Sigma.

netsh Port Proxy Configuration (Splunk SPL)

Detects netsh portproxy commands used for C2 tunneling

T1090
index=windows sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
| search process_name="netsh.exe"
| where like(CommandLine, "%interface%portproxy%")
| table _time, host, user, CommandLine
| sort -_time

Impacket Wmiexec Pattern (Splunk SPL)

Detects the Impacket wmiexec execution pattern; a high-fidelity indicator

T1047
index=windows sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
| search parent_process_name="wmiprvse.exe" process_name="cmd.exe"
| regex CommandLine="\/Q\s+\/c\s+.*\\127\.0\.0\.1\\ADMIN\$\\__\d+"
| table _time, host, user, CommandLine
| sort -_time

NTDS.dit Extraction via ntdsutil (Splunk SPL)

Detects credential dumping via the ntdsutil IFM functionality

T1003.003
index=windows sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
| search process_name="ntdsutil.exe"
| where like(CommandLine, "%activate instance ntds%") OR like(CommandLine, "%ifm%") OR like(CommandLine, "%create full%")
| table _time, host, user, CommandLine
| sort -_time

netsh Port Proxy Configuration (KQL)

Detects netsh portproxy commands used for C2 tunneling

T1090
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where FileName =~ "netsh.exe"
| where ProcessCommandLine has_all ("interface", "portproxy")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc

Impacket Wmiexec Pattern (KQL)

Detects the Impacket wmiexec execution pattern; a high-fidelity indicator

T1047
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName =~ "cmd.exe"
// In a verbatim @"" string the regex engine sees the backslashes as written, so the
// UNC prefix needs \\\\ and each later path separator needs \\; a single \A would be
// parsed as a start-of-text anchor and the rule would never match.
| where ProcessCommandLine matches regex @"/Q\s+/c\s+.*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc

NTDS.dit Extraction via ntdsutil (KQL)

Detects credential dumping via the ntdsutil IFM functionality

T1003.003
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where FileName =~ "ntdsutil.exe"
| where ProcessCommandLine has_any (
    "activate instance ntds",
    "create full",
    "ifm"
)
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine

netsh Port Proxy Configuration (Sigma)

Detects netsh portproxy commands used for C2 tunneling

T1090
title: Volt Typhoon - netsh Port Proxy Configuration
id: volt-typhoon-portproxy-001
status: experimental
description: Detects netsh portproxy commands used by Volt Typhoon for tunneling
author: Intruvent Technologies
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\netsh.exe'
        CommandLine|contains|all:
            - 'interface'
            - 'portproxy'
    condition: selection
level: high
tags:
    - attack.command_and_control
    - attack.t1090
    - attack.g1017

Impacket Wmiexec Pattern (Sigma)

Detects the Impacket wmiexec execution pattern; a high-fidelity indicator

T1047
title: Volt Typhoon - Impacket Wmiexec Pattern
id: volt-typhoon-impacket-001
status: experimental
description: Detects Impacket wmiexec execution pattern used by Volt Typhoon
author: Intruvent Technologies
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wmiprvse.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/Q'
            - '/c'
            - '\\127.0.0.1\ADMIN$\__'
    condition: selection
level: critical
tags:
    - attack.execution
    - attack.lateral_movement
    - attack.t1047
    - attack.g1017

NTDS.dit Extraction via ntdsutil (Sigma)

Detects credential dumping via the ntdsutil IFM functionality

T1003.003
title: Volt Typhoon - NTDS.dit Extraction via ntdsutil
id: volt-typhoon-ntds-001
status: experimental
description: Detects NTDS.dit extraction attempts characteristic of Volt Typhoon
author: Intruvent Technologies
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ntdsutil.exe'
        CommandLine|contains:
            - 'activate instance ntds'
            - 'create full'
            - 'ifm'
    condition: selection
level: high
tags:
    - attack.credential_access
    - attack.t1003.003
    - attack.g1017
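As an added example for this guide (not code from the original page or from Intruvent Technologies), the following Python matcher applies the three rule selections above (netsh portproxy, Impacket wmiexec, ntdsutil IFM) to a handful of constructed process-creation events, so the logic can be exercised offline before the Splunk, KQL or Sigma versions are deployed. The event field names, hostnames, accounts and sample command lines are assumptions for illustration; map them to Sysmon Event ID 1, Security 4688 or DeviceProcessEvents in your own telemetry. The wmiexec regex doubles the backslashes for the UNC prefix and single-escapes the later separators, which is the escaping the pattern needs in any engine that reads backslashes literally.

```python
"""
Added example (not part of the original guide): a minimal matcher for the three
Volt Typhoon process-creation rules, run against constructed sample events.
Field names (host, user, parent_image, image, cmdline) are assumptions.
"""
import re

# wmiexec output redirection. The UNC prefix needs two literal backslashes
# (\\\\ in the pattern) and each later separator needs one (\\).
WMIEXEC_RE = re.compile(
    r"/Q\s+/c\s+.*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+", re.IGNORECASE
)

# Rule definitions mirroring the Sigma selections in the guide. Conditions
# inside one rule are ANDed; contains_any is ORed over its list.
RULES = [
    {"name": "netsh Port Proxy Configuration", "technique": "T1090",
     "image_endswith": r"\netsh.exe",
     "cmdline_contains_all": ["interface", "portproxy"]},
    {"name": "Impacket Wmiexec Pattern", "technique": "T1047",
     "parent_endswith": r"\wmiprvse.exe", "image_endswith": r"\cmd.exe",
     "cmdline_regex": WMIEXEC_RE},
    {"name": "NTDS.dit Extraction via ntdsutil", "technique": "T1003.003",
     "image_endswith": r"\ntdsutil.exe",
     "cmdline_contains_any": ["activate instance ntds", "create full", "ifm"]},
]

# Constructed sample events (not real telemetry). The first three should fire;
# the last three are benign look-alikes that exercise the parent/argument checks.
SAMPLE_EVENTS = [
    {"host": "WS042", "user": r"CORP\jdoe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "listenaddress=0.0.0.0 connectport=443 connectaddress=192.0.2.10"},
    {"host": "FS01", "user": r"CORP\svc_backup",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1718203456.123456 2>&1"},
    {"host": "DC01", "user": r"CORP\svc_backup",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "activate instance ntds" "ifm" "create full C:\Windows\Temp\pro" quit quit'},
    {"host": "WS042", "user": r"CORP\jdoe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall firewall show rule name=all"},
    {"host": "WS042", "user": r"CORP\jdoe",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"host": "DC01", "user": r"CORP\admin",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "metadata cleanup" quit quit'},
]


def rule_matches(rule, event):
    """Evaluate one rule against one event; every condition present must hold."""
    image = event["image"].lower()            # Sigma endswith is case-insensitive
    parent = event.get("parent_image", "").lower()
    cmd = event["cmdline"]
    cmd_l = cmd.lower()
    if "image_endswith" in rule and not image.endswith(rule["image_endswith"].lower()):
        return False
    if "parent_endswith" in rule and not parent.endswith(rule["parent_endswith"].lower()):
        return False
    if "cmdline_contains_all" in rule and not all(
            s.lower() in cmd_l for s in rule["cmdline_contains_all"]):
        return False
    if "cmdline_contains_any" in rule and not any(
            s.lower() in cmd_l for s in rule["cmdline_contains_any"]):
        return False
    if "cmdline_regex" in rule and not rule["cmdline_regex"].search(cmd):
        return False
    return True


def hunt(events, rules=RULES):
    """Return (rule name, technique, host, user, cmdline) for every rule/event match."""
    hits = []
    for event in events:
        for rule in rules:
            if rule_matches(rule, event):
                hits.append((rule["name"], rule["technique"],
                             event["host"], event["user"], event["cmdline"]))
    return hits


if __name__ == "__main__":
    for name, technique, host, user, cmdline in hunt(SAMPLE_EVENTS):
        print(f"[{technique}] {name} on {host} by {user}: {cmdline}")
```

Running the script prints one line per hit: the portproxy event on WS042, the wmiexec event on FS01 and the ntdsutil event on DC01, while the benign netsh, explorer-spawned cmd.exe and ntdsutil metadata-cleanup events stay silent. The same event list is a convenient regression set to keep beside the SIEM rules: when a rule is tuned, re-run it to confirm the three true positives still fire.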


Disclaimer: These detection rules are provided for defensive security purposes. Always test rules in a non-production environment before deployment. Rules may require tuning based on your specific environment and baseline activity. Detection logic adapted from CISA advisories, Microsoft Threat Intelligence, and Palo Alto Unit 42 research.

4. Key Indicators of Compromise

File Artifacts

Indicator          Type        Context
AuditReport.jspx   Web Shell   Known Volt Typhoon web shell
iisstart.aspx      Web Shell   Masquerading as IIS default page
fy.sh              Web Shell   Found on compromised Cisco routers
rult3uil.log       Keylogger   Keylogger output on domain controllers

Masqueraded Process Names

Process Name       Context
cisco_up.exe       Masquerading as Cisco update
WmiPreSV.exe       Typosquat of WmiPrvSE.exe
vm3dservice.exe    Masquerading as VMware component
watchdogd.exe      Masquerading as watchdog service

Fortinet Compromise Indicators

Admin Account            Context
fortinet-tech-support    Created via CVE-2022-40684
fortigate-tech-support   Created via CVE-2022-40684
