Threat Intelligence: Nearly Undetectable Hacker - D1defend D1defend

Threat Intelligence: Nearly Undetectable Hacker - D1defend D1defend



Threat Intelligence: Nearly Undetectable Hacker

Posted: May 26, 2023

What’s the issue?

The United States and international cybersecurity authorities discovered a cluster of activity associated with a People’s Republic of China (PRC) state-sponsored cyber actor known as Volt Typhoon. This activity targets networks across critical infrastructure sectors, and there is a potential for similar techniques to be used worldwide.

What’s the risk?

This attacker employs “living off the land” tactics, using built-in network administration tools to carry out their objectives. This allows them to evade detection by blending in with normal Windows systems and network activities. They avoid endpoint detection and response (EDR) products and are nearly undetectable in default logging configurations. Some of the built-in tools used by the actor include wmic, ntdsutil, netsh, and PowerShell.

What’s the solution?

The joint advisory provides hunting guidance and best practices to detect this activity. It includes examples of the actor’s commands and detection signatures to aid network defenders. However, it’s important to note that some of the behavioral indicators also can be legitimate system administration commands, requiring further investigation.

Please check CISA’s website for the joint advisory at

Important Action

To enhance cybersecurity posture against this threat actor, we recommend implementing the following mitigations:

  • Harden domain controllers and monitor event logs for suspicious process creations.
  • Limit port proxy usage and investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs.
  • Review perimeter firewall configurations for unauthorized changes.
  • Monitor for abnormal account activity and impossible logons.
  • Forward log files to a centralized logging server and monitor for log clearing.
  • Enable logging on edge devices and network management devices.
  • Configure Windows security logs to include “audit process creation” and “include command line in process creation events.”

If you have any questions or need assistance with implementing these mitigations, please reach out to our team at D1 Defend.

Contact Us Today!

Schedule a Call