This blog provides some immediate guidance on using Snare Agents and Snare Central to detect activity on your network from the recent Volt Typhoon APT, which relies on living-off-the-land techniques.
Background on the Living Off the Land Techniques Used by Volt Typhoon
Several advisories have been provided by CISA that relate to techniques used by Volt Typhoon.
- CISA provided a great white paper on the topic, which can be found here.
- Microsoft also provides some good analysis, which can be found here.
Important Information
As mentioned in the CISA white paper, threat actors primarily based in China are using various methods to attack systems and networks and to achieve a persistent presence.
The CISA white paper provides some indicators of compromise (IOCs) that can be used to detect these attacks. These IOCs map back to many MITRE ATT&CK techniques.
The Snare solution provides a wide range of capabilities to help with the MITRE ATT&CK framework; you can read more about it here.
Living-off-the-land techniques use built-in network and system administration tools to either compromise a system or undertake intelligence gathering. This potentially helps threat actors evade detection by blending in with normal Windows system and network activity. Such tools can sometimes avoid triggering endpoint detection and response (EDR) alerts that would otherwise activate if a third-party application or tool were used. Some of the built-in tools this threat actor uses include:
- wmic
- ntdsutil
- netsh
- PowerShell
This paper will cover some examples of how using Snare technology can help detect Volt Typhoon APT activity, using references from the CISA white paper. These examples can aid network defenders in hunting for this activity on their networks. Many of the behavioral indicators included can also be legitimate system administration commands that appear in benign activity.
Care should be taken not to assume that findings are malicious without further investigation or other indications of compromise.
Detection Using Snare Agents and Snare Central
The CISA and Microsoft papers on Volt Typhoon APT activity provide some indicators of compromise (IOCs) that can be used to detect these attacks. These IOCs include, but are not limited to:
- Hashes of malicious files
- Snort and YARA rules that can detect malicious network traffic
- IP addresses of known malicious hosts
After the initial compromise, it is important to understand what was done on the corporate network and what the attackers were up to. Here are some things that can be done to help detect malicious activity:
- Install Snare Agents to collect system event logs. Enable File Integrity Monitoring (FIM) and Registry Integrity Monitoring (RIM) on key software and operating system locations to generate the required hashes. If the Snare Agent was already installed, having File Activity Monitoring (FAM) and Registry Activity Monitoring (RAM) configured for the same operating system and application locations helps show which accounts and programs were used to make changes to files on the host. Having Snare Agents on other systems to collect their logs also assists with detecting lateral movement of users and potential account breaches on other hosts.
- Use Snare Agents to collect DNS log activity. We have a good FAQ guide here.
- Use Sysmon to augment the monitoring of the systems. We have another white paper here on this topic and on how Snare collects Sysmon events. We also include 25 sample Sysmon reports in Snare Central to help with threat hunting and incident detection.
- Other logs, such as proxy logs, can also be useful for determining Internet access paths and the source and destination systems involved. These can be collected using the Snare Windows or Linux agents.
- Perform Database Activity Monitoring with the Snare MSSQL agent. This allows tracking of user activity in Microsoft SQL Server databases to see whether user accounts were compromised and whether data was changed or exfiltrated.
- Install Snare Central to collect logs from Snare Agents and other syslog devices like firewalls, routers, switches, and software like Snort or other IDS/IPS systems.
You can create reports in Snare Central to search for malicious activity in the logs generated by Snare Agents, syslog sources, proxies, and firewall and other network devices.
The Snare Event Search can be used to hunt for threats in an ad-hoc fashion. Queries can be saved for later use, or used as templates for new queries. The event search provides the capability to search across multiple log types for keywords, IP addresses, domain names, process executions, user names, or file names in order to detect malicious software activity.
Searching Logs
Searching for netsetupsvc.dll in dynamic search can be done either by entering netsetupsvc.dll in the basic search field or by using the "Advanced Search" feature with a query such as the sample below:
DATE='TODAY' AND ALLFIELDS REGEXI 'wmic|ntdsutil|netsh\.exe|PowerShell'
The time period (DATE='TODAY') can be adjusted to review smaller or larger time ranges as required (e.g. DATE>=30, DATE=Weekend or DATE>'This time last week'). Commands can be refined to include or exclude tools based on the likelihood of false positives within the organisation. PowerShell and wmic are examples of commands that may be used heavily on some systems, and may therefore flood reports with excessive data.
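As an added example (not part of the original post and not Snare product code), the Python below applies the same regex hunt to a handful of constructed Snare-format process creation events: a date window stands in for DATE='TODAY', and an allow-list removes the kind of routine PowerShell use that would otherwise flood the results. The tab-delimited field order, the inventory script path and the log lines themselves are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Assumed tab-delimited field order of a Snare for Windows (MSWinEventLog) event.
# The order is an assumption made for this example; check it against the agent
# version in use before relying on it.
FIELDS = [
    "hostname", "log_format", "criticality", "event_log", "counter",
    "datetime", "event_id", "source", "user", "sid_type", "log_type",
    "computer", "category", "data", "expanded",
]

# The expression from the Advanced Search example above. REGEXI is a
# case-insensitive regex match, so re.IGNORECASE stands in for it here.
LOLBIN_PATTERN = re.compile(r"wmic|ntdsutil|netsh\.exe|PowerShell", re.IGNORECASE)

# Known-benign command lines to suppress. The inventory script is a hypothetical
# entry standing in for an organisation's own tuning.
BENIGN_COMMANDS = [
    re.compile(r"powershell\.exe .*\\Scripts\\inventory\.ps1", re.IGNORECASE),
]

# "Now" is pinned so the example is repeatable; a real hunt would use datetime.now().
NOW = datetime(2024, 1, 8, 18, 0, 0)


def _event(host, timestamp, user, command_line):
    """Build one constructed Snare-format 4688 line (sample data, not real telemetry)."""
    data = f"A new process has been created. Process Command Line: {command_line}"
    return "\t".join([
        host, "MSWinEventLog", "1", "Security", "1", timestamp, "4688",
        "Microsoft-Windows-Security-Auditing", user, "User", "Success Audit",
        host, "Process Creation", data, "",
    ])


SAMPLE_LOGS = "\n".join([
    _event("ws01", "Mon Jan 08 09:12:44 2024", "CORP\\jdoe",
           'cmd.exe /C "wmic path win32_logicaldisk get caption, filesystem, freespace, size, volumename"'),
    _event("dc01", "Mon Jan 08 09:40:02 2024", "CORP\\svc_backup",
           'ntdsutil.exe "ac i ntds" ifm'),
    _event("ws02", "Mon Jan 08 11:05:19 2024", "CORP\\admin",
           "netsh.exe advfirewall show allprofiles"),
    _event("ws01", "Mon Jan 08 12:00:00 2024", "NT AUTHORITY\\SYSTEM",
           "powershell.exe -File C:\\Scripts\\inventory.ps1"),
    _event("ws03", "Mon Jan 08 13:30:00 2024", "CORP\\jdoe",
           "notepad.exe C:\\Users\\jdoe\\notes.txt"),
    _event("ws04", "Sun Dec 03 08:00:00 2023", "CORP\\jdoe",
           'cmd.exe /C "wmic process list brief"'),
])


def parse_snare_line(line):
    """Split one tab-delimited Snare line into a dict, or return None if malformed."""
    parts = line.split("\t")
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["datetime"] = datetime.strptime(rec["datetime"], "%a %b %d %H:%M:%S %Y")
    return rec


def hunt_lolbins(log_text, days_back=1, now=NOW, benign=BENIGN_COMMANDS):
    """Return LOLBin hits newer than days_back days, minus known-benign command lines.

    days_back=1 approximates DATE='TODAY'; widen it as DATE>=30 would.
    """
    since = now - timedelta(days=days_back)
    hits = []
    for line in log_text.splitlines():
        rec = parse_snare_line(line)
        if rec is None or rec["datetime"] < since:
            continue
        # ALLFIELDS: match against every field, not only the command line.
        all_fields = "\t".join(str(v) for v in rec.values())
        match = LOLBIN_PATTERN.search(all_fields)
        if match is None:
            continue
        if any(b.search(rec["data"]) for b in benign):
            continue  # tuned out as expected administrative noise
        hits.append({
            "host": rec["hostname"], "user": rec["user"],
            "tool": match.group(0).lower(), "when": rec["datetime"],
            "command": rec["data"],
        })
    return hits


if __name__ == "__main__":
    for hit in hunt_lolbins(SAMPLE_LOGS):
        print(f"{hit['when']} {hit['host']} {hit['user']} [{hit['tool']}] {hit['command']}")
```

With the default one-day window the netsh line is still reported even though it is a harmless firewall status query; that is deliberate, since the text notes netsh is rare enough that every execution deserves a look, whereas PowerShell needs the allow-list to stay readable.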
Specific examples of activities that correlate with collected logs, include:
- cmd.exe /C "wmic path win32_logicaldisk get caption, filesystem, freespace, size, volumename"
- The baseline agent configuration will collect command execution events like these. Snare Central reports and the event search can be used to hunt for those specific components.
- %SystemRoot%\NTDS\ntds.dit exfil
- Snare Agents can be configured to monitor specific files and directories for access or modification. Windows systems access system files of this nature very often during normal daily activity, so file accesses like these may be stored in order to correlate them with other related activity. Alternatively, looking for attempts to access this file using commands that perform a "volume shadow copy" operation (vssadmin, wmic, ntdsutil) may be a more targeted and effective approach.
- Exfil via c:\windows\temp / c:\users\public
- The Windows\temp folder can be very noisy and is not often monitored, as it is too widely used by normal processes to monitor effectively. File monitoring within this directory can often be useful for forensic analysis, even if the volume of events is too high for real-time monitoring.
- ESENT Logging: Snare Agents collect from the Application event log by default. Searching for event IDs 216, 325, 326 and 327 can be performed with the event search or a report looking for ntds.dit usage.
- An example search for these would be: DATE='TODAY' AND TABLE INCLUDES 'MSWinEventLog2,WinApplication' AND ALLFIELDS CONTAINS 'ntds.dit' AND EVENTID INCLUDES '216,325,326,327'
- Secretsdump.py / Invoke-NinjaCopy / DSInternals / FgDump / MetaSploit
- Process execution monitoring, coupled with the Group Policy setting to include command line arguments in process creation events and/or Sysmon, will capture the execution of these tools.
PortProxy
- Detecting the execution of the netsh command may be a reasonable option for most deployments. Netsh is rarely used by the Windows system itself and is generally only used in custom administrative scripts or interactively via PowerShell. Although the baseline Windows logging subsystem does not generally report open ports, blocked or allowed network activity from the Windows Firewall or other network devices can be helpful.
- The Snare Agent Registry Activity Monitoring (RAM) capability can track the registry key HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp. Netsh creates content in this area when it opens a TCP port.
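To show how the ESENT search and the PortProxy registry check discussed above look as detection logic, here is an added Python example (not code from the original post or from Snare) that runs three targeted checks over constructed event records: the ESENT event IDs combined with ntds.dit, the volume shadow copy commands listed earlier (vssadmin, wmic, ntdsutil), and any write under the PortProxy registry key, then groups the findings by host. The record field names, the registry record layout and the sample values are assumptions made for this example.

```python
import re
from collections import defaultdict

# ESENT event IDs the text associates with ntds.dit being created, attached or detached.
ESENT_IDS = {216, 325, 326, 327}

# Registry key named in the text; netsh writes here when it configures a port proxy.
PORTPROXY_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp"

# Command lines that take a volume shadow copy or export the directory database,
# covering the three tools the text lists (vssadmin, wmic, ntdsutil).
SHADOW_COPY_PATTERN = re.compile(
    r"vssadmin(\.exe)?\s+create\s+shadow"
    r"|wmic(\.exe)?\s+shadowcopy\s+call\s+create"
    r"|ntdsutil(\.exe)?\b.*\bifm\b",
    re.IGNORECASE,
)

# Constructed records as they might look once Snare Central has split events into
# fields (sample data, not real telemetry). 'table' follows the TABLE names in the
# search example; the registry record layout is an assumption made for this example.
EVENTS = [
    {"table": "MSWinEventLog2,WinApplication", "event_id": 325, "host": "dc01",
     "strings": r"ESENT ntdsutil.exe: The database engine created a new database "
                r"(1, C:\Windows\Temp\ifm\Active Directory\ntds.dit)."},
    {"table": "MSWinEventLog2,WinApplication", "event_id": 326, "host": "fs01",
     "strings": r"ESENT svchost.exe: The database engine attached a database "
                r"(C:\Windows\SoftwareDistribution\DataStore\DataStore.edb)."},
    {"table": "MSWinEventLog2,WinSecurity", "event_id": 4688, "host": "dc01",
     "strings": "Process Command Line: vssadmin.exe create shadow /for=C:"},
    {"table": "MSWinEventLog2,WinSecurity", "event_id": 4688, "host": "ws02",
     "strings": "Process Command Line: vssadmin.exe list shadows"},
    {"table": "RegistryActivity", "event_id": 0, "host": "ws02", "process": "netsh.exe",
     "key": PORTPROXY_KEY, "value": "0.0.0.0/9999", "data": "192.0.2.10/8443"},
    {"table": "RegistryActivity", "event_id": 0, "host": "ws02", "process": "svchost.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters",
     "value": "DhcpNameServer", "data": "192.0.2.53"},
]


def esent_ntds_hits(events):
    """ESENT events in the Application log whose text names ntds.dit."""
    return [e for e in events
            if "WinApplication" in e["table"]
            and e["event_id"] in ESENT_IDS
            and "ntds.dit" in e.get("strings", "").lower()]


def shadow_copy_hits(events):
    """Process creation events whose command line takes a shadow copy or an IFM export."""
    return [e for e in events
            if e["event_id"] == 4688 and SHADOW_COPY_PATTERN.search(e.get("strings", ""))]


def portproxy_registry_hits(events):
    """Registry activity under the PortProxy key, whatever process performed it."""
    prefix = PORTPROXY_KEY.lower()
    return [e for e in events
            if e["table"] == "RegistryActivity"
            and e.get("key", "").lower().startswith(prefix)]


def indicators_by_host(events):
    """Group the indicator types per host so hosts with stacked findings stand out."""
    found = defaultdict(set)
    for e in esent_ntds_hits(events):
        found[e["host"]].add("esent_ntds_dit")
    for e in shadow_copy_hits(events):
        found[e["host"]].add("shadow_copy")
    for e in portproxy_registry_hits(events):
        found[e["host"]].add("portproxy_registry")
    return {host: sorted(names) for host, names in found.items()}


if __name__ == "__main__":
    for host, names in sorted(indicators_by_host(EVENTS).items()):
        print(host, ", ".join(names))
```

The benign 326 event (Windows Update's DataStore.edb) and the read-only "vssadmin list shadows" are included on purpose: the event ID or tool name alone is not the indicator, the combination with ntds.dit or with a create operation is, which is the same reason the text pairs EVENTID INCLUDES with ALLFIELDS CONTAINS 'ntds.dit'.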
PowerShell
- Although usually a high volume event, Snare can be used to track executions of PowerShell, and also the individual (non-integrated) commands invoked from within PowerShell.
WMIExec
- Snare can catch the cmd.exe execution. If the 'command argument capture' setting is also enabled, the command line parameters are captured as well.
Enumeration
- Many of the actions undertaken by tools used in enumerating networks or services are captured by Snare agents by default.
Credential theft/Additional commands:
- Snare can capture command executions. File activity monitoring on dynamic directories may be inefficient, but could be useful for retrospective forensic analysis.
- Snare can help with detecting things like Mimikatz or related attack tools.
We have another blog on this here.
Special Event Log Activity
The Snare Agents collect all application, system and custom event logs by default, and only filter out some specific classes of Security events that are noisy and generally provide no forensic value. These logs can include a lot of good forensic intelligence related to system activity. Snare Central has several “out of the box” reports that facilitate reporting on suspicious activities.
Reports\Operating Systems\Administrative Activity\Windows\Audit Log Cleared – Searches for event 1102 on modern systems, and 517 and 104 on older OS versions. This is a tactic often used by someone malicious trying to cover their tracks.
Reports\Operating Systems\Administrative Activity\Windows\Accounts Added or Removed – Searches for 4720 and 4726 for accounts being added or removed. This is often done after an exploit has been run, to gain direct access to the systems as a normal privileged user.
Reports\Operating Systems\Administrative Activity\Windows\Audit Policy Changes – Searches for 4719 for system audit policy changes, which could be part of weakening system policies.
Reports\Operating Systems\Administrative Activity\Windows\Group Changes – Searches for many Windows group events related to making changes to group permissions and settings.
Reports\Operating Systems\Administrative Activity\Windows\Group Member Changes – Searches for many Windows group events related to members being added to or removed from groups.
Reports\Operating Systems\Administrative Activity\Windows\Groups Added or Removed – Searches for many Windows group events related to new groups being added or removed.
Reports\Operating Systems\Administrative Activity\Windows\User Account Changes – Searches for many Windows user-based events related to account permissions being changed or accounts being added to new groups.
The reports under Reports\Operating Systems\Windows Incidents cover other areas of incident detection, including Administrative Activity, File and Resource Access, Process Monitoring, Sysmon Activity and Windows DNS, which can help with IOC detection.
Proxy Logs
Proxy logs can be searched using the standard reports where the logs were collected using the Snare Agents. The proxy logs may show the path to the Internet used to access malicious content or to exfiltrate data. Reviewing the top sites or users may highlight who and where the activity was coming from for compromised users and systems. The standard reports are located here:
Reports\Application Audit\Proxy Servers
User Lateral Movement
Logins to other systems can be detected using standard login reports, which show which systems users are logging into. The report can be cloned as many times as needed, and each clone can have additional filters applied to target specific users or groups of users. This can be used to identify specific user accounts that are logging into multiple systems, which could be an indication of account compromise if the user access was not legitimate. Out-of-hours login reports can also be run to see which accounts are being used outside of standard working hours, when the accounts would not normally be used.
User login activity reports for Windows and other operating systems are found here:
Reports\Operating Systems\Login Activity
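As an added example (not the original post's or Snare Central's own report logic), the Python below applies the two checks described above to constructed logon records: accounts seen on an unusual number of distinct hosts, including a fan-out across several hosts within a few minutes, and logons outside standard working hours, with an exclusion for known service accounts that legitimately run overnight. The field names, the working-hours boundaries and the sample records are assumptions made for this example.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One logon as a Windows 4624 event would be reported. The field names are chosen
# for this example; logon types follow the 4624 codes (2 interactive, 3 network,
# 4 batch, 10 remote interactive).
Logon = namedtuple("Logon", "account host when logon_type")


def _logon(account, host, iso_time, logon_type):
    return Logon(account, host, datetime.fromisoformat(iso_time), logon_type)


# Constructed sample logons (not real telemetry). 2024-01-08 is a Monday and
# 2024-01-13 a Saturday.
LOGONS = [
    _logon("CORP\\jdoe", "ws01", "2024-01-08T08:55:00", 2),
    _logon("CORP\\jdoe", "ws01", "2024-01-09T09:02:00", 2),
    _logon("CORP\\asmith", "ws02", "2024-01-08T10:15:00", 2),
    _logon("CORP\\asmith", "ws01", "2024-01-08T22:40:00", 3),
    _logon("CORP\\asmith", "ws05", "2024-01-08T22:41:00", 3),
    _logon("CORP\\asmith", "fs01", "2024-01-08T22:43:00", 3),
    _logon("CORP\\asmith", "dc01", "2024-01-13T23:10:00", 10),
    _logon("CORP\\svc_backup", "fs01", "2024-01-09T02:00:00", 4),
    _logon("CORP\\svc_backup", "dc01", "2024-01-09T02:05:00", 4),
]


def hosts_per_account(logons):
    hosts = defaultdict(set)
    for entry in logons:
        hosts[entry.account].add(entry.host)
    return hosts


def accounts_spanning_hosts(logons, min_hosts=3):
    """Accounts seen on at least min_hosts distinct systems across the whole period."""
    return {account: sorted(hosts)
            for account, hosts in hosts_per_account(logons).items()
            if len(hosts) >= min_hosts}


def rapid_fanout(logons, window_minutes=10, min_hosts=3):
    """Accounts reaching min_hosts distinct systems inside a short window.

    Returns (account, window start, hosts) for the first such window per account.
    """
    by_account = defaultdict(list)
    for entry in logons:
        by_account[entry.account].append(entry)
    findings = []
    window = timedelta(minutes=window_minutes)
    for account, entries in by_account.items():
        entries.sort(key=lambda e: e.when)
        for i, first in enumerate(entries):
            hosts = {first.host}
            for later in entries[i + 1:]:
                if later.when - first.when > window:
                    break
                hosts.add(later.host)
            if len(hosts) >= min_hosts:
                findings.append((account, first.when, sorted(hosts)))
                break  # one finding per account is enough for triage
    return findings


def out_of_hours(logons, start_hour=8, end_hour=18, ignore_accounts=()):
    """Logons on weekends or outside [start_hour, end_hour) on weekdays.

    ignore_accounts suppresses service accounts that legitimately run overnight.
    """
    flagged = []
    for entry in logons:
        if entry.account in ignore_accounts:
            continue
        weekend = entry.when.weekday() >= 5
        after_hours = not (start_hour <= entry.when.hour < end_hour)
        if weekend or after_hours:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    print("accounts on many hosts:", accounts_spanning_hosts(LOGONS))
    for account, start, hosts in rapid_fanout(LOGONS):
        print(f"fan-out: {account} reached {hosts} within minutes of {start}")
    for entry in out_of_hours(LOGONS, ignore_accounts={"CORP\\svc_backup"}):
        print(f"out of hours: {entry.account} on {entry.host} at {entry.when}")
```

In Snare Central the equivalent is a cloned login report filtered to one account or group, as the text describes; the fan-out check is the part worth adding, because three network logons to three hosts inside three minutes is a different signal from three hosts over a month.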
User and group changes can also be tracked and reported on. One of the changes that malware often makes is to change or add users to have privileged access. Tracking if users have been added or removed, system policy changes occurring, and audit logs being cleared can be a sign of malicious activity, as the attacker may be trying to hide their tracks. Group and group member changes, as well as specific user changes for additional access, should also be tracked.
Snare Central has reports for tracking administrative user activity located here:
Reports\Operating Systems\Administrative Activity
Monitoring Critical files and Registry Locations
Snare Agents allow monitoring of critical file and registry locations using our FIM, FAM, RIM and RAM methods. We have a specific white paper here that covers core critical operating system locations, but customers can also monitor other specific application areas as needed.
Process Execution
Reviewing process execution can be complicated, as it can be difficult to understand which applications are normally used on the corporate network and which are not. However, you can gain context on what is run and spot what is abnormal by reviewing the activity of key systems and expanding to review other systems as needed. The risk may be lower if application whitelisting has been implemented, but not all organizations have been able to whitelist all application usage.
Process monitoring reports can be found here:
Reports\Operating Systems\Process Monitoring
- Use the sample reports to search for some of the common network ports being used (8080, 8433, 8043, 8000, 10443) together with various file names, including but not limited to cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe.
- A number of other tools can be used as part of lateral movement. Some are covered above, but the logs may require additional analysis where the tools involved include certutil, dnscmd, ldifde, makecab, net user/group/use, netsh, nltest, ntdsutil, PowerShell, reg query/save, systeminfo, tasklist, wevtutil, wmic, and xcopy.
Network Activity Monitoring
If Snare Central is configured to collect firewall, router, switch, and other logs from Snort (or other IDS/IPS systems), it can help correlate actions performed by systems and users to show where malicious content was downloaded from or where data was exfiltrated to. Reports can be created for a variety of network devices, with filters to look for specific IP addresses of interest from either internal or external sites. In the case of this malware, using the source address of the SolarWinds server and any other compromised server may help narrow down what actions were taken and how they were performed on the corporate network. Some of the standard network activity monitoring reports can be found here:
Reports\Network
Database Activity Monitoring
The Snare MSSQL agent provides Database Activity Monitoring. This capability can provide additional information on what corporate data was accessed inside MS SQL Server databases. By tracking access to the databases, reviewing the contents of the SQL commands and monitoring who ran them, the log data can provide additional forensic information when combined with other user activity. There are several standard reports in Snare Central that provide details on Admin and DBA activity, database activity and the usage of specific commands. Users can report on login activity and the use of user rights, review specific SQL events, report on objects accessed using custom reports, and tune them to the customer's specific naming conventions. Some of the standard reports can be found here:
Reports\Application Audit\MSSQL Server
Need Additional Support Using Snare to Detect Volt Typhoon APT?
For additional information please contact our Technical Team or your regional Sales Team.