
Volt Typhoon

Aliases: Volt Typhoon, BRONZE SILHOUETTE, Vanguard Panda, DEV-0391, UNC3236, Voltzite, Insidious Taurus, DazedToad

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. [Volt Typhoon](https://attack.mitre.org/groups/G1017)'s targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. [Volt Typhoon](https://attack.mitre.org/groups/G1017) has emphasized stealth in operations using w...

Techniques: 82
Covered: 66
Gaps: 16
Coverage: 80% (66/82)

COVERED (66)

| Technique | Name | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 111 |
| T1003.003 | NTDS | 36 |
| T1005 | Data from Local System | 47 |
| T1006 | Direct Volume Access | 8 |
| T1007 | System Service Discovery | 15 |
| T1010 | Application Window Discovery | 1 |
| T1012 | Query Registry | 24 |
| T1016 | System Network Configuration Discovery | 39 |
| T1016.001 | Internet Connection Discovery | 6 |
| T1018 | Remote System Discovery | 50 |
| T1021.001 | Remote Desktop Protocol | 53 |
| T1027.002 | Software Packing | 1 |
| T1033 | System Owner/User Discovery | 61 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1036.008 | Masquerade File Type | 5 |
| T1046 | Network Service Discovery | 51 |
| T1047 | Windows Management Instrumentation | 87 |
| T1049 | System Network Connections Discovery | 22 |
| T1056.001 | Keylogging | 4 |
| T1057 | Process Discovery | 20 |
| T1059.001 | PowerShell | 368 |
| T1059.003 | Windows Command Shell | 82 |
| T1059.004 | Unix Shell | 155 |
| T1068 | Exploitation for Privilege Escalation | 99 |
| T1069 | Permission Groups Discovery | 31 |
| T1069.001 | Local Groups | 37 |
| T1069.002 | Domain Groups | 44 |
| T1070.001 | Clear Windows Event Logs | 16 |
| T1070.004 | File Deletion | 42 |
| T1074 | Data Staged | 12 |
| T1074.001 | Local Data Staging | 10 |
| T1078 | Valid Accounts | 280 |
| T1078.002 | Domain Accounts | 28 |
| T1083 | File and Directory Discovery | 48 |
| T1087.001 | Local Account | 33 |
| T1087.002 | Domain Account | 57 |
| T1090 | Proxy | 46 |
| T1090.001 | Internal Proxy | 10 |
| T1090.003 | Multi-hop Proxy | 9 |
| T1105 | Ingress Tool Transfer | 183 |
| T1112 | Modify Registry | 203 |
| T1113 | Screen Capture | 18 |
| T1120 | Peripheral Device Discovery | 4 |
| T1124 | System Time Discovery | 4 |
| T1133 | External Remote Services | 72 |
| T1140 | Deobfuscate/Decode Files or Information | 58 |
| T1190 | Exploit Public-Facing Application | 216 |
| T1217 | Browser Information Discovery | 4 |
| T1218 | System Binary Proxy Execution | 245 |
| T1497.001 | System Checks | 6 |
| T1505.003 | Web Shell | 63 |
| T1518 | Software Discovery | 17 |
| T1552 | Unsecured Credentials | 95 |
| T1552.004 | Private Keys | 22 |
| T1555 | Credentials from Password Stores | 40 |
| T1555.003 | Credentials from Web Browsers | 16 |
| T1560.001 | Archive via Utility | 26 |
| T1570 | Lateral Tool Transfer | 22 |
| T1588.002 | Tool | 13 |
| T1589 | Gather Victim Identity Information | 1 |
| T1589.002 | Email Addresses | 2 |
| T1590 | Gather Victim Network Information | 5 |
| T1591.004 | Identify Roles | 2 |
| T1592 | Gather Victim Host Information | 4 |
| T1654 | Log Enumeration | 1 |
| T1685.005 | Clear Windows Event Logs | 11 |