Volt Typhoon
Also known as: BRONZE SILHOUETTE, Vanguard Panda, DEV-0391, UNC3236, Voltzite, Insidious Taurus
[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and its territories including Guam. [Volt Typhoon](https://attack.mitre.org/groups/G1017)'s targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. [Volt Typhoon](https://attack.mitre.org/groups/G1017) has emphasized stealth in operations using we...
Techniques: 81
Covered: 65
Gaps: 16
Coverage: 80% (65/81)
GAPS (16)

| ID | Technique |
|---|---|
| T1070.007 | Clear Network Connection History and Configurations |
| T1573.001 | Symmetric Cryptography |
| T1584.003 | Virtual Private Server |
| T1584.004 | Server |
| T1584.005 | Botnet |
| T1584.008 | Network Devices |
| T1587.004 | Exploits |
| T1588.006 | Vulnerabilities |
| T1590.004 | Network Topology |
| T1590.006 | Network Security Appliances |
| T1591 | Gather Victim Org Information |
| T1593 | Search Open Websites/Domains |
| T1594 | Search Victim-Owned Websites |
| T1596.005 | Scan Databases |
| T1614 | System Location Discovery |
| T1680 | Local Storage Discovery |
COVERED (65)

| ID | Technique | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 105 |
| T1003.003 | NTDS | 34 |
| T1005 | Data from Local System | 46 |
| T1006 | Direct Volume Access | 8 |
| T1007 | System Service Discovery | 11 |
| T1010 | Application Window Discovery | 1 |
| T1012 | Query Registry | 22 |
| T1016 | System Network Configuration Discovery | 35 |
| T1016.001 | Internet Connection Discovery | 6 |
| T1018 | Remote System Discovery | 46 |
| T1021.001 | Remote Desktop Protocol | 51 |
| T1027.002 | Software Packing | 1 |
| T1033 | System Owner/User Discovery | 59 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1036.008 | Masquerade File Type | 4 |
| T1046 | Network Service Discovery | 49 |
| T1047 | Windows Management Instrumentation | 85 |
| T1049 | System Network Connections Discovery | 21 |
| T1056.001 | Keylogging | 4 |
| T1057 | Process Discovery | 18 |
| T1059.001 | PowerShell | 338 |
| T1059.003 | Windows Command Shell | 79 |
| T1059.004 | Unix Shell | 149 |
| T1068 | Exploitation for Privilege Escalation | 91 |
| T1069 | Permission Groups Discovery | 24 |
| T1069.001 | Local Groups | 35 |
| T1069.002 | Domain Groups | 42 |
| T1070.001 | Clear Windows Event Logs | 15 |
| T1070.004 | File Deletion | 40 |
| T1074 | Data Staged | 12 |
| T1074.001 | Local Data Staging | 10 |
| T1078 | Valid Accounts | 252 |
| T1078.002 | Domain Accounts | 26 |
| T1083 | File and Directory Discovery | 48 |
| T1087.001 | Local Account | 32 |
| T1087.002 | Domain Account | 55 |
| T1090 | Proxy | 44 |
| T1090.001 | Internal Proxy | 10 |
| T1090.003 | Multi-hop Proxy | 8 |
| T1105 | Ingress Tool Transfer | 170 |
| T1112 | Modify Registry | 197 |
| T1113 | Screen Capture | 17 |
| T1120 | Peripheral Device Discovery | 4 |
| T1124 | System Time Discovery | 4 |
| T1133 | External Remote Services | 72 |
| T1140 | Deobfuscate/Decode Files or Information | 55 |
| T1190 | Exploit Public-Facing Application | 208 |
| T1217 | Browser Information Discovery | 4 |
| T1218 | System Binary Proxy Execution | 227 |
| T1497.001 | System Checks | 6 |
| T1505.003 | Web Shell | 57 |
| T1518 | Software Discovery | 15 |
| T1552 | Unsecured Credentials | 76 |
| T1552.004 | Private Keys | 20 |
| T1555 | Credentials from Password Stores | 38 |
| T1555.003 | Credentials from Web Browsers | 15 |
| T1560.001 | Archive via Utility | 24 |
| T1570 | Lateral Tool Transfer | 20 |
| T1588.002 | Tool | 13 |
| T1589 | Gather Victim Identity Information | 1 |
| T1589.002 | Email Addresses | 2 |
| T1590 | Gather Victim Network Information | 4 |
| T1591.004 | Identify Roles | 2 |
| T1592 | Gather Victim Host Information | 4 |
| T1654 | Log Enumeration | 1 |