Case Study 27.2: Volt Typhoon and the Evolution of Living Off the Land

A Ghost in the Machine

In May 2023, Microsoft published a threat intelligence advisory that sent shockwaves through the cybersecurity community. A Chinese state-sponsored threat actor, designated "Volt Typhoon" (also tracked as "Vanguard Panda" by CrowdStrike and "Bronze Silhouette" by Secureworks), had been quietly infiltrating U.S. critical infrastructure since at least mid-2021. The targets included communications, energy, water, transportation, and maritime sectors -- the backbone of American society.

What made Volt Typhoon remarkable was not the sophistication of its exploits or the novelty of its malware. It was the near-complete absence of malware altogether. Volt Typhoon operated almost exclusively through Living Off the Land techniques, using legitimate Windows tools and commands to achieve its objectives. The group's operational discipline was so thorough that some compromised organizations had been penetrated for over two years without any indication of compromise.

This case study examines Volt Typhoon's LOTL methodology, the detection challenges it created, and the implications for both red team operations and defensive security. We also examine how the Volt Typhoon revelation accelerated the adoption of alternative C2 frameworks -- particularly Nighthawk and Brute Ratel -- by both legitimate operators and threat actors seeking to replicate Volt Typhoon's stealth.

The Campaign

Initial Access

Volt Typhoon gained initial access primarily through exploitation of internet-facing network appliances, particularly Fortinet FortiGuard devices. The group exploited known vulnerabilities in these appliances and, in some cases, used compromised SOHO (Small Office/Home Office) routers as operational relay points to proxy their traffic, making it appear to originate from the victim's geographic area.

The use of compromised SOHO routers (particularly ASUS, Cisco, and NETGEAR devices running outdated firmware) as relay infrastructure was itself a LOTL technique applied at the network level. Rather than operating from identifiable C2 servers, Volt Typhoon routed traffic through legitimate residential and small business routers, blending with normal internet traffic.

Credential Harvesting Without Mimikatz

Traditional attackers drop Mimikatz or similar tools to harvest credentials. Volt Typhoon avoided this entirely, using built-in Windows capabilities:

  • NTDS.dit extraction: Used ntdsutil.exe (a legitimate Active Directory maintenance tool) to create a snapshot of the AD database, then extracted password hashes offline
  • Volume Shadow Copy: Used vssadmin.exe to create shadow copies of the system drive, enabling access to locked files like SAM and SYSTEM registry hives
  • comsvcs.dll MiniDump: Used rundll32.exe with the legitimate comsvcs.dll library to dump LSASS process memory
  • Registry extraction: Used reg save HKLM\SAM and reg save HKLM\SYSTEM to export credential databases

Every tool used was a signed, legitimate Microsoft binary. No credential harvesting tool was ever dropped to disk.

Reconnaissance and Discovery

Volt Typhoon's reconnaissance operations relied entirely on built-in commands:

# Domain enumeration
nltest /dclist:
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain

# Network discovery
netstat -ano
ipconfig /all
arp -a

# System enumeration
systeminfo
tasklist /v
wmic process list brief
wmic service list brief

# File discovery
dir /s /b \\fileserver\share\*.docx *.xlsx *.pdf

# User session enumeration
quser
query session
net session

These commands are indistinguishable from normal system administration activity. A domain administrator running nltest /dclist: looks exactly the same in logs whether they are a legitimate admin or a threat actor.

Lateral Movement

Volt Typhoon moved laterally using Windows-native capabilities:

  • WMI (Windows Management Instrumentation): wmic /node:target process call create "cmd.exe /c <command>" to execute commands on remote systems
  • PowerShell Remoting: Enter-PSSession -ComputerName target for interactive remote sessions
  • Remote Desktop Protocol (RDP): Standard RDP connections using stolen credentials, which look identical to legitimate administrative access
  • PsExec-like functionality: Using WMI or scheduled tasks instead of the actual PsExec tool

Persistence

Persistence mechanisms were similarly native:

  • Scheduled Tasks: Created via schtasks /create to run commands at system startup or on a schedule
  • WMI Event Subscriptions: Persistent WMI event filters and consumers that execute commands when specific conditions are met
  • Service creation: sc create to install persistence as a Windows service
  • Startup folder: Placing scripts in user and system startup locations

Data Staging and Exfiltration

Data was staged and exfiltrated using:

  • certutil.exe: Base64 encoding of files for exfiltration through text-based channels
  • makecab.exe: Native Windows compression utility to package data for exfiltration
  • bitsadmin.exe: Background Intelligent Transfer Service for controlled data transfer
  • PowerShell: Various cmdlets for file compression and transfer

The Detection Challenge

Why Traditional Security Failed

Volt Typhoon's LOTL approach defeated multiple layers of traditional security:

Antivirus/EDR: No malware was deployed. Every executable that ran was a signed Microsoft binary. AV/EDR products cannot block ntdsutil.exe or certutil.exe without breaking legitimate administrative workflows.

Application Whitelisting: AppLocker and similar solutions were irrelevant -- every binary used was on the whitelist by default because they were legitimate system tools.

Network Detection: Without traditional C2 traffic, network-based detection had limited signals to analyze. Lateral movement used standard Windows protocols (WMI, RDP, SMB) that generate enormous volumes of legitimate traffic.

SIEM Rules: Most SIEM detection rules focus on known malicious indicators -- malware hashes, suspicious executables, known C2 domains. Volt Typhoon triggered none of these.

What Could Have Detected Volt Typhoon

The CISA advisory following the Volt Typhoon disclosure provided detailed detection guidance, highlighting several approaches:

Enhanced Logging: Organizations that had comprehensive command-line logging (Sysmon Event ID 1 with full command-line capture) could retroactively search for suspicious command sequences. The key is not individual commands but the pattern: systeminfo followed by net group "Domain Admins" /domain followed by nltest /dclist: executed from the same session in rapid succession is reconnaissance, not routine administration.

Behavioral Baselines: Organizations that maintained baselines of normal LOLBin usage could detect anomalies. If ntdsutil.exe runs once a year for legitimate maintenance, its unexpected execution is an alert-worthy event. If certutil -urlcache has never been observed in the environment, any instance should trigger investigation.

User Behavior Analytics (UBA): Analyzing which accounts use which tools, from which systems, at which times. A service account running net group "Domain Admins" at 2 AM from a workstation that has never been associated with that account is suspicious regardless of whether malware is involved.

Network Flow Analysis: While individual connections looked normal, the aggregate pattern of lateral movement was detectable through network flow analysis. Unusual SMB or WMI connections between systems that do not normally communicate, especially in sequence, indicate lateral movement.

Honeypots and Deception: Canary files, honey credentials, and deception technology could detect Volt Typhoon's reconnaissance and credential harvesting. If a credential that exists nowhere except in a honeypot suddenly appears in authentication logs, an attacker has harvested and used it.

The Nighthawk and Brute Ratel Connection

The Post-Cobalt Strike Landscape

Volt Typhoon demonstrated that the most effective adversaries do not need traditional C2 frameworks. But not every threat actor (or red team) can operate with Volt Typhoon's discipline. Many still need C2 frameworks -- they just need ones that are not as heavily detected as Cobalt Strike.

This demand drove the rise of alternative C2 frameworks, particularly:

Brute Ratel C4 (BRc4): Created by Chetan Nayak (a former CrowdStrike and Mandiant red team operator), Brute Ratel was specifically designed to evade EDR. Its key innovations included: - Direct syscall execution bypassing user-mode hooks - Custom memory allocation avoiding standard API patterns - ETW (Event Tracing for Windows) and AMSI patching to blind telemetry sources - Sleep masking to encrypt the agent in memory when idle

BRc4 was sold exclusively to verified security professionals at approximately $2,500/year. In September 2022, however, a cracked copy of BRc4 v1.0 appeared on Russian-language cybercrime forums. Within weeks, threat intelligence firms detected it being used in real attacks -- notably by former Conti ransomware affiliates. The proliferation cycle that took Cobalt Strike years occurred in weeks.

Nighthawk: Developed by MDSec, Nighthawk is a commercial C2 framework with advanced evasion. Its restricted availability (sold only to vetted customers) has kept it less profiled than Cobalt Strike. Nighthawk features include advanced sleep obfuscation, indirect syscall execution, and customizable communication profiles. Its detection profile remains lower because fewer samples are available for analysis, but this is security through obscurity rather than fundamental technical superiority.

The Arms Race Accelerates

The combined effect of Volt Typhoon's LOTL success and the rise of alternative C2 frameworks has compressed the detection arms race:

  1. Defenders invest in behavioral detection because signature-based approaches cannot detect LOTL or novel C2 frameworks
  2. Attackers adopt more sophisticated evasion including sleep masking, direct syscalls, and ETW patching
  3. Defenders develop in-memory scanning and telemetry sources that are harder to evade
  4. Attackers find new telemetry blind spots and the cycle continues

Implications for Red Teams

Learning from Volt Typhoon

Legitimate red teams can learn several operational lessons from Volt Typhoon:

LOTL Discipline: Rather than defaulting to C2 frameworks for every operation, red teams should practice conducting entire phases of an engagement using only built-in tools. This provides more realistic testing of the client's detection capabilities.

Operational Security (OPSEC): Volt Typhoon's success came from consistent operational discipline, not any single technique. Every action was considered for its detection potential. Red teams should develop similar OPSEC checklists.

Infrastructure Blending: Using residential proxies and compromised SOHO routers (in lab simulations) to make attack traffic blend with normal internet traffic is a technique red teams should test against clients' network monitoring.

Phased Approaches: Volt Typhoon demonstrated that patience -- operating slowly over months or years -- is more effective than rapid, noisy operations. Red team engagements should include long-duration exercises where possible.

Ethical Considerations

Red teams studying Volt Typhoon must maintain clear boundaries:

  1. Never compromise third-party infrastructure (routers, servers) as relay points, even if threat actors do. Use commercially available redirectors and proxies instead.
  2. Document LOTL techniques transparently in reports. The value is in showing what detections failed, not in maintaining stealth.
  3. Provide actionable detection guidance for every LOTL technique used. The client's security team should be able to detect the technique after reading the report.
  4. Time-box engagements appropriately. While Volt Typhoon operated for years, red team exercises should have defined end dates and regular check-ins with the client's security leadership.

CISA Response and Detection Guidance

Following the Volt Typhoon disclosure, CISA (Cybersecurity and Infrastructure Security Agency) issued extensive guidance:

  1. Centralized logging with at least 12 months of retention for: - Windows Security Event Log (Event IDs 4624, 4625, 4648, 4672, 4688, 4697, 4698, 4702, 4720) - Sysmon (Event IDs 1, 3, 8, 10, 11, 12, 13, 17, 18, 22, 23, 25) - PowerShell Script Block Logging (Event ID 4104) - DNS query logging

  2. Network monitoring focused on: - Unusual SMB, RDP, and WMI traffic between systems - Outbound connections from servers that typically do not initiate external connections - DNS queries to newly registered or uncategorized domains - Large data transfers to unusual destinations

  3. Identity monitoring: - Impossible travel detections (same account logging in from distant locations) - Service account usage anomalies - Privilege escalation patterns - Credential use on systems where the account owner does not typically authenticate

Hardening Recommendations

  1. Disable unnecessary LOLBins where possible (restrict certutil.exe, mshta.exe, regsvr32.exe usage through AppLocker or WDAC policies)
  2. Implement Privileged Access Workstations (PAWs) for domain administration
  3. Enable credential guard to protect LSASS from memory dumping
  4. Segment networks to limit lateral movement paths
  5. Patch edge devices (VPNs, firewalls, routers) as a top priority
  6. Implement MFA for all remote access and privileged operations

Lessons Learned

For Red Team Operators

  • Pure LOTL operations provide the most realistic assessment of an organization's detection capabilities
  • C2 framework selection should be driven by the engagement's detection testing objectives, not convenience
  • Operational discipline (minimizing noise, blending with normal activity) is more important than technical sophistication
  • New C2 frameworks have a window of reduced detection before the security community develops signatures -- plan accordingly

For Blue Team Defenders

  • Signature-based detection is insufficient against disciplined adversaries using only built-in tools
  • Behavioral baselines and anomaly detection are essential for LOTL detection
  • Comprehensive logging must be in place before an incident occurs -- it cannot be retroactively enabled
  • Network segmentation and zero-trust architecture limit the impact of LOTL lateral movement
  • Regular purple team exercises should specifically include LOTL scenarios

For the Security Industry

  • The Volt Typhoon campaign demonstrated that the most dangerous adversaries do not rely on malware
  • The rapid proliferation of Brute Ratel (cracked within months of release) shows that the Cobalt Strike proliferation pattern is repeatable and accelerating
  • Investment in behavioral detection, anomaly detection, and deception technology is essential for the evolving threat landscape
  • Critical infrastructure organizations need specialized detection capabilities beyond standard enterprise security

Discussion Questions

  1. Volt Typhoon operated for over two years in some environments without detection. What organizational factors enabled such a long dwell time? What changes would most reduce this risk?

  2. If every command Volt Typhoon used was a legitimate system administration tool, how should organizations distinguish between authorized and unauthorized use? Where is the line between security monitoring and privacy intrusion for administrators?

  3. The cracked Brute Ratel version appeared within months of release. Is the commercial C2 framework licensing model fundamentally flawed? How should security tool vendors protect against unauthorized distribution?

  4. CISA recommended disabling unnecessary LOLBins. In practice, how would an organization determine which LOLBins are "necessary" without breaking legitimate workflows? Describe an approach for MedSecure.

  5. Compare Volt Typhoon's LOTL approach to a hypothetical attack using Cobalt Strike. Which would be harder to detect in MedSecure's environment? Which would provide more value as a red team exercise?

Timeline

Date Event
Mid-2021 Volt Typhoon begins infiltrating U.S. critical infrastructure
2022 BRc4 released commercially; cracked version leaks by September
May 2023 Microsoft and Five Eyes intelligence agencies publish Volt Typhoon advisory
June 2023 CISA issues detailed detection and hardening guidance
December 2023 FBI disrupts Volt Typhoon botnet of compromised SOHO routers (KV Botnet)
February 2024 CISA and FBI confirm Volt Typhoon had pre-positioned for disruptive attacks on U.S. infrastructure
2024-2025 Increased industry investment in behavioral detection and LOTL monitoring capabilities

References

  • Microsoft Threat Intelligence. (2023). "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques." Microsoft Security Blog.
  • CISA. (2023). "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection." Joint Cybersecurity Advisory AA23-144A.
  • CISA. (2024). "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure." Joint Cybersecurity Advisory AA24-038A.
  • CrowdStrike. (2023). "Vanguard Panda Analysis." CrowdStrike Intelligence.
  • Nayak, C. (2022). "Brute Ratel C4: A New Red Teaming and Adversary Simulation Tool." BRc4 Documentation.
  • MDSec. (2023). "Nighthawk: Advanced Adversary Simulation." MDSec Product Documentation.
  • FBI. (2024). "FBI Disrupts PRC-Linked Botnet Used for Critical Infrastructure Targeting." FBI Press Release.
  • Mandiant. (2023). "UNC3886: Espionage Group Targeting Edge Devices." Google Cloud Threat Intelligence.