Threat Hunt - Volt Typhoon
Hypothesis
Based on the joint advisory from the ACSC and the WA Cyber Security Unit (DGOV Technical), and on the observations Microsoft has published on Volt Typhoon's methods, this hunt tests the hypothesis that the Volt Typhoon threat group has compromised, or is actively targeting, critical infrastructure systems within our monitored environments using living-off-the-land techniques. The specific behaviours hunted for are the creation of domain controller installation media (ntdsutil IFM) to copy the Active Directory database, the establishment of internal proxies (netsh portproxy), and the use of custom Fast Reverse Proxy (FRP) executables, all of which the actor uses to avoid detection and maintain persistence.
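The three behaviours named in the hypothesis can be expressed as a first-pass hunt over process-creation telemetry (Windows Security 4688 or Sysmon Event ID 1 exports). The block below is an added example written for this page, not a query taken from the ACSC, DGOV or Microsoft advisories. The sample events are constructed, the command-line shapes follow the publicly documented patterns (ntdsutil "ac i ntds" "ifm" ... and netsh interface portproxy add ...), and the FRP rule is assumed to be weak because it matches only the default frpc/frps binary names while the actor is known to ship renamed custom builds.

```python
import re

# Constructed sample process-creation events in the shape of a 4688 / Sysmon 1 export.
# These are NOT real telemetry from the monitored environment.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q'},
    {"host": "WS042", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 "
                "listenport=9999 connectaddress=10.0.0.5 connectport=8443"},
    {"host": "WS042", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy show all"},          # benign: read-only query
    {"host": "SRV07", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\ProgramData\frpc.exe",
     "cmdline": r"C:\ProgramData\frpc.exe -c C:\ProgramData\frpc.ini"},
    {"host": "DC01", "user": "CORP\\admin",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full D:\IFM" q q'},
    {"host": "WS013", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},                              # benign noise
]

# (label, pattern) pairs, one per hypothesised behaviour. Labels carry the
# MITRE ATT&CK technique they map to so hits can be tallied per technique.
RULES = [
    ("T1003.003 ntdsutil IFM media creation (NTDS.dit copy)",
     re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    ("T1090.001 netsh portproxy rule added (internal proxy)",
     re.compile(r"\bnetsh(\.exe)?\s+(interface|int)\s+portproxy\s+add\b", re.I)),
    ("T1090 FRP binary by default name (weak: custom builds are renamed)",
     re.compile(r"\bfrp[cs](\.exe)?\b", re.I)),
]


def hunt(events):
    """Return one (host, user, rule_label) hit per event per matching rule.

    Both the image path and the command line are searched, so a renamed
    process launched with a tell-tale command line is still caught.
    """
    hits = []
    for ev in events:
        for label, pattern in RULES:
            if pattern.search(ev["cmdline"]) or pattern.search(ev["image"]):
                hits.append((ev["host"], ev["user"], label))
    return hits


def hosts_by_technique(hits):
    """Group hit hosts by rule label, so the analyst sees scope per technique."""
    grouped = {}
    for host, _user, label in hits:
        grouped.setdefault(label, set()).add(host)
    return grouped


if __name__ == "__main__":
    for host, user, label in hunt(SAMPLE_EVENTS):
        print(f"{host:6} {user:22} {label}")
    for label, hosts in hosts_by_technique(hunt(SAMPLE_EVENTS)).items():
        print(f"{label}: {sorted(hosts)}")
```

Two caveats apply when this is run against real telemetry. The ntdsutil rule will also fire on a legitimate IFM creation during a planned domain controller promotion, so every hit needs the change record checked rather than being dismissed on sight. The portproxy rule only sees the moment the rule is added; because netsh persists portproxy entries in the registry under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, a hunt for existing proxies should also enumerate that key on each host, which catches proxies set up before process logging was enabled.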