Stairwell vs. Volt Typhoon
… and whatever’s next
I read through yesterday’s big Microsoft / National Security Agency release on state-sponsored actors and, after some collaborative brainstorming with Mike Wiacek, Chris St.Myers, and Daniel Mayer, I wanted to outline some of the TTPs that Stairwell is uniquely positioned to help organizations with: not just on this latest threat, but on the next one too.
- First and foremost, a big part of the Stairwell automation solution is the instant, automated “clean bill of health” report: the same day a report like this is released, Stairwell customers can get a notice (via API or email) that their organization either is not impacted, or that it IS, and if so, exactly when and exactly where.
But to dig in more technically to the specific TTPs outlined in the very excellent report from Microsoft and the full report from the NSA/CSS:
- The actor was using four different PowerShell or Python scripts once on a system (Secretsdump.py, wmiexec.py, Invoke-NinjaCopy (PS), DSInternals (PS)). Stairwell finds every instance of those, even when the actor deleted them after using them. Despite relying on LOLBins, they are still landing a PowerShell or Python script on the machine, and we grab a copy and record every instance.
- The actor was using Mimikatz, which is obviously a common TTP, but again, Stairwell tracks every version of Mimikatz hitting a system, even for a minute, including any variants.
- Despite the activity being mostly LOLBins, between the two versions of the reports there are still thirty (30) SHA-256 indicator hashes, so one sub-second query in Stairwell tells you instantly whether those hashes have ever been in your environment.
- And of course, we’re auto-finding variants of the hashes. One of the 11 hashes I spot-checked has 12 (!) variants our neural net found, including three that are rated as 100% matches, so you’re not just looking for the exact SHA-256; you’re finding other variants of “Earthworm” instantaneously by searching for one of them.
- The report has four YARA rules looking for signatures inside the threat actor’s tools. You can put those YARA rules into Stairwell and run them at hyper speed over all relevant files that have EVER been in your environment, not just those currently there.
- We are pulling in .jsp files. The threat actor was dropping JSP webshells as part of their process, so we find all of those webshells: not just those currently on disk, but especially any that were used and then deleted.
- If the threat actor was using LOLBins from different directories, as is very typical, we find every instance of a legitimate LOLBin hash located in a non-standard file path with a single query in Stairwell, by excluding the default file path from the search.
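The two query patterns above (has this list of SHA-256 indicators ever been seen, and is a legitimate LOLBin hash sitting outside its default directory) both reduce to lookups over a historical file-observation inventory. The following is an added example, not Stairwell’s code or API: it builds a constructed inventory that keeps records of files even after they were deleted, then runs both queries over it. Every hash, host and path is a placeholder, not an indicator from the Microsoft or NSA/CSS reports.

```python
"""Querying a historical file inventory: exact IoC hash matches, plus known
LOLBin hashes sighted outside the directories they normally live in.

Added illustration, not Stairwell's own code. All hashes, hosts and paths
below are constructed placeholders, not real indicators.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable


@dataclass(frozen=True)
class Observation:
    """One file sighting kept in the inventory, whether or not the file still exists."""
    host: str
    path: str
    sha256: str
    first_seen: str
    deleted: bool  # file was later removed from disk; the record (and a copy) are kept


# Constructed placeholder hashes (not real indicators).
H_WEBSHELL = "a1" * 32  # stand-in for a report hash, e.g. a JSP webshell
H_WMIC = "b2" * 32      # stand-in for the hash of a legitimate wmic.exe
H_APP = "c3" * 32       # unrelated benign file

# Constructed inventory: note the deleted webshell and the relocated LOLBin copy.
INVENTORY = [
    Observation("srv-web-02", r"C:\inetpub\wwwroot\img\u.jsp", H_WEBSHELL, "2023-03-14", deleted=True),
    Observation("ws-17", r"C:\Windows\System32\wbem\WMIC.exe", H_WMIC, "2022-11-01", deleted=False),
    Observation("ws-17", r"C:\Users\Public\Libraries\wmic.exe", H_WMIC, "2023-04-02", deleted=True),
    Observation("ws-09", r"C:\Program Files\Vendor\app.exe", H_APP, "2023-01-20", deleted=False),
]

# Stand-in for the report's indicator list.
IOC_HASHES = {H_WEBSHELL}

# Legitimate LOLBin hash -> directories where that binary normally lives
# (lower-case, no trailing separator).
LOLBIN_EXPECTED_DIRS = {
    H_WMIC: {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
}


def find_ioc_matches(inventory: Iterable[Observation], iocs: Iterable[str]) -> list[Observation]:
    """Return every sighting whose SHA-256 is in the indicator set, deleted files included."""
    wanted = {h.lower() for h in iocs}
    return [o for o in inventory if o.sha256.lower() in wanted]


def find_relocated_lolbins(inventory: Iterable[Observation],
                           expected: dict[str, set[str]]) -> list[Observation]:
    """Return sightings of a known LOLBin hash whose parent directory is not an
    expected one, i.e. 'hash == X AND path NOT IN default locations'."""
    hits = []
    for o in inventory:
        dirs = expected.get(o.sha256.lower())
        if dirs is None:
            continue  # not a LOLBin we track
        parent = str(PureWindowsPath(o.path).parent).lower()
        if parent not in dirs:
            hits.append(o)
    return hits


if __name__ == "__main__":
    for o in find_ioc_matches(INVENTORY, IOC_HASHES):
        print("IoC hit:", o.host, o.path, "(deleted)" if o.deleted else "")
    for o in find_relocated_lolbins(INVENTORY, LOLBIN_EXPECTED_DIRS):
        print("LOLBin outside default path:", o.host, o.path)
```

The point the two queries share is that the inventory is keyed by content hash and retains deleted files, so the webshell that was used and removed and the LOLBin copy staged under a user-writable directory both still come back. Path matching is done on the lower-cased parent directory, since Windows paths are case-insensitive.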
- And finally, the threat actors, like a lot of current ones, were using legitimate remote access tools that don’t flag on traditional antivirus. Stairwell is not the only solution that can run these types of queries to find all remote access tools (Tanium, for one, or CrowdStrike for another), but most others are more expensive, more difficult, or more taxing on the systems being queried. We make it super easy to do so, and we also find any variants of the tools: for example, if the threat actor creates a null-byte-padded version of a non-malicious remote access tool, that might still avoid traditional antivirus or EDR detection, but it would not be able to evade Stairwell.
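The variant point made here and in the “Earthworm” bullet above comes down to one thing: an exact SHA-256 lookup misses a file whose bytes were changed trivially, so matching has to be tolerant of such changes. The following added example (not Stairwell’s code, and not how its neural net works) shows the simplest case the post names: a padding-tolerant fingerprint that treats a null-byte-padded copy of a known tool as a variant of it. The “tool” bytes are a constructed stand-in, not a real binary, and `content_fingerprint` is a deliberately naive assumption that only covers trailing NUL padding.

```python
"""Exact hash vs. padding-tolerant fingerprint for variant detection.

Added illustration, not Stairwell's code. The fingerprint here is a
deliberately simple stand-in for similarity / ML-based variant matching:
it handles only the trailing-null-padding case described in the post.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Exact content hash, the kind of value that appears in an indicator list."""
    return hashlib.sha256(data).hexdigest()


def trailing_null_bytes(data: bytes) -> int:
    """Size of the trailing NUL overlay; a large value on a small file is itself a triage signal."""
    return len(data) - len(data.rstrip(b"\x00"))


def content_fingerprint(data: bytes) -> str:
    """SHA-256 over the content with trailing NUL padding removed (assumption:
    a naive stand-in for real variant matching)."""
    return sha256_hex(data.rstrip(b"\x00"))


# Constructed stand-in for the bytes of a legitimate remote access tool (not a real PE).
RAT_ORIGINAL = b"MZ\x90\x00" + b"constructed-remote-access-tool-bytes" * 64

# Constructed catalogue of known tools: the exact hash and the padding-tolerant fingerprint.
KNOWN_TOOLS = {
    "example-rat": {
        "sha256": sha256_hex(RAT_ORIGINAL),
        "fingerprint": content_fingerprint(RAT_ORIGINAL),
    },
}


def classify(sample: bytes, known=KNOWN_TOOLS):
    """Return ("exact", name) on a hash match, ("variant", name) when only the
    padding-tolerant fingerprint matches, or None when the sample is unknown."""
    digest = sha256_hex(sample)
    fingerprint = content_fingerprint(sample)
    for name, sigs in known.items():
        if digest == sigs["sha256"]:
            return ("exact", name)
        if fingerprint == sigs["fingerprint"]:
            return ("variant", name)
    return None


if __name__ == "__main__":
    # Constructed padded copy: same tool, 4096 trailing NUL bytes, different SHA-256.
    padded = RAT_ORIGINAL + b"\x00" * 4096
    print("original:", classify(RAT_ORIGINAL))
    print("padded:  ", classify(padded), "trailing NULs:", trailing_null_bytes(padded))
    print("unknown: ", classify(b"unrelated file contents"))
```

The exact hash of the padded copy differs from the original, so an indicator list alone would not flag it, while the fingerprint still matches and the sample is reported as a variant. Real variant matching has to handle far more than trailing padding (recompiled, re-packed or partially modified tools), which is why the post leans on similarity scoring rather than a normalisation rule like this one.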
—
About Stairwell:
Stairwell is a cybersecurity forge that elevates the ordinary with the flame of the exceptional. We enhance your team’s abilities, allowing even the smallest units to tower over sophisticated adversaries. Believing in the potential heroes within your team today, Stairwell ignites your inherent potential, enabling you to focus fearlessly on what your business does best.
Learn more at Stairwell.com