MITRE ATT&CK® Group

G1017: Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]

Domain: Enterprise. ID: G1017. Type: Group. Object version 2.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Volt Typhoon matters because ATT&CK describes it as a PRC state-sponsored group focused on U.S. critical infrastructure and assessed pre-positioning for possible disruptive or destructive operations against OT. For leaders, the key issue is not a single malware family; it is whether the organization can detect stealthy hands-on-keyboard activity, stolen credential use, web shells, and living-off-the-land administration tools before access reaches critical operations.

Executive priority

Treat this as a resilience and governance question for critical services, not only a SOC alerting problem. Executives should ask whether internet-facing edge devices, SD-WAN/managed service dependencies, domain controllers, and OT-adjacent pathways are inventoried, monitored, and included in incident response playbooks. The relationship context highlights credential capture, compromised SOHO infrastructure used to obscure traffic, and native Windows tools, so budget and audit evidence should prioritize identity security, edge-device lifecycle management, domain controller protection, and logging coverage across IT-to-OT boundaries.

Technical view

ATT&CK provides no group-level detection text or platforms, but relationships show use of Windows credential and administration tooling such as Mimikatz, PsExec, Net, Reg, cmd, netsh, certutil, Nltest, Wevtutil, Impacket, and discovery utilities. Related techniques include LSASS Memory, NTDS, Data from Local System, Direct Volume Access, and System Service Discovery. Detection teams should validate behavior-based coverage for credential access, domain discovery, remote execution, event log interrogation, proxy tooling such as FRP, and web shell activity tied to network devices such as Versa Director in the related campaign context.

Likely telemetry

  • Endpoint process creation with command line, parent process, user, host, and integrity context for Windows native utilities and admin tools
  • Authentication, Kerberos, SMB/RPC, remote service creation, and domain controller security logs
  • Directory services and domain controller telemetry relevant to NTDS access or unusual credential material access
  • EDR or host telemetry for LSASS access attempts, credential dumping tools, and direct volume access indicators
  • Network flow, firewall, proxy, VPN, and SD-WAN/controller logs showing unusual administrative access or proxy patterns

Detection direction

  • Prioritize correlated behavior over static indicators: edge-device access or web shell evidence followed by credential collection, discovery commands, remote execution, and lateral movement attempts is more meaningful than any single utility invocation.
  • Tune carefully for false positives because many related tools are legitimate administrator utilities. Baseline where PsExec, Net, Reg, cmd, netsh, certutil, Nltest, Wevtutil, and Impacket-like activity are expected, then alert on unusual users, hosts, time windows, destinations, or sequences.
  • Validate domain controller and identity telemetry specifically; relationships to LSASS Memory and NTDS make credential access coverage a central detection requirement.
  • Check blind spots around internet-facing network devices, SD-WAN controllers, MSP/ISP dependencies, SOHO infrastructure, and OT-adjacent routing paths, where EDR-level visibility may not exist.
  • Include campaign context in hunts: KV Botnet Activity used compromised SOHO equipment to obscure victim connectivity, and Versa Director Zero Day Exploitation involved credential capture from compromised Versa Director servers.
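The correlation-over-indicators approach described in the bullets above, written out as an added example (not code from the ATT&CK page or from Glexia): it maps the G1017 procedures listed on this page to intrusion stages, groups matched process-creation events per host and user into sliding windows, and raises one alert when a window spans several stages or when a non-baselined account touches credential access or proxy setup. The event fields (ts, host, user, cmd) and the sample events are constructed assumptions.

```python
"""Correlate Volt Typhoon-style living-off-the-land commands into scored windows.

Added example, not code from the ATT&CK page or from Glexia. The event fields
(ts, host, user, cmd) are assumed generic process-creation fields, and the
sample events are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command patterns drawn from the G1017 procedures listed on this page, each
# tagged with an ATT&CK technique ID and a coarse intrusion stage.
PATTERNS = [
    (r"\bnetsh\b.*\bportproxy\b.*\badd\b",             "T1090.001", "proxy_setup"),
    (r"\bnetsh\b.*\b(portproxy|firewall)\b.*\bshow\b", "T1016",     "discovery"),
    (r"\bipconfig\b",                                  "T1016",     "discovery"),
    (r"\bnetstat\s+-ano\b",                            "T1049",     "discovery"),
    (r"\btasklist\b",                                  "T1057",     "discovery"),
    (r"\bnet\s+(group|localgroup)\b",                  "T1069",     "discovery"),
    (r"\bnet\s+user\b|\bquser\b",                      "T1087.001", "discovery"),
    (r"\bwevtutil\b|get-eventlog\s+security",          "T1654",     "log_enumeration"),
    (r"\bntdsutil\b|\bntds\.dit\b",                    "T1003.003", "credential_access"),
    (r"\brd\s+/s\b",                                   "T1070.004", "cleanup"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), tid, stage) for p, tid, stage in PATTERNS]

WINDOW = timedelta(hours=2)   # hands-on-keyboard sessions are bursty; tune per environment
MIN_STAGES = 3                # distinct stages required before a window becomes an alert
HIGH_RISK = {"credential_access", "proxy_setup"}


def classify(command_line):
    """Return (technique_id, stage) for the first matching pattern, else None."""
    for rx, tid, stage in COMPILED:
        if rx.search(command_line):
            return tid, stage
    return None


def correlate(events, baseline_admins=frozenset()):
    """Group matched events by (host, user) into sliding time windows and score them.

    baseline_admins: accounts for which admin tooling is routine. Their windows
    need MIN_STAGES distinct stages; any other account is flagged as soon as a
    high-risk stage (credential access or proxy setup) appears in its window.
    """
    sessions = defaultdict(list)   # (host, user) -> [(ts, technique, stage, cmd), ...]
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev["cmd"])
        if hit:
            sessions[(ev["host"], ev["user"])].append((ev["ts"], *hit, ev["cmd"]))

    alerts = []
    for (host, user), rows in sessions.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > WINDOW:   # slide the window forward
                start += 1
            window = rows[start:end + 1]
            stages = {r[2] for r in window}
            unexpected = user not in baseline_admins and bool(stages & HIGH_RISK)
            if len(stages) >= MIN_STAGES or unexpected:
                alerts.append({
                    "host": host,
                    "user": user,
                    "first_seen": window[0][0],
                    "last_seen": window[-1][0],
                    "stages": sorted(stages),
                    "techniques": sorted({r[1] for r in window}),
                    "reason": "unexpected high-risk stage" if unexpected else "multi-stage sequence",
                })
                break   # the first qualifying window is enough to open a triage case
    return alerts


def sample_events():
    """Constructed telemetry: routine sessions plus one matching the page's procedures."""
    t0 = datetime(2024, 2, 7, 2, 10)   # constructed timestamp

    def ev(minutes, host, user, cmd):
        return {"ts": t0 + timedelta(minutes=minutes), "host": host, "user": user, "cmd": cmd}

    return [
        ev(0,   "DC01",   "CORP\\svc-backup", "ipconfig /all"),
        ev(3,   "DC01",   "CORP\\svc-backup", 'net group "domain admins" /domain'),
        ev(9,   "DC01",   "CORP\\svc-backup", "powershell Get-EventLog security -instanceid 4624"),
        ev(14,  "DC01",   "CORP\\svc-backup", 'ntdsutil "activate instance ntds" ifm "create full C:\\Windows\\Temp\\pro"'),
        ev(20,  "DC01",   "CORP\\svc-backup", "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443"),
        ev(31,  "DC01",   "CORP\\svc-backup", "rd /S /Q C:\\Users\\Public\\Documents\\files"),
        ev(0,   "WS22",   "CORP\\jdoe",       "ipconfig /all"),
        ev(2,   "WS22",   "CORP\\jdoe",       "netstat -ano"),
        ev(600, "PRTG01", "CORP\\it-admin",   "netsh interface portproxy show all"),
    ]
```

Running `correlate(sample_events())` yields a single alert for the DC01 session; the two single-stage sessions stay below the threshold, which is the point of correlating sequences rather than alerting on each utility.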

Mitigation priorities

  • Start with exposure reduction: inventory and harden internet-facing edge devices, SD-WAN controllers, network devices, and retire or isolate end-of-life SOHO equipment where applicable.
  • Protect identity infrastructure: restrict administrative access, reduce standing privilege, monitor domain controllers, and limit conditions that allow LSASS or NTDS credential material exposure.
  • Segment and control IT-to-OT pathways so compromised enterprise credentials or remote administration paths cannot easily reach operational technology assets.
  • Constrain and monitor legitimate administration tooling rather than assuming it can be blocked outright; require accountable administrative workflows and centralized logging.
  • Ensure incident response playbooks cover stealthy living-off-the-land intrusions, credential theft, web shells, proxy infrastructure, and third-party or managed-service access paths.

Analyst notes and limits

The supplied ATT&CK object is a group profile with rich relationship context but no official detection guidance and no group-level platforms or tactics. The strongest defensive value comes from combining the official description with linked campaigns, software, and techniques: stealth, stolen credentials, web shells, LOTL binaries, hands-on-keyboard activity, compromised SOHO proxying, and Versa Director exploitation context.

This take does not assess current exposure or active exploitation in any specific environment. Local asset inventory, identity architecture, logging coverage, third-party connectivity, and OT network design are required to determine actual risk and detection coverage. ATT&CK relationship descriptions are partially truncated in the supplied data, so conclusions are limited to the provided fields.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

69 rows. Columns: Domain, ID, Name, Relationship / procedure.

Enterprise T1046 Network Service Discovery

Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for network service discovery.[1]

Enterprise T1083 File and Directory Discovery

Volt Typhoon has enumerated directories containing vulnerability testing and cyber-related content and facilities data such as construction drawings.[1]

Enterprise T1591.004 Identify Roles (Sub-technique)

Volt Typhoon has identified key network and IT staff members pre-compromise at targeted organizations.[1]

Enterprise T1057 Process Discovery

Volt Typhoon has enumerated running processes on targeted systems including through the use of Tasklist.[1][2][4]

Enterprise T1021.001 Remote Desktop Protocol (Sub-technique)

Volt Typhoon has moved laterally to the Domain Controller via RDP using a compromised account with domain administrator privileges.[1]

Enterprise T1584.004 Server (Sub-technique)

Volt Typhoon has used compromised Paessler Router Traffic Grapher (PRTG) servers from other organizations for C2.[1][4]

Enterprise T1090 Proxy

Volt Typhoon has used compromised devices and customized versions of open source tools such as FRP (Fast Reverse Proxy), Earthworm, and Impacket to proxy network traffic.[1][2][3]

Enterprise T1518 Software Discovery

Volt Typhoon has queried the Registry on compromised systems for information on installed software.[1][3]

Enterprise T1078 Valid Accounts

Volt Typhoon relies primarily on valid credentials for persistence.[1]

Enterprise T1584.008 Network Devices (Sub-technique)

Volt Typhoon has compromised small office and home office (SOHO) network edge devices, many of which were located in the same geographic area as the victim, to proxy network traffic.[2][3]

Enterprise T1056.001 Keylogging (Sub-technique)

Volt Typhoon has created and accessed a file named rult3uil.log on compromised domain controllers to capture keypresses and command execution.[1]

Enterprise T1036.005 Match Legitimate Resource Name or Location (Sub-technique)

Volt Typhoon has used legitimate-looking filenames for compressed copies of the ntds.dit database and used names including cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe for the Earthworm and Fast Reverse Proxy tools.[1][3][4]

Enterprise T1036.008 Masquerade File Type (Sub-technique)

Volt Typhoon has appended copies of the ntds.dit database with a .gif file extension.[4]

Enterprise T1059.003 Windows Command Shell (Sub-technique)

Volt Typhoon has used the Windows command line to perform hands-on-keyboard activities in targeted environments including for discovery.[1][2][3][4]

Enterprise T1190 Exploit Public-Facing Application

Volt Typhoon has gained initial access through exploitation of multiple vulnerabilities in internet-facing software and appliances such as Fortinet, Ivanti (formerly Pulse Secure), NETGEAR, Citrix, and Cisco.[1][4]

Enterprise T1555 Credentials from Password Stores

Volt Typhoon has attempted to obtain credentials from OpenSSH, RealVNC, and PuTTY.[3]

Enterprise T1074 Data Staged

Volt Typhoon has staged collected data in password-protected archives.[2]

Enterprise T1590 Gather Victim Network Information

Volt Typhoon has conducted extensive pre-compromise reconnaissance to learn about the target organization's network.[1]

Enterprise T1560.001 Archive via Utility (Sub-technique)

Volt Typhoon has archived the ntds.dit database as a multi-volume password-protected archive with 7-Zip.[1][4]

Enterprise T1124 System Time Discovery

Volt Typhoon has obtained the victim's system timezone.[1]

Enterprise T1069.002 Domain Groups (Sub-technique)

Volt Typhoon has run `net group` in compromised environments to discover domain groups.[4]

Enterprise T1016 System Network Configuration Discovery

Volt Typhoon has executed multiple commands to enumerate network topology and settings including `ipconfig`, `netsh interface firewall show all`, and `netsh interface portproxy show all`.[3]

Enterprise T1018 Remote System Discovery

Volt Typhoon has used multiple methods, including Ping, to enumerate systems on compromised networks.[2][4]

Enterprise T1047 Windows Management Instrumentation

Volt Typhoon has leveraged WMIC for execution, remote system discovery, and to create and use temporary directories.[1][2][3][4]

Enterprise T1133 External Remote Services

Volt Typhoon has used VPNs to connect to victim environments and enable post-exploitation actions.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Volt Typhoon has used Base64-encoded data to transfer payloads and commands, including deobfuscation via certutil.[4]

Enterprise T1570 Lateral Tool Transfer

Volt Typhoon has copied web shells between servers in targeted environments.[4]

Enterprise T1593 Search Open Websites/Domains

Volt Typhoon has conducted pre-compromise web searches for victim information.[1]

Enterprise T1680 Local Storage Discovery

Volt Typhoon has discovered file system types, drive names, size, and free space on compromised systems.[1][2][3][4]

Enterprise T1589.002 Email Addresses (Sub-technique)

Volt Typhoon has targeted the personal emails of key network and IT staff at victim organizations.[1]

Enterprise T1497.001 System Checks (Sub-technique)

Volt Typhoon has run system checks to determine if they were operating in a virtualized environment.[2]

Enterprise T1003.003 NTDS (Sub-technique)

Volt Typhoon has used ntdsutil to create domain controller installation media containing usernames and password hashes.[1][2][3][4]

Enterprise T1027.002 Software Packing (Sub-technique)

Volt Typhoon has used the Ultimate Packer for Executables (UPX) to obfuscate the FRP client files BrightmetricAgent.exe and SMSvcService.exe and the port scanning utility ScanLine.[1]

Enterprise T1573.001 Symmetric Cryptography (Sub-technique)

Volt Typhoon has used a version of the Awen web shell that employed AES encryption and decryption for C2 communications.[4]

Enterprise T1003.001 LSASS Memory (Sub-technique)

Volt Typhoon has attempted to access hashed credentials from the LSASS process memory space.[1][2]

Enterprise T1685.005 Clear Windows Event Logs (Sub-technique)

Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of intrusion activity.[1]

Enterprise T1584.005 Botnet (Sub-technique)

Volt Typhoon has used compromised Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to support operations.[1]

Enterprise T1592 Gather Victim Host Information

Volt Typhoon has conducted pre-compromise reconnaissance for victim host information.[1]

Enterprise T1049 System Network Connections Discovery

Volt Typhoon has used `netstat -ano` on compromised hosts to enumerate network connections.[3][4]

Enterprise T1087.001 Local Account (Sub-technique)

Volt Typhoon has executed `net user` and `quser` to enumerate local account information.[1]

Enterprise T1217 Browser Information Discovery

Volt Typhoon has targeted the browsing history of network administrators.[1]

Enterprise T1059.001 PowerShell (Sub-technique)

Volt Typhoon has used PowerShell including for remote system discovery.[1][2][3]

Enterprise T1654 Log Enumeration

Volt Typhoon has used `wevtutil.exe` and the PowerShell command `Get-EventLog security` to enumerate Windows logs to search for successful logons.[1][3]

Enterprise T1068 Exploitation for Privilege Escalation

Volt Typhoon has gained initial access by exploiting privilege escalation vulnerabilities in the operating system or network services.[1]

Enterprise T1113 Screen Capture

Volt Typhoon has obtained a screenshot of the victim's system using the gdi32.dll and gdiplus.dll libraries.[1]

Enterprise T1090.001 Internal Proxy (Sub-technique)

Volt Typhoon has used the built-in netsh `portproxy` command to create proxies on compromised systems to facilitate access.[1][2]

Enterprise T1587.004 Exploits (Sub-technique)

Volt Typhoon has exploited zero-day vulnerabilities for initial access.[1]

Enterprise T1090.003 Multi-hop Proxy (Sub-technique)

Volt Typhoon has used multi-hop proxies for command-and-control infrastructure.[1]

Enterprise T1594 Search Victim-Owned Websites

Volt Typhoon has conducted pre-compromise reconnaissance on victim-owned sites.[1]

Enterprise T1033 System Owner/User Discovery

Volt Typhoon has used public tools and executed the PowerShell command `Get-EventLog security -instanceid 4624` to identify associated user and computer account names.[1][3][4]

Enterprise T1112 Modify Registry

Volt Typhoon has used `netsh` to create a PortProxy Registry modification on a compromised server running the Paessler Router Traffic Grapher (PRTG).[1]

Enterprise T1505.003 Web Shell (Sub-technique)

Volt Typhoon has used web shells, including ones named AuditReport.jspx and iisstart.aspx, in compromised environments.[4]

Enterprise T1218 System Binary Proxy Execution

Volt Typhoon has used native tools and processes including living off the land binaries or "LOLBins" to maintain and expand access to the victim networks.[1]

Enterprise T1059.004 Unix Shell (Sub-technique)

Volt Typhoon has used Brightmetricagent.exe, which contains a command-line interface (CLI) library that can leverage command shells including Z Shell (zsh).[1]

Enterprise T1007 System Service Discovery

Volt Typhoon has used `net start` to list running services.[1]

Enterprise T1069 Permission Groups Discovery

Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for group and user discovery.[1]

Enterprise T1584.003 Virtual Private Server (Sub-technique)

Volt Typhoon has compromised Virtual Private Servers (VPS) to proxy C2 traffic.[1]

Enterprise T1555.003 Credentials from Web Browsers (Sub-technique)

Volt Typhoon has targeted network administrator browser data including browsing history and stored credentials.[1]

Enterprise T1591 Gather Victim Org Information

Volt Typhoon has conducted extensive reconnaissance pre-compromise to gain information about the targeted organization.[1]

Enterprise T1590.004 Network Topology (Sub-technique)

Volt Typhoon has conducted extensive reconnaissance of victim networks including identifying network topologies.[1]

Enterprise T1010 Application Window Discovery

Volt Typhoon has collected window title information from compromised systems.[1]

Enterprise T1069.001 Local Groups (Sub-technique)

Volt Typhoon has run `net localgroup administrators` in compromised environments to enumerate accounts.[3]

Enterprise T1120 Peripheral Device Discovery

Volt Typhoon has obtained the victim's screen dimensions and display device information.[1]

Enterprise T1070.004 File Deletion (Sub-technique)

Volt Typhoon has run `rd /S` to delete their working directories and deleted systeminfo.dat from `C:\Users\Public\Documentsfiles`.[1][4]

Enterprise T1588.006 Vulnerabilities (Sub-technique)

Volt Typhoon has used publicly available exploit code for initial access.[1]

Enterprise T1105 Ingress Tool Transfer

Volt Typhoon has downloaded an outdated version of comsvcs.dll to a compromised domain controller in a non-standard folder.[1]

Enterprise T1552 Unsecured Credentials

Volt Typhoon has obtained credentials insecurely stored on targeted network appliances.[1]

Enterprise T1078.002 Domain Accounts (Sub-technique)

Volt Typhoon has used compromised domain accounts to authenticate to devices on compromised networks.[1][2][4]

Enterprise T1005 Data from Local System

Volt Typhoon has stolen files from a sensitive file server and the Active Directory database from targeted environments, and used Wevtutil to extract event log information.[1][3][4]

Associated objects

Groups, software, and campaigns

S0108: netsh (Tool, Enterprise; platform: Windows)

netsh is a scripting utility used to interact with networking components on local or remote systems.[1]

S0029: PsExec (Tool, Enterprise; platform: Windows)

PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[1][2]

S0100: ipconfig (Tool, Enterprise)

ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.[1]

S0645: Wevtutil (Tool, Enterprise; platform: Windows)

Wevtutil is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.[1]

S0057: Tasklist (Tool, Enterprise)

The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.[1]

S0002: Mimikatz (Tool, Enterprise; platform: Windows)

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.[1][2]

S0097: Ping (Tool, Enterprise)

Ping is an operating system utility commonly used to troubleshoot and verify network connections.[1]

S0357: Impacket (Tool, Enterprise; platforms: Linux, macOS, Windows)

Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.[1]

C0039: Versa Director Zero Day Exploitation (Campaign, Enterprise)

Versa Director Zero Day Exploitation was conducted by Volt Typhoon from early June through August 2024 as zero-day exploitation of Versa Director servers controlling software-defined wide area network (SD-WAN) applications. Since tracked as CVE-2024-39717, exploitation focused on credential capture from compromised Versa Director servers at managed service providers (MSPs) and internet service providers (ISPs) to enable follow-on access to service provider clients. Versa Director Zero Day Exploitation was followed by the delivery of the VersaMem web shell for both credential theft and follow-on code execution.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: 60c198af494ee240...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | 60c198af494e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. CISA AA24-038A PRC Critical Infrastructure February 2024. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  2. Microsoft Volt Typhoon May 2023. Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
  3. Joint Cybersecurity Advisory Volt Typhoon June 2023. NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
  4. Secureworks BRONZE SILHOUETTE May 2023. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  5. DOJ KVBotnet 2024. US Department of Justice. (2024, January 31). U.S. Government Disrupts Botnet People's Republic of China Used to Conceal Hacking of Critical Infrastructure. Retrieved June 10, 2024.
  6. Dragos 2025 Year in Review. Dragos. (2026, February). 9th Annual Year in Review: OT/ICS Cybersecurity Report. Retrieved April 26, 2026.
  7. BRONZE SILHOUETTE (associated group name; cited to Secureworks BRONZE SILHOUETTE May 2023 and CISA AA24-038A PRC Critical Infrastructure February 2024).
  8. Cloudflare 2026 Threat Report New Threat Actors March 2026. Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.
  9. DEV-0391 (associated group name; cited to CISA AA24-038A PRC Critical Infrastructure February 2024).
  10. DazedToad (associated group name; cited to Cloudflare 2026 Threat Report New Threat Actors March 2026).
  11. Insidious Taurus (associated group name; cited to CISA AA24-038A PRC Critical Infrastructure February 2024).
  12. UNC3236 (associated group name; cited to CISA AA24-038A PRC Critical Infrastructure February 2024).
  13. Vanguard Panda (associated group name; cited to CISA AA24-038A PRC Critical Infrastructure February 2024).
  14. Voltzite (associated group name; cited to CISA AA24-038A PRC Critical Infrastructure February 2024).
  15. mitre-attack G1017 (MITRE ATT&CK source entry).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.