Vectra AI Threat Briefing: Salt Typhoon

TL;DW: How Does Salt Typhoon Operate?

Salt Typhoon follows a structured attack sequence using built-in Windows tools to avoid detection. Here’s a breakdown of their tactics and the commands they use.

1. Initial Access

Salt Typhoon primarily exploits public-facing servers with known vulnerabilities. Instead of relying on phishing, they prefer N-day and zero-day exploits to gain remote code execution (RCE).

2. Execution & Persistence

Once they gain access, they execute malicious payloads and ensure persistence using Windows tools.

PowerShell Execution:

They use PowerShell to execute scripts without restrictions:

powershell -ex bypass -c "<password>"
  • -ex bypass: Short for -ExecutionPolicy Bypass; overrides the execution policy so the script runs without restriction.
  • <password>: The key used to decrypt the script, which is usually stored encrypted.

Registry Persistence:

To ensure malware runs every time a user logs in, they add a registry key:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "<malware_name>" /t REG_SZ /d "<malware_path>" /f
  • "HKCU\Software\Microsoft\Windows\CurrentVersion\Run": Registry location for auto-start programs.
  • REG_SZ: Specifies a string value (the malware path).
  • /f: Forces the add to proceed, overwriting any existing value without prompting for confirmation.

3. Reconnaissance

Salt Typhoon gathers intelligence about the environment before escalating privileges.

Using WMIC (Windows Management Instrumentation Command-line)

wmic process get name,processid,commandline
  • Lists every running process with its name, process ID, and full command line.

Using net group to Identify Domain Admins

cmd /c "net group 'domain admins' /domain"
  • Queries Active Directory for domain admin accounts.
  • /domain: Ensures the query applies to the Active Directory domain instead of just the local machine.

4. Credential Theft & Privilege Escalation

After reconnaissance, they escalate privileges and steal credentials.

Deploying Credential Theft Tools

They install tools like:

  • Mimikatz (extracts credentials from memory).
  • Keyloggers (record keystrokes).
  • Credential-dumping utilities.

Privilege Escalation via Cobalt Strike

They deploy Cobalt Strike, a legitimate red teaming tool, to gain SYSTEM privileges and move deeper into the network.

5. Lateral Movement

Salt Typhoon spreads across the network using various Windows utilities.

Copying a Batch File to Another Machine

copy \\<target_ip>\C$\Windows\Temp\malware.bat
  • \\<target_ip>\C$: The hidden administrative share of the remote machine's C: drive, reached over SMB with administrative credentials.
  • Places a batch script (.bat) to be executed remotely.

Executing the Copied Script via WMIC

wmic /node:<target_ip> process call create "cmd /c C:\Windows\Temp\malware.bat"
  • /node:<target_ip>: Specifies the target machine.
  • process call create: Runs a process remotely.
  • cmd /c: Executes the copied batch file.

Creating a Backdoor Using Windows Services (sc create)

sc \\<target_ip> create VGAuthtools binpath= "C:\Windows\System32\installutil.exe C:\Windows\Temp\malware.exe" start= auto type= own
  • sc: Windows service control utility.
  • \\<target_ip>: Creates the service remotely on another machine.
  • VGAuthtools: Disguises malware as a legitimate tool.
  • binpath: Uses installutil.exe (a legitimate Windows tool) to execute the malicious payload.
  • start= auto: Ensures persistence by restarting the malware every time the machine reboots.
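The commands quoted under Execution & Persistence, Reconnaissance and Lateral Movement are all visible in process-creation telemetry, so a defender's first question is what a rule over that telemetry looks like and why a single rule is not enough. The following is an added example, not Vectra AI's code: it runs a small rule set over constructed Sysmon-style process-creation records (host, user, parent image, command line) and escalates a host only when several distinct stages fire there. The rule patterns cover the commands quoted in the briefing plus common spellings of the same thing (-ep/-exec/-executionpolicy alongside -ex, HKLM alongside HKCU, net1 alongside net); those aliases, the hostnames, user names and the ATT&CK technique labels are this example's assumptions, not something the briefing states.

```python
"""Triage of process-creation telemetry for the living-off-the-land commands
described in the Salt Typhoon briefing.

Added example, not Vectra AI's code. The events below are constructed
Sysmon-style process-creation records (host, user, parent image, command
line); a real deployment would read them from a SIEM or EDR export.
"""
import re
from collections import defaultdict

# (rule name, ATT&CK technique, severity, pattern over the command line).
# Patterns cover the commands quoted in the briefing plus common spellings
# of the same thing (-ep/-exec/-executionpolicy for -ex, HKLM as well as
# HKCU, net1 as well as net); those aliases are this example's assumption.
RULES = [
    ("powershell_execution_policy_bypass", "T1059.001", "medium",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:ex|ep|exec|executionpolicy)\s+bypass\b", re.I)),
    ("registry_run_key_persistence", "T1547.001", "high",
     re.compile(r'\breg(?:\.exe)?\s+add\s+"?HK(?:CU|LM|EY_CURRENT_USER|EY_LOCAL_MACHINE)'
                r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.I)),
    ("domain_admin_group_enumeration", "T1069.002", "low",
     re.compile(r"\bnet1?(?:\.exe)?\s+group\s+[\"']?domain admins[\"']?\s+/domain\b", re.I)),
    ("wmic_remote_process_create", "T1047", "high",
     re.compile(r"\bwmic(?:\.exe)?\s+/node:\S+.*\bprocess\s+call\s+create\b", re.I)),
    ("remote_service_create_installutil", "T1543.003", "high",
     re.compile(r"\bsc(?:\.exe)?\s+\\\\\S+\s+create\b.*\binstallutil\.exe", re.I)),
]

SAMPLE_EVENTS = [  # constructed sample telemetry, not from a real incident
    {"host": "WS-017", "user": r"CORP\jdoe", "parent": "cmd.exe",
     "cmd": 'powershell -ex bypass -c "decryption-key-placeholder"'},
    {"host": "WS-017", "user": r"CORP\jdoe", "parent": "cmd.exe",
     "cmd": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "updater" /t REG_SZ /d "C:\Users\jdoe\AppData\Roaming\updater.exe" /f'},
    {"host": "WS-017", "user": r"CORP\jdoe", "parent": "cmd.exe",
     "cmd": "cmd /c \"net group 'domain admins' /domain\""},
    {"host": "WS-017", "user": r"CORP\jdoe", "parent": "cmd.exe",
     "cmd": r'wmic /node:10.0.5.21 process call create "cmd /c C:\Windows\Temp\malware.bat"'},
    {"host": "WS-017", "user": r"CORP\jdoe", "parent": "cmd.exe",
     "cmd": r'sc \\10.0.5.21 create VGAuthtools binpath= "C:\Windows\System32\installutil.exe C:\Windows\Temp\malware.exe" start= auto type= own'},
    # Benign look-alikes that must not fire.
    {"host": "SRV-DB01", "user": r"CORP\svc_backup", "parent": "taskeng.exe",
     "cmd": r"powershell -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"},
    {"host": "WS-042", "user": r"CORP\asmith", "parent": "cmd.exe",
     "cmd": r'reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"'},
    {"host": "ADMIN-JUMP", "user": r"CORP\ops", "parent": "cmd.exe",
     "cmd": "wmic /node:10.0.5.30 os get caption"},
]


def match_rules(cmd):
    """Return (rule, technique, severity) for every rule the command line trips."""
    return [(name, tech, sev) for name, tech, sev, rx in RULES if rx.search(cmd)]


def triage(events, min_stages=2):
    """Score each event and group hits per host.

    Returns (findings, chains): findings holds one dict per rule hit; chains
    maps a host to the sorted list of distinct rules seen on it, but only when
    at least min_stages different rules fired there. A single rule such as the
    net group query is noisy on its own; several stages on one host is the
    signal worth escalating.
    """
    findings = []
    stages = defaultdict(set)
    for ev in events:
        for name, tech, sev in match_rules(ev["cmd"]):
            findings.append({"host": ev["host"], "user": ev["user"], "rule": name,
                             "technique": tech, "severity": sev, "cmd": ev["cmd"]})
            stages[ev["host"]].add(name)
    chains = {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}
    return findings, chains


if __name__ == "__main__":
    found, chained = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['severity']:>6}] {f['host']:<10} {f['rule']:<36} {f['technique']}")
    for host, rules in chained.items():
        print(f"\n{host}: {len(rules)} distinct stages, escalate: {', '.join(rules)}")
```

Run against the constructed records, the five attacker commands all fire on WS-017 while the RemoteSigned backup script, the `reg query` and the remote `wmic os get` do not; the per-host stage count is what turns five medium-to-high findings into one incident rather than five tickets.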

6. Command & Control (C2) + Data Exfiltration

Salt Typhoon establishes persistent communication with its C2 servers.

Cobalt Strike & Demodex Malware

  • Sends "heartbeats" from compromised machines so the operators know which implants are still alive.
  • Receives new instructions and updates.
  • Exfiltrates stolen credentials and sensitive data.

Abusing Public Cloud Services for Exfiltration

Salt Typhoon avoids detection by using trusted platforms to upload stolen data:

  • AnonFiles
  • File.io
  • GitHub
  • Gmail
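Because these are trusted platforms, blocking them outright is rarely an option; the practical control is to watch upload volume to them per internal host. The following is an added example, not Vectra AI's code: it parses constructed proxy records in a simplified "timestamp src_ip method host bytes_out" layout, sums POST/PUT bytes per source and service, and flags pairs above a threshold. The hostnames each service is mapped to, the 10 MiB threshold and the log layout are this example's assumptions, not something the briefing specifies.

```python
"""Egress triage for uploads to the public file-sharing and mail services the
briefing names as exfiltration channels.

Added example, not Vectra AI's code. The log lines are constructed proxy
records in a simplified "timestamp src_ip method host bytes_out" layout;
the service-to-domain mapping and the threshold are this example's assumption.
"""
from collections import defaultdict

# Services named in the briefing, mapped to hostnames this example assumes
# their upload traffic would use. Matching is exact host or any subdomain.
WATCHED_SERVICES = {
    "AnonFiles": ["anonfiles.com"],
    "File.io": ["file.io"],
    "GitHub": ["github.com"],
    "Gmail": ["mail.google.com"],
}
UPLOAD_METHODS = {"POST", "PUT"}
DEFAULT_THRESHOLD = 10 * 1024 * 1024  # 10 MiB per source per service

SAMPLE_PROXY_LOG = """\
2025-03-04T02:13:07Z 10.0.5.21 POST api.anonfiles.com 52428800
2025-03-04T02:14:11Z 10.0.5.21 POST file.io 31457280
2025-03-04T02:15:40Z 10.0.5.21 GET github.com 120000
2025-03-04T02:16:02Z 10.0.5.21 POST mail.google.com 15728640
2025-03-04T08:30:15Z 10.0.7.8 POST github.com 4096
2025-03-04T08:31:52Z 10.0.7.8 POST mail.google.com 2048
this line is malformed and must be skipped
2025-03-04T09:00:00Z 10.0.9.9 POST backup.corp.example 90000000
"""


def service_for(host):
    """Return the watched service a hostname belongs to, or None."""
    host = host.lower().rstrip(".")
    for service, domains in WATCHED_SERVICES.items():
        for d in domains:
            if host == d or host.endswith("." + d):
                return service
    return None


def parse_line(line):
    """Parse one proxy record; return None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, method, host, size = parts
    if not size.isdigit():
        return None
    return {"ts": ts, "src": src, "method": method.upper(), "host": host, "bytes": int(size)}


def flag_uploads(log_text, threshold=DEFAULT_THRESHOLD):
    """Sum upload bytes per (source, service) and return the pairs over threshold.

    Downloads (GET) are ignored, as are hosts outside the watched set and
    malformed lines, so a small developer push to GitHub stays below the bar
    while a bulk upload from one workstation is surfaced.
    """
    totals = defaultdict(int)
    requests = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue
        service = service_for(rec["host"])
        if service is None:
            continue
        totals[(rec["src"], service)] += rec["bytes"]
        requests[(rec["src"], service)] += 1
    flagged = [
        {"src": src, "service": svc, "bytes_out": total, "requests": requests[(src, svc)]}
        for (src, svc), total in totals.items() if total >= threshold
    ]
    return sorted(flagged, key=lambda f: (f["src"], -f["bytes_out"]))


if __name__ == "__main__":
    for f in flag_uploads(SAMPLE_PROXY_LOG):
        print(f"{f['src']:<10} {f['service']:<9} {f['bytes_out']:>10} bytes in {f['requests']} upload(s)")
```

On the constructed log only 10.0.5.21 is reported, for three services, while the small GitHub and Gmail uploads from 10.0.7.8 stay under the threshold; tuning that threshold per service against a baseline of normal developer and mail traffic is the part that decides whether the rule is usable.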

7. Ongoing Espionage & Impact

Salt Typhoon continuously monitors compromised networks and steals sensitive data over an extended period.

----

How Can Vectra AI Detect These Attacks?

Vectra AI’s platform focuses on real attack behaviors, not just known threats. This allows it to detect Salt Typhoon-like activity even when attackers use built-in Windows tools.

  • Unusual remote access & execution
  • Suspicious Kerberos activity
  • Privilege anomalies & SMB brute-force attempts
  • Hidden tunnels & suspicious PowerShell activity

Learn more about our AI-driven detections or try our self-guided demo.
