feat: new compromised 3cx rules

rules/web/proxy_generic/proxy_malware_3cx_compromise.yml

@@ -0,0 +1,47 @@
+title: Potential 3CX 3CXDesktopApp Compromise Beaconing Activity - Proxy
+id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26
+related:
+    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation
+      type: similar
+    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # dns
+      type: similar
+    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection
+      type: similar
+status: experimental
+description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
+references:
+    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/03/29
+tags:
+    - attack.command_and_control
+logsource:
+    category: proxy
+detection:
+    selection:
+        r-dns:
+            - 'akamaicontainer.com'
+            - 'akamaitechcloudservices.com'
+            - 'azuredeploystore.com'
+            - 'azureonlinecloud.com'
+            - 'azureonlinestorage.com'
+            - 'dunamistrd.com'
+            - 'glcloudservice.com'
+            - 'journalide.org'
+            - 'msedgepackageinfo.com'
+            - 'msstorageazure.com'
+            - 'msstorageboxes.com'
+            - 'officeaddons.com'
+            - 'officestoragebox.com'
+            - 'pbxcloudeservices.com'
+            - 'pbxphonenetwork.com'
+            - 'pbxsources.com'
+            - 'qwepoi123098.com'
+            - 'sbmsa.wiki'
+            - 'sourceslabs.com'
+            - 'visualstudiofactory.com'
+            - 'zacharryblogs.com'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/dns_query/dns_query_win_malware_3cx_compromise.yml

@@ -0,0 +1,48 @@
+title: Potential 3CX 3CXDesktopApp Compromise Beaconing Activity - DNS
+id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8
+related:
+    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation
+      type: similar
+    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy
+      type: similar
+    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection
+      type: similar
+status: experimental
+description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
+references:
+    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/03/29
+tags:
+    - attack.command_and_control
+logsource:
+    category: dns_query
+    product: windows
+detection:
+    selection:
+        QueryName|contains:
+            - 'akamaicontainer.com'
+            - 'akamaitechcloudservices.com'
+            - 'azuredeploystore.com'
+            - 'azureonlinecloud.com'
+            - 'azureonlinestorage.com'
+            - 'dunamistrd.com'
+            - 'glcloudservice.com'
+            - 'journalide.org'
+            - 'msedgepackageinfo.com'
+            - 'msstorageazure.com'
+            - 'msstorageboxes.com'
+            - 'officeaddons.com'
+            - 'officestoragebox.com'
+            - 'pbxcloudeservices.com'
+            - 'pbxphonenetwork.com'
+            - 'pbxsources.com'
+            - 'qwepoi123098.com'
+            - 'sbmsa.wiki'
+            - 'sourceslabs.com'
+            - 'visualstudiofactory.com'
+            - 'zacharryblogs.com'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high

rules/windows/network_connection/net_connection_win_malware_3cx_compromise.yml

@@ -0,0 +1,49 @@
+title: Potential 3CX 3CXDesktopApp Compromise Beaconing Activity
+id: 51eecf75-d069-43c7-9ea2-63f75499edd4
+related:
+    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation
+      type: similar
+    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy
+      type: similar
+    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # dns
+      type: similar
+status: experimental
+description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
+references:
+    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/03/29
+tags:
+    - attack.command_and_control
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\3CXDesktopApp.exe'
+        DestinationHostname:
+            - 'akamaicontainer.com'
+            - 'akamaitechcloudservices.com'
+            - 'azuredeploystore.com'
+            - 'azureonlinecloud.com'
+            - 'azureonlinestorage.com'
+            - 'dunamistrd.com'
+            - 'glcloudservice.com'
+            - 'journalide.org'
+            - 'msedgepackageinfo.com'
+            - 'msstorageazure.com'
+            - 'msstorageboxes.com'
+            - 'officeaddons.com'
+            - 'officestoragebox.com'
+            - 'pbxcloudeservices.com'
+            - 'pbxphonenetwork.com'
+            - 'pbxsources.com'
+            - 'qwepoi123098.com'
+            - 'sbmsa.wiki'
+            - 'sourceslabs.com'
+            - 'visualstudiofactory.com'
+            - 'zacharryblogs.com'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high

rules/windows/process_creation/proc_creation_win_malware_3cx_compromise.yml

@@ -0,0 +1,56 @@
+title: Potential Compromised 3CXDesktopApp Activity
+id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c
+related:
+    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy
+      type: similar
+    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # dns
+      type: similar
+    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection
+      type: similar
+status: experimental
+description: Detects execution of known compromised version of 3CXDesktopApp
+references:
+    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/03/29
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_hashes_1:
+        Hashes|contains:
+            - 'SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
+            - 'SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
+            - 'SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
+            - 'SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
+            - 'SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
+            - 'SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
+            - 'SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
+            - 'SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
+    selection_hashes_2:
+        - sha256:
+            - 'DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
+            - 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
+            - 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
+            - '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
+        - sha1:
+            - '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
+            - '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
+            - 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
+            - 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
+    selection_pe_1:
+        - OriginalFileName: '3CXDesktopApp.exe'
+        - Image|endswith: '\3CXDesktopApp.exe'
+        - Product: '3CX Desktop App'
+    selection_pe_2:
+        FileVersion|contains:
+            - '18.12.407'
+            - '18.12.416'
+    condition: all of selection_pe_* or 1 of selection_hashes_*
+falsepositives:
+    - Legitimate usage of 3CXDesktopApp
+level: high