hunting_3cxdesktopapp_software.yml
name: Hunting 3CXDesktopApp Software
id: 553d0429-1a1c-44bf-b3f5-a8513deb9ee5
version: 1
date: '2023-03-30'
author: Michael Haag, Splunk
type: Hunting
status: production
data_source:
- Sysmon EventID 1
description: This hunting analytic identifies any execution of the 3CXDesktopApp,
also known as the 3CX Desktop App, on Windows or macOS endpoints. Note that because
it queries the Processes node of the Endpoint datamodel, file version information
is not available in the results. 3CX has reported that versions 18.12.407 and
18.12.416 of the desktop app were trojanized as part of a software supply chain
attack (CVE-2023-29059), so every match should be triaged against the installed
version.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe
OR Processes.process_name="3CX Desktop App" by Processes.dest Processes.user Processes.parent_process_name
Processes.process_name Processes.original_file_name Processes.process Processes.process_id
Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `hunting_3cxdesktopapp_software_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must
be processed using the appropriate Splunk Technology Add-ons that are specific to
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
data model. Use the Splunk Common Information Model (CIM) to normalize the field
names and speed up the data modeling process.
known_false_positives: This hunt matches every execution of 3CXDesktopApp, including
unaffected versions, because the Endpoint datamodel does not carry the file version,
so matches must be triaged against the affected version numbers. Despite this limitation,
the primary goal of this approach is to find where the software is running in the environment.
references:
- https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
- https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
- https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898
- https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/
tags:
analytic_story:
- 3CX Supply Chain Attack
asset_type: Endpoint
confidence: 50
cve:
- CVE-2023-29059
impact: 80
message: An instance $process_name$ was identified on endpoint $dest$.
mitre_attack_id:
- T1195.002
observable:
- name: dest
type: Hostname
role:
- Victim
- name: process_name
type: Process
role:
- Child Process
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.dest
- Processes.user
- Processes.parent_process_name
- Processes.parent_process
- Processes.original_file_name
- Processes.process_name
- Processes.process
- Processes.process_id
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
risk_score: 40
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
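The hunting search above, re-implemented in Python as an added example (not part of the Splunk security_content project) over constructed Sysmon EventID 1 records. It normalizes each record into the Endpoint.Processes fields the search groups by, applies the same process_name match, and adds the one check the datamodel-based search cannot do: comparing Sysmon's FileVersion field against the affected versions named in the description. Host names, users, paths and the notepad control record are all constructed sample data.

```python
"""Added example, not part of the Splunk security_content project: the hunting search
above, re-implemented over constructed Sysmon EventID 1 records, plus the file
version check the Endpoint datamodel cannot perform."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Process names the SPL search matches: the Windows binary and the macOS app name.
TARGET_PROCESS_NAMES = {"3cxdesktopapp.exe", "3cx desktop app"}
# Affected desktop app versions as stated in the analytic description.
AFFECTED_VERSIONS = {"18.12.407", "18.12.416"}
SYSMON_NS = "http://schemas.microsoft.com/win/2004/08/events/event"


def _event(utc_time, computer, user, image, parent_image, cmdline, version, pid, ppid):
    """Build a constructed Sysmon EventID 1 XML record (sample data, not real telemetry)."""
    return f"""<Event xmlns="{SYSMON_NS}">
  <System><EventID>1</EventID><Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="UtcTime">{utc_time}</Data>
    <Data Name="ProcessId">{pid}</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="FileVersion">{version}</Data>
    <Data Name="CommandLine">{cmdline}</Data>
    <Data Name="User">{user}</Data>
    <Data Name="ParentProcessId">{ppid}</Data>
    <Data Name="ParentImage">{parent_image}</Data>
  </EventData>
</Event>"""


APP = "C:\\Users\\{u}\\AppData\\Local\\Programs\\3CXDesktopApp\\app\\3CXDesktopApp.exe"
EXPLORER = "C:\\Windows\\explorer.exe"

# Constructed sample: one host on an affected build, one on an older build, plus an
# unrelated process that must not match.
SAMPLE_EVENTS = [
    _event("2023-03-29 14:01:10.000", "WS01", "CORP\\alice", APP.format(u="alice"),
           EXPLORER, f'"{APP.format(u="alice")}"', "18.12.416", 4120, 2200),
    _event("2023-03-29 14:05:42.000", "WS01", "CORP\\alice", APP.format(u="alice"),
           APP.format(u="alice"), f'"{APP.format(u="alice")}" --type=renderer',
           "18.12.416", 4188, 4120),
    _event("2023-03-29 09:30:00.000", "WS02", "CORP\\bob", APP.format(u="bob"),
           EXPLORER, f'"{APP.format(u="bob")}"', "18.12.401", 5100, 2300),
    _event("2023-03-29 09:31:00.000", "WS02", "CORP\\bob",
           "C:\\Windows\\System32\\notepad.exe", EXPLORER, "notepad.exe",
           "10.0.19041.1", 5200, 2300),
]


def parse_sysmon_process_create(xml_text):
    """Map one Sysmon EventID 1 record onto the Endpoint.Processes fields used by the
    search, keeping FileVersion, which the datamodel drops. Returns None for other events."""
    root = ET.fromstring(xml_text)
    ns = {"e": SYSMON_NS}
    if root.findtext("e:System/e:EventID", namespaces=ns) != "1":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", ns)}
    basename = lambda p: p.replace("/", "\\").rsplit("\\", 1)[-1]  # Windows or macOS path
    return {
        "_time": datetime.strptime(data["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc),
        "dest": root.findtext("e:System/e:Computer", namespaces=ns),
        "user": data.get("User", ""),
        "process_name": basename(data.get("Image", "")),
        "parent_process_name": basename(data.get("ParentImage", "")),
        "process": data.get("CommandLine", ""),
        "process_id": data.get("ProcessId", ""),
        "parent_process_id": data.get("ParentProcessId", ""),
        "file_version": data.get("FileVersion", ""),
    }


def hunt_3cx(events):
    """Equivalent of the tstats search: count, firstTime and lastTime grouped by the same
    fields, plus an affected_version verdict the SPL cannot produce."""
    groups = {}
    for xml_text in events:
        rec = parse_sysmon_process_create(xml_text)
        if rec is None or rec["process_name"].lower() not in TARGET_PROCESS_NAMES:
            continue
        key = (rec["dest"], rec["user"], rec["parent_process_name"], rec["process_name"],
               rec["process"], rec["process_id"], rec["parent_process_id"])
        g = groups.setdefault(key, {"count": 0, "firstTime": rec["_time"],
                                    "lastTime": rec["_time"], "file_version": rec["file_version"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], rec["_time"])
        g["lastTime"] = max(g["lastTime"], rec["_time"])
    results = []
    for (dest, user, parent, name, cmd, pid, ppid), g in groups.items():
        results.append({
            "dest": dest, "user": user, "parent_process_name": parent, "process_name": name,
            "process": cmd, "process_id": pid, "parent_process_id": ppid, "count": g["count"],
            "firstTime": g["firstTime"].isoformat(), "lastTime": g["lastTime"].isoformat(),
            "file_version": g["file_version"],
            "affected_version": g["file_version"] in AFFECTED_VERSIONS,
        })
    return sorted(results, key=lambda r: (r["dest"], r["firstTime"]))


def hosts_to_triage(results):
    """Hosts where an affected build was seen executing."""
    return {r["dest"] for r in results if r["affected_version"]}


if __name__ == "__main__":
    for row in hunt_3cx(SAMPLE_EVENTS):
        print(row["dest"], row["user"], row["process_name"], row["file_version"],
              "AFFECTED" if row["affected_version"] else "ok")
```

Because the grouping mirrors the SPL `by` clause (process_id and full command line included), each process launch normally lands in its own row; collapse on `dest` and `file_version` instead if you only want an inventory of which hosts run which build.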