Potential Compromised 3CXDesktopApp Execution

calendar Feb 1, 2024 · attack.defense_evasion attack.t1218 attack.execution detection.emerging_threats  ·
Share on: linkedin copy

Detects execution of known compromised version of 3CXDesktopApp

Sigma rule (View on GitHub)

  1title: Potential Compromised 3CXDesktopApp Execution
  2id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c
  3related:
  4    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
  5      type: similar
  6    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
  7      type: similar
  8    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
  9      type: similar
 10    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
 11      type: similar
 12    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
 13      type: similar
 14    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
 15      type: similar
 16    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
 17      type: similar
 18status: test
 19description: Detects execution of known compromised version of 3CXDesktopApp
 20references:
 21    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
 22author: Nasreddine Bencherchali (Nextron Systems)
 23date: 2023/03/29
 24modified: 2023/03/31
 25tags:
 26    - attack.defense_evasion
 27    - attack.t1218
 28    - attack.execution
 29    - detection.emerging_threats
 30logsource:
 31    category: process_creation
 32    product: windows
 33detection:
 34    selection_hashes_1:
 35        Hashes|contains:
 36            # 3CX Desktop 18.12.407
 37            - 'SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
 38            - 'SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'
 39            - 'SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'
 40            - 'SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859'
 41            - 'SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187'
 42            - 'SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
 43            - 'MD5=BB915073385DD16A846DFA318AFA3C19'
 44            - 'MD5=08D79E1FFFA244CC0DC61F7D2036ACA9'
 45            - 'MD5=4965EDF659753E3C05D800C6C8A23A7A'
 46            # 3CX Desktop 18.12.416
 47            - 'SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
 48            - 'SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'
 49            - 'SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'
 50            - 'SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'
 51            - 'SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
 52            - 'SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'
 53            - 'MD5=9833A4779B69B38E3E51F04E395674C6'
 54            - 'MD5=704DB9184700481A56E5100FB56496CE'
 55            - 'MD5=8EE6802F085F7A9DF7E0303E65722DC0'
 56            # 3CXDesktopApp MSI
 57            - 'SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
 58            - 'SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
 59            - 'SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
 60            - 'SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
 61            - 'MD5=F3D4144860CA10BA60F7EF4D176CC736'
 62            - 'MD5=0EEB1C0133EB4D571178B2D9D14CE3E9'
 63    selection_hashes_2:
 64        - sha256:
 65              - 'DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
 66              - '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'
 67              - 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'
 68              - 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
 69              - '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'
 70              - 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'
 71              - 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
 72              - '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
 73        - sha1:
 74              - '480DC408EF50BE69EBCF84B95750F7E93A8A1859'
 75              - '3B43A5D8B83C637D00D769660D01333E88F5A187'
 76              - '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
 77              - 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'
 78              - '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
 79              - '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'
 80              - 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
 81              - 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
 82        - md5:
 83              - 'BB915073385DD16A846DFA318AFA3C19'
 84              - '08D79E1FFFA244CC0DC61F7D2036ACA9'
 85              - '4965EDF659753E3C05D800C6C8A23A7A'
 86              - '9833A4779B69B38E3E51F04E395674C6'
 87              - '704DB9184700481A56E5100FB56496CE'
 88              - '8EE6802F085F7A9DF7E0303E65722DC0'
 89              - 'F3D4144860CA10BA60F7EF4D176CC736'
 90              - '0EEB1C0133EB4D571178B2D9D14CE3E9'
 91    selection_pe_1:
 92        - OriginalFileName: '3CXDesktopApp.exe'
 93        - Image|endswith: '\3CXDesktopApp.exe'
 94        - Product: '3CX Desktop App'
 95    selection_pe_2:
 96        FileVersion|contains: '18.12.'
 97    condition: all of selection_pe_* or 1 of selection_hashes_*
 98falsepositives:
 99    - Legitimate usage of 3CXDesktopApp
100level: high

References

Related rules

to-top