
Potential Compromised 3CXDesktopApp Execution

Status: test
Severity: high
Log source: product windows, category process_creation
Author: Nasreddine Bencherchali (Nextron Systems)
Source: github.com/SigmaHQ/sigma

Detects execution of a known compromised version of 3CXDesktopApp.

Event coverage

Provider | Event      | Title
Sysmon   | Event ID 1 | Process creation

Rule body (YAML)

title: Potential Compromised 3CXDesktopApp Execution
id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c
related:
    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
      type: similar
    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
      type: similar
    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
      type: similar
    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
      type: similar
    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
      type: similar
    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
      type: similar
    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
      type: similar
status: test
description: Detects execution of known compromised version of 3CXDesktopApp
references:
    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
modified: 2024-11-23
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_hashes:
        Hashes|contains:
            # 3CX Desktop 18.12.407
            - 'SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
            - 'SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'
            - 'SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'
            - 'SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859'
            - 'SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187'
            - 'SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
            - 'MD5=BB915073385DD16A846DFA318AFA3C19'
            - 'MD5=08D79E1FFFA244CC0DC61F7D2036ACA9'
            - 'MD5=4965EDF659753E3C05D800C6C8A23A7A'
            # 3CX Desktop 18.12.416
            - 'SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
            - 'SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'
            - 'SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'
            - 'SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'
            - 'SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
            - 'SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'
            - 'MD5=9833A4779B69B38E3E51F04E395674C6'
            - 'MD5=704DB9184700481A56E5100FB56496CE'
            - 'MD5=8EE6802F085F7A9DF7E0303E65722DC0'
            # 3CXDesktopApp MSI
            - 'SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
            - 'SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
            - 'SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
            - 'SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
            - 'MD5=F3D4144860CA10BA60F7EF4D176CC736'
            - 'MD5=0EEB1C0133EB4D571178B2D9D14CE3E9'
    selection_pe_1:
        - OriginalFileName: '3CXDesktopApp.exe'
        - Image|endswith: '\3CXDesktopApp.exe'
        - Product: '3CX Desktop App'
    selection_pe_2:
        FileVersion|contains: '18.12.'
    condition: all of selection_pe_* or selection_hashes
falsepositives:
    - Legitimate usage of 3CXDesktopApp
level: high

Stages and Predicates

Stage 0: condition

all of selection_pe_* or selection_hashes

Stage 1: selection_pe_1

selection_pe_1:
    - OriginalFileName: '3CXDesktopApp.exe'
    - Image|endswith: '\3CXDesktopApp.exe'
    - Product: '3CX Desktop App'

Stage 2: selection_pe_2

selection_pe_2:
    FileVersion|contains: '18.12.'

Stage 3: selection_hashes

selection_hashes:
    Hashes|contains:
        - 'SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
        - 'SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'
        - 'SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'
        - 'SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859'
        - 'SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187'
        - 'SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
        - 'MD5=BB915073385DD16A846DFA318AFA3C19'
        - 'MD5=08D79E1FFFA244CC0DC61F7D2036ACA9'
        - 'MD5=4965EDF659753E3C05D800C6C8A23A7A'
        - 'SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
        - 'SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'
        - 'SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'
        - 'SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'
        - 'SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
        - 'SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'
        - 'MD5=9833A4779B69B38E3E51F04E395674C6'
        - 'MD5=704DB9184700481A56E5100FB56496CE'
        - 'MD5=8EE6802F085F7A9DF7E0303E65722DC0'
        - 'SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
        - 'SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
        - 'SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
        - 'SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
        - 'MD5=F3D4144860CA10BA60F7EF4D176CC736'
        - 'MD5=0EEB1C0133EB4D571178B2D9D14CE3E9'
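The condition and selections above, as an added Python evaluator that is not part of the SigmaHQ rule or this page: it applies Sigma's list-of-maps (OR) and map (AND) semantics and the three field modifiers the rule uses to constructed Sysmon Event ID 1 records, carrying only two of the rule's hash values. The event layouts, the clean builds' version strings and their hashes are constructed.

```python
# Added example, not part of the SigmaHQ rule or this page: a minimal evaluator for the
# detection section above, run over constructed Sysmon Event ID 1 records.
SELECTION_HASHES = {"Hashes|contains": [  # two of the rule's values; full list above
    "SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC",
    "MD5=BB915073385DD16A846DFA318AFA3C19",
]}
SELECTION_PE_1 = [  # YAML list of maps: any one map matching is enough (OR)
    {"OriginalFileName": "3CXDesktopApp.exe"},
    {"Image|endswith": "\\3CXDesktopApp.exe"},
    {"Product": "3CX Desktop App"},
]
SELECTION_PE_2 = {"FileVersion|contains": "18.12."}  # YAML map: every key must match (AND)

def field_matches(event, key, expected):
    """Apply one Sigma field modifier; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    wanted = [expected] if isinstance(expected, str) else expected  # list of values = OR
    for w in (x.lower() for x in wanted):
        if ((modifier == "" and value == w) or (modifier == "contains" and w in value)
                or (modifier == "endswith" and value.endswith(w))):
            return True
    return False

def selection_matches(event, selection):
    if isinstance(selection, list):
        return any(selection_matches(event, m) for m in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event):
    """condition: all of selection_pe_* or selection_hashes"""
    pe = selection_matches(event, SELECTION_PE_1) and selection_matches(event, SELECTION_PE_2)
    return pe or selection_matches(event, SELECTION_HASHES)

# Constructed sample events, not real telemetry; the clean builds carry placeholder hashes.
EXE = r"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe"
TROJANIZED = {"Image": EXE, "OriginalFileName": "3CXDesktopApp.exe", "FileVersion": "18.12.407",
              "Hashes": "SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859,MD5=BB915073385DD16A846DFA318AFA3C19"}
RENAMED = {"Image": r"C:\Users\Public\update.exe", "OriginalFileName": "update.exe",
           "FileVersion": "1.0.0", "Hashes": "MD5=BB915073385DD16A846DFA318AFA3C19"}
CLEAN_18_12 = {"Image": EXE, "OriginalFileName": "3CXDesktopApp.exe", "FileVersion": "18.12.999",
               "Hashes": "SHA256=" + "0" * 64}  # any 18.12.x build trips the version branch
OLDER = {"Image": EXE, "OriginalFileName": "3CXDesktopApp.exe", "FileVersion": "18.11.1",
         "Hashes": "SHA256=" + "1" * 64}

if __name__ == "__main__":
    for name, ev in [("trojanized", TROJANIZED), ("renamed", RENAMED),
                     ("clean 18.12.x", CLEAN_18_12), ("older build", OLDER)]:
        print(f"{name:14} -> {'ALERT' if rule_matches(ev) else 'no match'}")
```

Any 18.12.x build alerts through the selection_pe_* branch even with an unlisted hash, which is why the rule lists legitimate 3CXDesktopApp usage as a false positive; a renamed copy with a listed hash still alerts through selection_hashes.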

Indicators

Each row is a field, an operator, and the values the rule matches against it. The corpus count shown next to a value records how many other rules in the catalog look for the same field/value combination: high numbers point to widely used, community-vetted indicators, while a blank or a count of 1 means the indicator is specific to this rule.

Field            Kind       Values (corpus count where known)
FileVersion      match
  • 18.12.
Hashes           match      (the SHA256, SHA1 and MD5 values listed in selection_hashes above)
Image            ends_with
  • \3CXDesktopApp.exe    corpus 2 (sigma 2)
OriginalFileName eq
  • 3CXDesktopApp.exe     corpus 2 (sigma 1, splunk 1)
Product          eq
  • 3CX Desktop App