Detection rules › Splunk
3CXDesktopApp.exe Execution (EDR)
Malicious activity has been detected on March 29, 2023, originating from a legitimate and signed binary called 3CXDesktopApp, which is a softphone application from 3CX. This malicious activity includes beaconing to infrastructure controlled by the attackers, deployment of additional payloads in the second stage, and in a few cases, direct interaction by the attackers with the system
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1195 Supply Chain Compromise |
| Execution | T1204.002 User Execution: Malicious File |
| Stealth | T1218 System Binary Proxy Execution |
References
- https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
- https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
- https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
id: '17332.28225'
title: 3CXDesktopApp.exe Execution
description: 'Malicious activity has been detected on March 29, 2023, originating
from a legitimate and signed binary called 3CXDesktopApp, which is a softphone application
from 3CX. This malicious activity includes beaconing to infrastructure controlled
by the attackers, deployment of additional payloads in the second stage, and in
a few cases, direct interaction by the attackers with the system. - Campaign: SmoothOperator
- Threat Actor Association: Lazarus Group (aka Labyrinth Chollima)'
logic_format: Splunk
logic: ' `get_endpoint_data` `get_endpoint_data_edr` ((event_type IN ("childproc","netconn","proc"))
OR (TERM(ProcessRollup2) OR Type=Process) OR TERM(DeviceProcessEvents)) ("3CXDesktopApp.exe")
OR TERM(3CX Desktop App) | table _time, host, user signature_id, process, process_*,
parent_* | bin span=1s | stats values(*) as * by _time, host `hec_collect`'
techniques:
- defense-evasion:system binary proxy execution
- initial-access:supply chain compromise
- execution:user execution:malicious file
technique_id:
- T1218
- T1195
- T1204.002
data_category:
- EDR Logs
- Process command-line parameters
references:
- https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
- https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
- https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_edr` ((event_type IN ("childproc","netconn","proc")) OR (TERM(ProcessRollup2) OR Type=Process) OR TERM(DeviceProcessEvents)) ("3CXDesktopApp.exe") OR TERM(3CX Desktop App)
Stage 2: table
| table _time, host, user signature_id, process, process_*, parent_*
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host `hec_collect`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
event_type | in |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | ProcessRollup2 |
| 1 | TERM |
| 1 | DeviceProcessEvents |
| 1 | "3CXDesktopApp.exe" |
| 1 | "3CX Desktop App" |