LoFP / False positives may be present depending on file version: the search matches every 18.12.x build, so narrow the analytic to versions 18.12.407 and 18.12.416 only as needed.

Techniques

Sample rules

Windows Vulnerable 3CX Software

Description

The following analytic leverages Sysmon, a system monitoring and logging tool for Windows, to pinpoint executions of 3CXDesktopApp.exe with a FileVersion of 18.12.x. 3CX has disclosed that versions 18.12.407 and 18.12.416 of the desktop app are affected. The search deliberately casts a wider net over all 18.12 builds and matches on OriginalFileName as well as process_name, so a binary renamed on disk is still caught; tighten the version filter to the two affected builds if the broader match produces benign hits.

Detection logic

`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe)  FileVersion=18.12.* 
| stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, OriginalFileName, CommandLine 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `windows_vulnerable_3cx_software_filter`
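To show what the search above actually selects, and how the version tuning from the false-positive note changes the result set, here is an added Python re-implementation of the same logic run over constructed Sysmon Event ID 1 records. It is not Splunk's or 3CX's code; the field names mirror the search (process_name, OriginalFileName, FileVersion, dest, parent_process_name, CommandLine, _time), the hostnames, paths, timestamps and the 18.12.422 build are invented, and the records are assumed to be already normalised the way the `sysmon` macro would present them.

```python
"""Added example (not Splunk's or 3CX's own code): the Windows Vulnerable 3CX
Software search re-implemented in Python over constructed Sysmon Event ID 1
records, so the filter and the version tuning can be checked offline."""
from datetime import datetime, timezone

TARGET_NAME = "3cxdesktopapp.exe"
# The two builds named on this page; every other 18.12.* build is a wildcard
# hit that the false-positive note says you may want to drop.
KNOWN_BAD_VERSIONS = {(18, 12, 407), (18, 12, 416)}
GROUP_BY = ("dest", "parent_process_name", "process_name",
            "OriginalFileName", "CommandLine")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _ev(time, dest, proc, orig, ver, parent, cmd):
    """Build one normalised Sysmon process-creation record (search field names)."""
    return {"_time": time, "dest": dest, "process_name": proc,
            "OriginalFileName": orig, "FileVersion": ver,
            "parent_process_name": parent, "CommandLine": cmd}


# Constructed sample telemetry: hostnames, paths, times and the 18.12.422 build
# are invented for the example.
APP = r"C:\Users\alice\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe"
SAMPLE_EVENTS = [
    _ev("2023-03-29T14:02:11Z", "WS-101", "3CXDesktopApp.exe",
        "3CXDesktopApp.exe", "18.12.416", "explorer.exe", f'"{APP}"'),
    _ev("2023-03-30T08:15:00Z", "WS-101", "3CXDesktopApp.exe",
        "3CXDesktopApp.exe", "18.12.416", "explorer.exe", f'"{APP}"'),
    # lower-case name: Splunk field-value matching is case-insensitive, so this hits
    _ev("2023-03-29T09:40:02Z", "WS-205", "3cxdesktopapp.exe",
        "3CXDesktopApp.exe", "18.12.407", "userinit.exe", f'"{APP}"'),
    # hypothetical later 18.12 build: matches 18.12.* but is not a listed version
    _ev("2023-04-03T11:22:45Z", "WS-310", "3CXDesktopApp.exe",
        "3CXDesktopApp.exe", "18.12.422", "explorer.exe", f'"{APP}"'),
    # older branch: outside scope
    _ev("2023-03-28T16:05:19Z", "WS-442", "3CXDesktopApp.exe",
        "3CXDesktopApp.exe", "18.11.1213", "explorer.exe", f'"{APP}"'),
    # unrelated process: outside scope
    _ev("2023-03-29T10:00:00Z", "WS-501", "notepad.exe",
        "NOTEPAD.EXE", "10.0.19041.1", "explorer.exe", "notepad.exe"),
    # renamed on disk, but the PE version resource still says 3CXDesktopApp.exe
    _ev("2023-03-31T07:58:33Z", "WS-610", "app.exe",
        "3CXDesktopApp.exe", "18.12.416", "cmd.exe", r'"C:\Temp\app.exe"'),
]


def parse_version(ver):
    """'18.12.416' -> (18, 12, 416). Non-numeric parts become -1 so a malformed
    string can never compare equal to a known-bad tuple."""
    return tuple(int(p) if p.isdigit() else -1 for p in ver.split("."))


def is_target_process(ev):
    """process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe,
    compared case-insensitively as Splunk does for field values."""
    return any(ev.get(f, "").lower() == TARGET_NAME
               for f in ("process_name", "OriginalFileName"))


def version_in_scope(ev, known_bad_only=False):
    """FileVersion=18.12.* by default; with known_bad_only, only the two builds
    from the false-positive note (first three components compared)."""
    ver = ev.get("FileVersion", "")
    if known_bad_only:
        return parse_version(ver)[:3] in KNOWN_BAD_VERSIONS
    return ver.startswith("18.12.")


def run_detection(events, known_bad_only=False):
    """Equivalent of `stats count min(_time) as firstTime max(_time) as lastTime
    by dest, parent_process_name, process_name, OriginalFileName, CommandLine`.
    Returns {group_key: {"count", "firstTime", "lastTime"}} with readable times,
    roughly what security_content_ctime renders."""
    groups = {}
    for ev in events:
        if not (is_target_process(ev) and version_in_scope(ev, known_bad_only)):
            continue
        key = tuple(ev.get(f, "") for f in GROUP_BY)
        t = datetime.strptime(ev["_time"], TIME_FMT).replace(tzinfo=timezone.utc)
        g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    for g in groups.values():
        g["firstTime"] = g["firstTime"].strftime(TIME_FMT)
        g["lastTime"] = g["lastTime"].strftime(TIME_FMT)
    return groups


if __name__ == "__main__":
    for narrow in (False, True):
        print("known-bad builds only" if narrow else "all 18.12.* builds")
        for key, g in run_detection(SAMPLE_EVENTS, known_bad_only=narrow).items():
            print(f"  {key[0]:8} {key[2]:20} count={g['count']} "
                  f"{g['firstTime']} .. {g['lastTime']}")
```

With the wildcard the sample yields four groups (WS-101 twice in one group, WS-205, WS-310, WS-610); switching to the two listed builds drops the WS-310 row while keeping the renamed binary on WS-610, which is the trade-off the false-positive note describes.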