Techniques
Sample rules
Windows Vulnerable 3CX Software
- source: splunk
- techniques:
- T1195.002
Description
The following analytic leverages Sysmon, a powerful system monitoring and logging tool, to pinpoint instances of 3CXDesktopApp.exe with a FileVersion of 18.12.x. Recently, 3CX has discovered a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app.
Detection logic
`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe) FileVersion=18.12.*
| stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, OriginalFileName, CommandLine
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_vulnerable_3cx_software_filter`
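
An added example, not part of the original rule or of Splunk's content: the search's filter and `stats` step replayed in Python over constructed Sysmon events. It also keeps FileVersion per row, which the search's `stats` output drops, so hits on the two versions named in the description can be separated from other 18.12.x installs. Host names, timestamps, the helper names and the non-named versions are assumptions made up for the sample.

```python
from collections import defaultdict

NAMED_BUILDS = ("18.12.407", "18.12.416")  # versions named in the description
GROUP_BY = ("dest", "parent_process_name", "process_name", "OriginalFileName", "CommandLine")

def ev(t, dest, name, orig, ver):
    """Build one constructed Sysmon process-creation event."""
    return {"_time": t, "dest": dest, "parent_process_name": "explorer.exe",
            "process_name": name, "OriginalFileName": orig,
            "FileVersion": ver, "CommandLine": name}

# Constructed sample events; hosts, times and the non-named versions are made up.
EVENTS = [
    ev(1680100000, "ws-01", "3CXDesktopApp.exe", "3CXDesktopApp.exe", "18.12.416"),
    ev(1680103600, "ws-01", "3CXDesktopApp.exe", "3CXDesktopApp.exe", "18.12.416"),
    ev(1680100500, "ws-02", "renamed.exe", "3CXDesktopApp.exe", "18.12.407"),
    ev(1680100900, "ws-03", "3CXDesktopApp.exe", "3CXDesktopApp.exe", "18.12.100"),
    ev(1680101200, "ws-04", "3CXDesktopApp.exe", "3CXDesktopApp.exe", "18.11.0"),
]

def matches(e):
    """Same filter as the search: name or OriginalFileName, and FileVersion=18.12.*"""
    target = "3cxdesktopapp.exe"
    named = target in (e["process_name"].lower(), e["OriginalFileName"].lower())
    return named and e["FileVersion"].startswith("18.12.")

def is_named_build(version):
    """True for 18.12.407 / 18.12.416, with or without a trailing build field."""
    return any(version == b or version.startswith(b + ".") for b in NAMED_BUILDS)

def aggregate(events):
    """Equivalent of the search's stats-by step, plus the versions seen per row."""
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "versions": set()})
    for e in filter(matches, events):
        r = rows[tuple(e[k] for k in GROUP_BY)]
        r["count"] += 1
        r["firstTime"] = e["_time"] if r["firstTime"] is None else min(r["firstTime"], e["_time"])
        r["lastTime"] = e["_time"] if r["lastTime"] is None else max(r["lastTime"], e["_time"])
        r["versions"].add(e["FileVersion"])
    return dict(rows)

def triage(events):
    """Map each matched host to 'named-build' or 'other-18.12' for prioritisation."""
    out = {}
    for key, r in aggregate(events).items():
        hit = any(is_named_build(v) for v in r["versions"])
        out[key[0]] = "named-build" if hit or out.get(key[0]) == "named-build" else "other-18.12"
    return out
```

On the sample data, ws-02 is still matched through OriginalFileName although the process was renamed, and ws-03 matches the 18.12.* wildcard without being one of the two named versions.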