LoFP

False positives will be present for accessing the 3cx[.]com website (the vendor's legitimate domain); remove it from the lookup as needed.

Techniques

Sample rules

3CX Supply Chain Attack Network Indicators

Description

The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.

Detection logic

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution by DNS.answer DNS.answer_count DNS.query DNS.query_count DNS.reply_code_id DNS.src DNS.vendor_product
| `drop_dm_object_name(DNS)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC
| search isIOC=true
| `3cx_supply_chain_attack_network_indicators_filter`
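The following Python is an added example, not part of the Splunk rule or the LoFP page, for readers who want to see the same lookup-based DNS IOC matching outside Splunk. It re-implements the pipeline above over a handful of constructed Network_Resolution-style events: group by source and query, compute firstTime/lastTime, join against an IOC lookup, and apply an allowlist in place of the `3cx_supply_chain_attack_network_indicators_filter` macro. The IOC lookup rows are placeholders (the `.test` domains are not real campaign indicators); `3cx.com` is included only to reproduce the false positive the page describes, and the allowlist shows how the filter removes it.

```python
"""Added example: stand-alone re-implementation of the lookup-based DNS IOC
detection described above. The IOC table and DNS events are constructed;
the .test domains are placeholders, not real 3CX campaign indicators."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-in for the 3cx_ioc_domains lookup. "3cx.com" is included
# deliberately: the vendor's legitimate site in the lookup is the false
# positive the page warns about, and the filter below removes it.
IOC_LOOKUP = [
    {"domain": "ioc-placeholder-1.test", "Description": "placeholder C2 domain", "isIOC": "true"},
    {"domain": "ioc-placeholder-2.test", "Description": "placeholder staging domain", "isIOC": "true"},
    {"domain": "3cx.com", "Description": "vendor site (benign)", "isIOC": "true"},
]

# Stand-in for the `3cx_supply_chain_attack_network_indicators_filter` macro:
# domains excluded from results because they are expected, benign traffic.
FILTER_ALLOWLIST = {"3cx.com"}

# Constructed Network_Resolution-style events (epoch seconds, source, query).
DNS_EVENTS = [
    {"_time": 1680000000, "src": "10.0.0.5", "query": "update.example.test", "answer": "203.0.113.9", "reply_code_id": 0},
    {"_time": 1680000060, "src": "10.0.0.5", "query": "IOC-Placeholder-1.test.", "answer": "198.51.100.7", "reply_code_id": 0},
    {"_time": 1680000120, "src": "10.0.0.7", "query": "ioc-placeholder-1.test", "answer": "198.51.100.7", "reply_code_id": 0},
    {"_time": 1680000180, "src": "10.0.0.9", "query": "3cx.com", "answer": "192.0.2.10", "reply_code_id": 0},
    {"_time": 1680000240, "src": "10.0.0.5", "query": "ioc-placeholder-2.test", "answer": "", "reply_code_id": 3},
]


def normalize_domain(name):
    """Lower-case and strip a trailing dot so lookup matching is exact
    (a raw resolver log may carry 'Example.COM.' for 'example.com')."""
    return name.strip().rstrip(".").lower()


def build_ioc_index(lookup_rows):
    """Index the lookup by normalized domain, keeping only rows with isIOC=true
    (the equivalent of `search isIOC=true` after the lookup)."""
    return {
        normalize_domain(row["domain"]): row
        for row in lookup_rows
        if row.get("isIOC", "").lower() == "true"
    }


def ctime(epoch):
    """Equivalent of security_content_ctime: epoch seconds -> readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def detect(events, lookup_rows, allowlist):
    """Mirror of the SPL pipeline: aggregate by (src, query, answer, reply_code_id),
    compute firstTime/lastTime per group, join against the IOC lookup, then drop
    allowlisted domains the way the filter macro would."""
    ioc_index = build_ioc_index(lookup_rows)
    groups = defaultdict(list)
    for ev in events:
        key = (ev["src"], normalize_domain(ev["query"]), ev["answer"], ev["reply_code_id"])
        groups[key].append(ev["_time"])

    results = []
    for (src, query, answer, reply_code_id), times in groups.items():
        ioc = ioc_index.get(query)
        if ioc is None or query in allowlist:
            continue
        results.append({
            "src": src,
            "query": query,
            "answer": answer,
            "reply_code_id": reply_code_id,
            "query_count": len(times),
            "firstTime": ctime(min(times)),
            "lastTime": ctime(max(times)),
            "Description": ioc["Description"],
        })
    return sorted(results, key=lambda r: (r["firstTime"], r["src"]))


if __name__ == "__main__":
    for hit in detect(DNS_EVENTS, IOC_LOOKUP, FILTER_ALLOWLIST):
        print(hit)
```

Running `detect` with an empty allowlist returns the `3cx.com` row as well, which is exactly the false positive the page notes; the allowlist (or, in Splunk, editing the lookup or the filter macro) is where that tuning belongs rather than in the core search. Note that the query with `reply_code_id` 3 (NXDOMAIN) still matches: a failed resolution of an indicator domain is still evidence of an attempt and should not be filtered out.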