LoFP / false positives will be present for accessing the 3cx[.]com website. remove from the lookup as needed.

Techniques

• T1195.002

Sample rules

3CX Supply Chain Attack Network Indicators

• source: splunk
• technicques:
  • T1195.002

Description

The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.

Detection logic

| tstats `security_content_summariesonly` min(_time) as firstTime from datamodel=Network_Resolution by DNS.answer DNS.answer_count DNS.query DNS.query_count DNS.reply_code_id DNS.src DNS.vendor_product 
| `drop_dm_object_name(DNS)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC 
| search isIOC=true 
| `3cx_supply_chain_attack_network_indicators_filter`