False positives will be present for accessing the 3cx[.]com website. Remove from the lookup as needed.

Techniques

Sample rules

3CX Supply Chain Attack Network Indicators

Description

The analytic below uses the Network_Resolution data model to find DNS queries for domain indicators associated with the 3CX supply chain attack. Running it retrospectively over historical DNS data lets you uncover potential compromises efficiently.

Detection logic

| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution by DNS.src, DNS.query 
| `drop_dm_object_name(DNS)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC 
| search isIOC=true 
| `3cx_supply_chain_attack_network_indicators_filter`
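The following Python is an added, stand-alone re-implementation of the pipeline above (it is not Splunk's code and not part of the original rule) so the join and aggregation semantics can be read outside SPL: aggregate DNS events per (src, query) into the answer IPs plus first/last seen time, enrich each row from an IOC-domain lookup, keep only isIOC=true rows, and then apply the filter macro, modelled here as an allowlist for the legitimate 3cx.com site that the false-positive note names. The event records, the lookup contents (placeholder domains, not real indicators) and the allowlist are all constructed for the example.

```python
from datetime import datetime, timezone

# Constructed DNS resolution events shaped like Network_Resolution fields (not real telemetry).
SAMPLE_DNS_EVENTS = [
    {"_time": 1680000000, "src": "10.0.0.5", "query": "ioc-placeholder-1.invalid", "answer": "203.0.113.10"},
    {"_time": 1680000600, "src": "10.0.0.5", "query": "ioc-placeholder-1.invalid", "answer": "203.0.113.11"},
    {"_time": 1680001200, "src": "10.0.0.7", "query": "www.3cx.com", "answer": "198.51.100.20"},
    {"_time": 1680001800, "src": "10.0.0.9", "query": "example.org", "answer": "192.0.2.1"},
]

# Constructed stand-in for the 3cx_ioc_domains lookup. Keys play the role of the
# lookup's "domain" field; the entries are obvious placeholders, not real IOCs.
IOC_DOMAIN_LOOKUP = {
    "ioc-placeholder-1.invalid": {"Description": "placeholder IOC domain", "isIOC": "true"},
    "www.3cx.com": {"Description": "vendor website, known false positive", "isIOC": "true"},
    "example.org": {"Description": "benign reference domain", "isIOC": "false"},
}

# Stand-in for the *_filter macro: the vendor's own site, which the LoFP note
# says will fire as a false positive when users simply visit it.
FILTER_ALLOWLIST = {"3cx.com", "www.3cx.com"}


def security_content_ctime(epoch):
    """Mirror the ctime macro: epoch seconds -> MM/DD/YYYY HH:MM:SS (assumes UTC here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def tstats_by_src_query(events):
    """Equivalent of the tstats stage: per (src, query) collect the answer IPs
    and the earliest (firstTime) / latest (lastTime) observation."""
    rows = {}
    for ev in events:
        key = (ev["src"], ev["query"].lower())
        row = rows.setdefault(key, {"src": key[0], "query": key[1], "IPs": set(),
                                     "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["IPs"].add(ev["answer"])
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return list(rows.values())


def lookup_ioc(rows, lookup):
    """Equivalent of `lookup ... domain as query OUTPUT Description isIOC`.
    Splunk lookups match case-insensitively by default, so keys are lowercased."""
    table = {domain.lower(): fields for domain, fields in lookup.items()}
    for row in rows:
        hit = table.get(row["query"])
        row["Description"] = hit["Description"] if hit else None
        row["isIOC"] = hit["isIOC"] if hit else None
    return rows


def detect(events, lookup=IOC_DOMAIN_LOOKUP, allowlist=FILTER_ALLOWLIST):
    """Full pipeline: aggregate, enrich, keep isIOC=true, then apply the filter macro."""
    rows = lookup_ioc(tstats_by_src_query(events), lookup)
    results = []
    for row in rows:
        if row["isIOC"] != "true":
            continue
        if row["query"] in allowlist:  # the LoFP tuning: drop the vendor's own site
            continue
        results.append({
            "src": row["src"],
            "query": row["query"],
            "IPs": sorted(row["IPs"]),
            "firstTime_epoch": row["firstTime"],
            "lastTime_epoch": row["lastTime"],
            "firstTime": security_content_ctime(row["firstTime"]),
            "lastTime": security_content_ctime(row["lastTime"]),
            "Description": row["Description"],
        })
    return results


if __name__ == "__main__":
    for result in detect(SAMPLE_DNS_EVENTS):
        print(result)
```

With the constructed input, only the 10.0.0.5 resolution of the placeholder IOC domain survives: example.org is in the lookup but not flagged, and the www.3cx.com hit is flagged by the lookup but removed by the filter stage. Passing an empty allowlist shows the untuned behaviour, where the vendor site is reported as well.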