Malicious DLL Load By Compromised 3CXDesktopApp
Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
detection:
selection:
Hashes|contains:
# ffmpeg.dll
- 'SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896'
- 'SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429'
- 'MD5=74BC2D0B6680FAA1A5A76B27E5479CBC'
# d3dcompiler_47.dll
- 'SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03'
- 'SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E'
- 'MD5=82187AD3F0C6C225E2FBA0C867280CC9'
# Inner object from ffmpeg.dll
- 'SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952'
- 'SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30'
- 'MD5=11BC82A9BD8297BD0823BCE5D6202082'
# ICONIC Stealer payload
- 'SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423'
- 'SHA1=3B3E778B647371262120A523EB873C20BB82BEAF'
- 'MD5=7FAEA2B01796B80D180399040BB69835'
condition: selectionFalse positives are unlikely for most environments. High confidence detection.
Tactics
Other
Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
Detects similar activity. Both rules may fire on overlapping events.
Potential Compromised 3CXDesktopApp ICO C2 File Download
Detects potential malicious .ICO files download from a compromised 3CXDesktopApp via web requests to the the malicious Github repository
Detects similar activity. Both rules may fire on overlapping events.
Potential Compromised 3CXDesktopApp Beaconing Activity - DNS
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
Detects similar activity. Both rules may fire on overlapping events.
Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
Detects similar activity. Both rules may fire on overlapping events.
Potential Compromised 3CXDesktopApp Execution
Detects execution of known compromised version of 3CXDesktopApp
Detects similar activity. Both rules may fire on overlapping events.
Potential Suspicious Child Process Of 3CXDesktopApp
Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
Detects similar activity. Both rules may fire on overlapping events.
Potential Compromised 3CXDesktopApp Update Activity
Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
Detects similar activity. Both rules may fire on overlapping events.