https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-hunting-supply-chain-attack-for-3cx/m-p/537024#M3987 <P>This is more from how people are hunting with different EDR tools, so just throwing out something with XQL to the community which might be helpful for us all:</P> <P>&nbsp;</P> <P>Note: All of the below queries are created from an environment which does not uses 3CX so correct where possible guys.</P> <P>&nbsp;</P> <P>Query 1: Monitor general Public IP address communication form 3CX Desktop App to Internet: (Gotcha: Don't exclude your Proxy IP from Private IP filter list)</P> <P>&nbsp;</P> <LI-CODE lang="markup">config case_sensitive = false | preset = network_story | filter actor_process_image_name = "3cxdesktopapp.exe" or actor_process_image_name contains "3cx desktop app" | filter action_remote_ip != null | filter incidr(action_remote_ip,"127.0.0.0/8") = false | filter incidr(action_remote_ip,"10.0.0.0/8") = false | filter incidr(action_remote_ip,"192.168.0.0/16") = false | filter incidr(action_remote_ip,"172.16.0.0/12") = false | filter incidr(action_remote_ip,"169.254.0.0/16") = false | filter incidr(action_remote_ip,"224.0.0.0/4") = false | filter incidr(action_remote_ip,"255.255.255.255/32") = false | iploc action_remote_ip loc_asn, loc_asn_org, loc_country, loc_city, loc_region | fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, loc_asn, loc_asn_org, loc_country, loc_city, loc_region, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO | sort desc _time </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Query 2: Hunt Suspicious Domains According to Threat Intel Reports</P> <P>&nbsp;</P> <LI-CODE lang="markup">config case_sensitive = false | preset = network_story | filter dst_action_external_hostname in ("akamaicontainer.com","akamaitechcloudservices.com","azuredeploystore.com","azureonlinecloud.com","azureonlinestorage.com","dunamistrd.com","glcloudservice.com","journalide.org","msedgepackageinfo.com","msstorageazure.com","msstorageboxes.com","officeaddons.com","officestoragebox.com","pbxcloudeservices.com","pbxphonenetwork.com","pbxsources.com","qwepoi123098.com","sbmsa.wiki","sourceslabs.com","visualstudiofactory.com","zacharryblogs.com") | fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname as Domain_Name, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO | sort desc _time </LI-CODE> <P>&nbsp;</P> <P>&nbsp;&nbsp;</P> <P>Query 3: Find if 3CX Desktop Process Ran in the Environment where Host Inventory is Not available:</P> <P>&nbsp;</P> <LI-CODE lang="markup">config case_sensitive = false | preset = xdr_process | filter action_process_image_name in ("3cxdesktopapp.exe", "*3cx desktop app*") //Probably last one is for MacOS "not sure about that as we do not use it so please correct if it is incorrect" | fields agent_hostname as Host, agent_ip_addresses as IP_Addr, action_process_image_name as Process, action_process_image_command_line as Command, action_process_image_sha256 as SHA_256, action_process_os_pid as PID, action_process_signature_status as SignerStatus, action_process_signature_vendor as Vendor, actor_process_image_name as Parent_Process, actor_process_os_pid as Parent_PID, actor_process_command_line as Parent_Command, actor_process_image_path as Parent_Path, causality_actor_process_image_name as CGO | sort desc _time </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>There are other ways of hunting as well but using above you should be able to look out for something suspicious related to this supply chain attack.</P> <P>&nbsp;</P> <P>Simple Hunts such as Hash etc can also be conducted but since the scale of compromise is not known i personally have no idea if the hash check will do the complete job but that does not mean we should not do hunts based on hash values of the file.</P> <P>&nbsp;</P> <P>Regards</P> <P>Kanwar</P> <P>&nbsp;</P> Thu, 30 Mar 2023 02:34:00 GMT KanwarSingh01 2023-03-30T02:34:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-hunting-supply-chain-attack-for-3cx/m-p/537024#M3987 <P>This is more from how people are hunting with different EDR tools, so just throwing out something with XQL to the community which might be helpful for us all:</P> <P>&nbsp;</P> <P>Note: All of the below queries are created from an environment which does not uses 3CX so correct where possible guys.</P> <P>&nbsp;</P> <P>Query 1: Monitor general Public IP address communication form 3CX Desktop App to Internet: (Gotcha: Don't exclude your Proxy IP from Private IP filter list)</P> <P>&nbsp;</P> <LI-CODE lang="markup">config case_sensitive = false | preset = network_story | filter actor_process_image_name = "3cxdesktopapp.exe" or actor_process_image_name contains "3cx desktop app" | filter action_remote_ip != null | filter incidr(action_remote_ip,"127.0.0.0/8") = false | filter incidr(action_remote_ip,"10.0.0.0/8") = false | filter incidr(action_remote_ip,"192.168.0.0/16") = false | filter incidr(action_remote_ip,"172.16.0.0/12") = false | filter incidr(action_remote_ip,"169.254.0.0/16") = false | filter incidr(action_remote_ip,"224.0.0.0/4") = false | filter incidr(action_remote_ip,"255.255.255.255/32") = false | iploc action_remote_ip loc_asn, loc_asn_org, loc_country, loc_city, loc_region | fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, loc_asn, loc_asn_org, loc_country, loc_city, loc_region, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO | sort desc _time </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Query 2: Hunt Suspicious Domains According to Threat Intel Reports</P> <P>&nbsp;</P> <LI-CODE lang="markup">config case_sensitive = false | preset = network_story | filter dst_action_external_hostname in ("akamaicontainer.com","akamaitechcloudservices.com","azuredeploystore.com","azureonlinecloud.com","azureonlinestorage.com","dunamistrd.com","glcloudservice.com","journalide.org","msedgepackageinfo.com","msstorageazure.com","msstorageboxes.com","officeaddons.com","officestoragebox.com","pbxcloudeservices.com","pbxphonenetwork.com","pbxsources.com","qwepoi123098.com","sbmsa.wiki","sourceslabs.com","visualstudiofactory.com","zacharryblogs.com") | fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname as Domain_Name, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO | sort desc _time </LI-CODE> <P>&nbsp;</P> <P>&nbsp;&nbsp;</P> <P>Query 3: Find if 3CX Desktop Process Ran in the Environment where Host Inventory is Not available:</P> <P>&nbsp;</P> <LI-CODE lang="markup">config case_sensitive = false | preset = xdr_process | filter action_process_image_name in ("3cxdesktopapp.exe", "*3cx desktop app*") //Probably last one is for MacOS "not sure about that as we do not use it so please correct if it is incorrect" | fields agent_hostname as Host, agent_ip_addresses as IP_Addr, action_process_image_name as Process, action_process_image_command_line as Command, action_process_image_sha256 as SHA_256, action_process_os_pid as PID, action_process_signature_status as SignerStatus, action_process_signature_vendor as Vendor, actor_process_image_name as Parent_Process, actor_process_os_pid as Parent_PID, actor_process_command_line as Parent_Command, actor_process_image_path as Parent_Path, causality_actor_process_image_name as CGO | sort desc _time </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>There are other ways of hunting as well but using above you should be able to look out for something suspicious related to this supply chain attack.</P> <P>&nbsp;</P> <P>Simple Hunts such as Hash etc can also be conducted but since the scale of compromise is not known i personally have no idea if the hash check will do the complete job but that does not mean we should not do hunts based on hash values of the file.</P> <P>&nbsp;</P> <P>Regards</P> <P>Kanwar</P> <P>&nbsp;</P> Thu, 30 Mar 2023 02:34:00 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-hunting-supply-chain-attack-for-3cx/m-p/537024#M3987 KanwarSingh01 2023-03-30T02:34:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-hunting-supply-chain-attack-for-3cx/m-p/537100#M3993 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/163390">@KanwarSingh01</a>&nbsp;Thank you for sharing with the community!<BR /><BR />I'm sure many users will find this useful.&nbsp;</P> Thu, 30 Mar 2023 12:33:25 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-hunting-supply-chain-attack-for-3cx/m-p/537100#M3993 mavraham 2023-03-30T12:33:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-hunting-supply-chain-attack-for-3cx/m-p/537140#M3998 <P>Hi KanwarSing01,</P> <P>&nbsp;</P> <P>Thanks for putting this together!&nbsp; It's worth noting that Cortex XDR blocked this attack out-of-the-box with our&nbsp;<SPAN>In-process Shellcode Protection Module.&nbsp; Check out this write up by&nbsp;<A href="https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/" target="_self">Unit 42.</A></SPAN></P> Thu, 30 Mar 2023 20:13:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-hunting-supply-chain-attack-for-3cx/m-p/537140#M3998 afurze 2023-03-30T20:13:02Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-hunting-supply-chain-attack-for-3cx/m-p/537158#M3999 <P>Thanks for the article, after reading the in depth article by Unit 42 i am sure people can create quite a few hunts from it. I am also certain some of the XDR customers must have taken 3CX advice and made an exception for the prevention alert. But who knows.</P> <P>&nbsp;</P> <P>Thank you.</P> Fri, 31 Mar 2023 01:03:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-hunting-supply-chain-attack-for-3cx/m-p/537158#M3999 KanwarSingh01 2023-03-31T01:03:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-hunting-supply-chain-attack-for-3cx/m-p/537305#M4011 <P>Thanks for posting these queries.&nbsp; For more details, IOCs, and other product mitigations the Unit 42 Threat Brief is being updated as we find more information.&nbsp;&nbsp;<A href="https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/" target="_blank">https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/</A></P> Fri, 31 Mar 2023 23:44:03 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-hunting-supply-chain-attack-for-3cx/m-p/537305#M4011 dmilrad 2023-03-31T23:44:03Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-hunting-supply-chain-attack-for-3cx/m-p/537339#M4013 <P>Hey Kanwar!</P> <P>&nbsp;</P> <P>Thank you for this nice overview!&nbsp;</P> <P>&nbsp;</P> <P>To extend the scope for the query 2 my expierience in cortex xdr was:</P> <P>&nbsp;</P> <P>1. take the dns_query_name field too into your scope with or:&nbsp;</P> <P>dst_action_external_hostname in ("*mega.io*","*mega.nz*","*anonfiles.com*","*dropmefiles.com*","*file.io*","*quaz.im*","*temp.sh*","*termbin.com*","*transfer.sh*","*ufile.io*","*wasabisys.com*") <BR />or dns_query_name in ("*mega.io*","*mega.nz*","*anonfiles.com*","*dropmefiles.com*","*file.io*","*quaz.im*","*temp.sh*","*termbin.com*","*transfer.sh*","*ufile.io*","*wasabisys.com*")</P> <P>&nbsp;</P> <P>2. For subdomains take the star into your scope of the domain to sniff them all:</P> <P>*wasabisys.com*</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> <P>&nbsp;</P> Sat, 01 Apr 2023 23:22:37 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-hunting-supply-chain-attack-for-3cx/m-p/537339#M4013 RFeyertag 2023-04-01T23:22:37Z