XQL Query: Hunting Supply Chain Attack for 3CX

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

XQL Query: Hunting Supply Chain Attack for 3CX

L3 Networker

This is more from how people are hunting with different EDR tools, so just throwing out something with XQL to the community which might be helpful for us all:

 

Note: All of the below queries are created from an environment which does not uses 3CX so correct where possible guys.

 

Query 1: Monitor general Public IP address communication form 3CX Desktop App to Internet: (Gotcha: Don't exclude your Proxy IP from Private IP filter list)

 

config case_sensitive = false 
| preset = network_story 
| filter actor_process_image_name = "3cxdesktopapp.exe" or actor_process_image_name contains "3cx desktop app"
| filter action_remote_ip != null
| filter incidr(action_remote_ip,"127.0.0.0/8") = false
| filter incidr(action_remote_ip,"10.0.0.0/8") = false 
| filter incidr(action_remote_ip,"192.168.0.0/16") = false 
| filter incidr(action_remote_ip,"172.16.0.0/12") = false
| filter incidr(action_remote_ip,"169.254.0.0/16") = false
| filter incidr(action_remote_ip,"224.0.0.0/4") = false 
| filter incidr(action_remote_ip,"255.255.255.255/32") = false
| iploc action_remote_ip loc_asn, loc_asn_org, loc_country, loc_city, loc_region 
| fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, loc_asn, loc_asn_org, loc_country, loc_city, loc_region, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO
| sort desc _time 

 

 

Query 2: Hunt Suspicious Domains According to Threat Intel Reports

 

config case_sensitive = false 
| preset = network_story 
| filter dst_action_external_hostname in ("akamaicontainer.com","akamaitechcloudservices.com","azuredeploystore.com","azureonlinecloud.com","azureonlinestorage.com","dunamistrd.com","glcloudservice.com","journalide.org","msedgepackageinfo.com","msstorageazure.com","msstorageboxes.com","officeaddons.com","officestoragebox.com","pbxcloudeservices.com","pbxphonenetwork.com","pbxsources.com","qwepoi123098.com","sbmsa.wiki","sourceslabs.com","visualstudiofactory.com","zacharryblogs.com")
| fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname as Domain_Name, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO
| sort desc _time 

 

  

Query 3: Find if 3CX Desktop Process Ran in the Environment where Host Inventory is Not available:

 

config case_sensitive = false 
| preset = xdr_process 
| filter action_process_image_name in ("3cxdesktopapp.exe", "*3cx desktop app*") //Probably last one is for MacOS "not sure about that as we do not use it so please correct if it is incorrect"
| fields agent_hostname as Host, agent_ip_addresses as IP_Addr, action_process_image_name as Process, action_process_image_command_line as Command, action_process_image_sha256 as SHA_256, action_process_os_pid as PID, action_process_signature_status as SignerStatus, action_process_signature_vendor as Vendor, actor_process_image_name as Parent_Process, actor_process_os_pid as Parent_PID, actor_process_command_line as Parent_Command, actor_process_image_path as Parent_Path, causality_actor_process_image_name as CGO
| sort desc _time 

 

 

There are other ways of hunting as well but using above you should be able to look out for something suspicious related to this supply chain attack.

 

Simple Hunts such as Hash etc can also be conducted but since the scale of compromise is not known i personally have no idea if the hash check will do the complete job but that does not mean we should not do hunts based on hash values of the file.

 

Regards

Kanwar

 

Kind Regards
KS
1 accepted solution

Accepted Solutions

L3 Networker

Thanks for posting these queries.  For more details, IOCs, and other product mitigations the Unit 42 Threat Brief is being updated as we find more information.  https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/

View solution in original post

5 REPLIES 5

L4 Transporter

@KanwarSingh01 Thank you for sharing with the community!

I'm sure many users will find this useful. 

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

L4 Transporter

Hi KanwarSing01,

 

Thanks for putting this together!  It's worth noting that Cortex XDR blocked this attack out-of-the-box with our In-process Shellcode Protection Module.  Check out this write up by Unit 42.

Thanks for the article, after reading the in depth article by Unit 42 i am sure people can create quite a few hunts from it. I am also certain some of the XDR customers must have taken 3CX advice and made an exception for the prevention alert. But who knows.

 

Thank you.

Kind Regards
KS

L3 Networker

Thanks for posting these queries.  For more details, IOCs, and other product mitigations the Unit 42 Threat Brief is being updated as we find more information.  https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/

L4 Transporter

Hey Kanwar!

 

Thank you for this nice overview! 

 

To extend the scope for the query 2 my expierience in cortex xdr was:

 

1. take the dns_query_name field too into your scope with or: 

dst_action_external_hostname in ("*mega.io*","*mega.nz*","*anonfiles.com*","*dropmefiles.com*","*file.io*","*quaz.im*","*temp.sh*","*termbin.com*","*transfer.sh*","*ufile.io*","*wasabisys.com*")
or dns_query_name in ("*mega.io*","*mega.nz*","*anonfiles.com*","*dropmefiles.com*","*file.io*","*quaz.im*","*temp.sh*","*termbin.com*","*transfer.sh*","*ufile.io*","*wasabisys.com*")

 

2. For subdomains take the star into your scope of the domain to sniff them all:

*wasabisys.com*

 

BR

 

Rob

 

  • 1 accepted solution
  • 4002 Views
  • 5 replies
  • 5 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!