03-29-2023 05:55 PM - edited 03-29-2023 07:34 PM
This is more from how people are hunting with different EDR tools, so just throwing out something with XQL to the community which might be helpful for us all:
Note: All of the below queries are created from an environment which does not uses 3CX so correct where possible guys.
Query 1: Monitor general Public IP address communication form 3CX Desktop App to Internet: (Gotcha: Don't exclude your Proxy IP from Private IP filter list)
config case_sensitive = false
| preset = network_story
| filter actor_process_image_name = "3cxdesktopapp.exe" or actor_process_image_name contains "3cx desktop app"
| filter action_remote_ip != null
| filter incidr(action_remote_ip,"127.0.0.0/8") = false
| filter incidr(action_remote_ip,"10.0.0.0/8") = false
| filter incidr(action_remote_ip,"192.168.0.0/16") = false
| filter incidr(action_remote_ip,"172.16.0.0/12") = false
| filter incidr(action_remote_ip,"169.254.0.0/16") = false
| filter incidr(action_remote_ip,"224.0.0.0/4") = false
| filter incidr(action_remote_ip,"255.255.255.255/32") = false
| iploc action_remote_ip loc_asn, loc_asn_org, loc_country, loc_city, loc_region
| fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, loc_asn, loc_asn_org, loc_country, loc_city, loc_region, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO
| sort desc _time
Query 2: Hunt Suspicious Domains According to Threat Intel Reports
config case_sensitive = false
| preset = network_story
| filter dst_action_external_hostname in ("akamaicontainer.com","akamaitechcloudservices.com","azuredeploystore.com","azureonlinecloud.com","azureonlinestorage.com","dunamistrd.com","glcloudservice.com","journalide.org","msedgepackageinfo.com","msstorageazure.com","msstorageboxes.com","officeaddons.com","officestoragebox.com","pbxcloudeservices.com","pbxphonenetwork.com","pbxsources.com","qwepoi123098.com","sbmsa.wiki","sourceslabs.com","visualstudiofactory.com","zacharryblogs.com")
| fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname as Domain_Name, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO
| sort desc _time
Query 3: Find if 3CX Desktop Process Ran in the Environment where Host Inventory is Not available:
config case_sensitive = false
| preset = xdr_process
| filter action_process_image_name in ("3cxdesktopapp.exe", "*3cx desktop app*") //Probably last one is for MacOS "not sure about that as we do not use it so please correct if it is incorrect"
| fields agent_hostname as Host, agent_ip_addresses as IP_Addr, action_process_image_name as Process, action_process_image_command_line as Command, action_process_image_sha256 as SHA_256, action_process_os_pid as PID, action_process_signature_status as SignerStatus, action_process_signature_vendor as Vendor, actor_process_image_name as Parent_Process, actor_process_os_pid as Parent_PID, actor_process_command_line as Parent_Command, actor_process_image_path as Parent_Path, causality_actor_process_image_name as CGO
| sort desc _time
There are other ways of hunting as well but using above you should be able to look out for something suspicious related to this supply chain attack.
Simple Hunts such as Hash etc can also be conducted but since the scale of compromise is not known i personally have no idea if the hash check will do the complete job but that does not mean we should not do hunts based on hash values of the file.
Regards
Kanwar
