Potential Compromised 3CXDesktopApp Beaconing Activity - DNS

    Date: 08/16/2024

    Severity: High

    Summary

    Identifies possible beaconing to domains associated with the 3CXDesktopApp compromise by monitoring DNS query events (Sysmon Event ID 22 and EDR DNS telemetry) for lookups of the 3CX-related domains listed below, and alerts when a host resolves any of them.

    Indicators of Compromise (IOC) List

      QueryName

    'akamaicontainer.com'

    'akamaitechcloudservices.com'

    'azuredeploystore.com'

    'azureonlinecloud.com'

    'azureonlinestorage.com'

    'dunamistrd.com'

    'glcloudservice.com'

    'journalide.org'

    'msedgepackageinfo.com'

    'msedgeupdate.net'

    'msstorageazure.com'

    'msstorageboxes.com'

    'officeaddons.com'

    'officestoragebox.com'

    'pbxcloudeservices.com'

    'pbxphonenetwork.com'

    'pbxsources.com'

    'qwepoi123098.com'

    'sbmsa.wiki'

    'sourceslabs.com'

    'visualstudiofactory.com'

    'zacharryblogs.com'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourceName = "Sysmon" AND eventtype = "22") AND queryname In ("akamaicontainer.com", "akamaitechcloudservices.com", "azuredeploystore.com", "azureonlinecloud.com", "azureonlinestorage.com", "dunamistrd.com", "glcloudservice.com", "journalide.org", "msedgepackageinfo.com", "msedgeupdate.net", "msstorageazure.com", "msstorageboxes.com", "officeaddons.com", "officestoragebox.com", "pbxcloudeservices.com", "pbxphonenetwork.com", "pbxsources.com", "qwepoi123098.com", "sbmsa.wiki", "sourceslabs.com", "visualstudiofactory.com", "zacharryblogs.com")

    Detection Query 2

    (technologygroup = "EDR") AND queryname In ("akamaicontainer.com", "akamaitechcloudservices.com", "azuredeploystore.com", "azureonlinecloud.com", "azureonlinestorage.com", "dunamistrd.com", "glcloudservice.com", "journalide.org", "msedgepackageinfo.com", "msedgeupdate.net", "msstorageazure.com", "msstorageboxes.com", "officeaddons.com", "officestoragebox.com", "pbxcloudeservices.com", "pbxphonenetwork.com", "pbxsources.com", "qwepoi123098.com", "sbmsa.wiki", "sourceslabs.com", "visualstudiofactory.com", "zacharryblogs.com")
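    Both queries above use exact `In (...)` matching on the query name, which is precise but silently misses lookups of subdomains of the listed domains (and names logged with a trailing FQDN dot), while a naive suffix match in the other direction over-matches unrelated names that merely end in an IOC string. The following Python is an added example, not Gurucul's or the Sigma project's code: it applies the page's IOC list to constructed Sysmon Event ID 22 records with label-aware matching, so `a.b.ioc.com` is caught but `notioc.com` is not. The record layout, host names, image paths and the `cdn.` subdomain are constructed for the example.

```python
from typing import Dict, Iterable, List, Optional

# IOC list from the page (domains associated with the 3CXDesktopApp compromise).
IOC_DOMAINS = frozenset({
    "akamaicontainer.com", "akamaitechcloudservices.com", "azuredeploystore.com",
    "azureonlinecloud.com", "azureonlinestorage.com", "dunamistrd.com",
    "glcloudservice.com", "journalide.org", "msedgepackageinfo.com",
    "msedgeupdate.net", "msstorageazure.com", "msstorageboxes.com",
    "officeaddons.com", "officestoragebox.com", "pbxcloudeservices.com",
    "pbxphonenetwork.com", "pbxsources.com", "qwepoi123098.com", "sbmsa.wiki",
    "sourceslabs.com", "visualstudiofactory.com", "zacharryblogs.com",
})


def normalize_query_name(name: str) -> str:
    """Lower-case and drop a trailing FQDN dot so 'Foo.COM.' and 'foo.com' compare equal."""
    return name.strip().rstrip(".").lower()


def exact_match(query_name: str) -> bool:
    """Behaviour of the page's `queryname In (...)` queries: the whole name must be an IOC."""
    return normalize_query_name(query_name) in IOC_DOMAINS


def matching_ioc(query_name: str) -> Optional[str]:
    """Return the IOC that query_name is, or is a subdomain of; None otherwise.

    Matching is done on whole DNS labels, so 'cdn.officeaddons.com' matches
    'officeaddons.com' but 'notofficeaddons.com' does not (a plain suffix check would).
    """
    labels = normalize_query_name(query_name).split(".")
    # Walk from the full name toward the apex: a.b.ioc.com -> b.ioc.com -> ioc.com
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


# Constructed sample records shaped like Sysmon Event ID 22 (DnsQuery) after SIEM ingestion.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 22, "Computer": "WS01", "Image": r"C:\Program Files\3CXDesktopApp\3CXDesktopApp.exe",
     "QueryName": "msstorageazure.com"},
    {"EventID": 22, "Computer": "WS02", "Image": r"C:\Program Files\3CXDesktopApp\3CXDesktopApp.exe",
     "QueryName": "cdn.officestoragebox.com."},           # constructed subdomain, trailing dot
    {"EventID": 22, "Computer": "WS03", "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "login.microsoftonline.com"},           # benign
    {"EventID": 22, "Computer": "WS04", "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "QueryName": "notofficeaddons.com"},                 # must NOT match: substring trap
    {"EventID": 3, "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "msedgeupdate.net"},                    # not a DnsQuery event; ignored
]


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per Sysmon Event ID 22 record whose QueryName hits the IOC list."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 22:
            continue
        ioc = matching_ioc(ev.get("QueryName", ""))
        if ioc is not None:
            alerts.append({
                "Computer": ev.get("Computer"),
                "Image": ev.get("Image"),
                "QueryName": ev["QueryName"],
                "MatchedIOC": ioc,
                "ExactMatch": exact_match(ev["QueryName"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

    Run against the constructed records, the detector raises two alerts: the exact hit on `msstorageazure.com` and the subdomain hit on `cdn.officestoragebox.com.`, which the `In (...)` form of the queries would not have produced (its `ExactMatch` field is `False`). When triaging hits, the `Image` field is the first pivot: a lookup issued by the 3CXDesktopApp binary itself is the pattern the rule is written for, whereas a lookup from a browser or a DNS-resolving security tool warrants checking for sandbox or analyst activity before escalation.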

    References:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml

    https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/


    Tags

    SigmaMalware
