Sigma rule: detects a process issuing DNS queries for the command-and-control domains used by the Labyrinth Chollima beacons delivered through the trojanized 3CX desktop app (3CXDesktopApp) supply-chain compromise.
title: Malicious Labyrinth Chollima DNS Beacon Query - DNS Client
id: 35c355a3-8c9d-4772-bbbc-327434770e4a
status: test
description: Detects a process issuing DNS queries for the command-and-control domains used by the Labyrinth Chollima beacons delivered through the trojanized 3CX desktop app (3CXDesktopApp) supply-chain compromise
references:
    - https://www.crowdstrike.com/adversaries/labyrinth-chollima/
    - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
    - https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp
    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
    - https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898
    - https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/
    - https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack
    - https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/
author: Christian Taillon
date: 2023/04/05
tags:
    - attack.command_and_control
    - attack.t1071.004
    - attack.t1043   # deprecated ATT&CK technique ID (Commonly Used Port, folded into T1071); kept from the original rule
logsource:
    category: dns_query
    product: windows   # assumption: the gist read "category: dns_query dns"; "DNS Client" in the title points at Windows DNS-client telemetry such as Sysmon Event ID 22
detection:
    selection_01:
        QueryName|contains:
            - 'akamaicontainer.com'
            - 'akamaitechcloudservices.com'
            - 'azuredeploystore.com'
            - 'azureonlinecloud.com'
            - 'azureonlinestorage.com'
            - 'dunamistrd.com'
            - 'glcloudservice.com'
            - 'journalide.org'
            - 'msedgepackageinfo.com'
            - 'msstorageazure.com'
            - 'msstorageboxes.com'
            - 'officeaddons.com'
            - 'officestoragebox.com'
            - 'pbxcloudeservices.com'
            - 'pbxphonenetwork.com'
            - 'pbxsources.com'
            - 'qwepoi123098.com'
            - 'sbmsa.wiki'
            - 'sourceslabs.com'
            - 'visualstudiofactory.com'
            - 'zacharryblogs.com'
    condition: 1 of selection_0*
falsepositives:
    - Unlikely. These are attacker-controlled C2 domains from the 3CX supply-chain campaign, chosen to resemble Akamai, Azure, Microsoft, Office and PBX infrastructure; a legitimate host has no reason to resolve them. Note that 'contains' also matches any subdomain or label that embeds one of these strings.
level: critical
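The following is an added example, not part of the gist and not Sigma's own evaluation code: it applies the rule's selection_01 logic (Sigma `contains` is a case-insensitive substring test on the field value) to a handful of constructed JSON-lines events shaped like Sysmon Event ID 22 (DnsQuery) records. The event field names, process paths and PIDs are invented for illustration; only the domain list comes from the rule. It shows that a subdomain and a differently-cased query still fire, while look-alike legitimate names such as `www.akamai.com` do not.

```python
import json
from typing import Iterable, List, Optional

# Indicator list copied verbatim from the rule's QueryName|contains selection.
BEACON_DOMAINS = [
    "akamaicontainer.com", "akamaitechcloudservices.com", "azuredeploystore.com",
    "azureonlinecloud.com", "azureonlinestorage.com", "dunamistrd.com",
    "glcloudservice.com", "journalide.org", "msedgepackageinfo.com",
    "msstorageazure.com", "msstorageboxes.com", "officeaddons.com",
    "officestoragebox.com", "pbxcloudeservices.com", "pbxphonenetwork.com",
    "pbxsources.com", "qwepoi123098.com", "sbmsa.wiki", "sourceslabs.com",
    "visualstudiofactory.com", "zacharryblogs.com",
]

# Constructed sample telemetry (not real logs): one JSON object per line with
# the Sysmon Event ID 22 fields the rule cares about. Paths and PIDs are made up.
SAMPLE_EVENTS_JSONL = r"""
{"EventID": 22, "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\3CXDesktopApp\\app\\3CXDesktopApp.exe", "ProcessId": 4120, "QueryName": "akamaicontainer.com"}
{"EventID": 22, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ProcessId": 5580, "QueryName": "www.akamai.com"}
{"EventID": 22, "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\3CXDesktopApp\\app\\3CXDesktopApp.exe", "ProcessId": 4120, "QueryName": "cdn.MSSTORAGEBOXES.COM"}
{"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 1288, "QueryName": "pbxcloud.example.com"}
{"EventID": 22, "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\3CXDesktopApp\\app\\3CXDesktopApp.exe", "ProcessId": 4120, "QueryName": "zacharryblogs.com"}
"""


def load_samples() -> List[dict]:
    """Parse the constructed JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in SAMPLE_EVENTS_JSONL.splitlines() if line.strip()]


def query_matches(query_name: str, indicators: Iterable[str] = BEACON_DOMAINS) -> Optional[str]:
    """Sigma 'contains' semantics: case-insensitive substring match.

    Returns the indicator that matched, or None. Because it is a substring test,
    subdomains such as cdn.msstorageboxes.com also match, which the rule intends.
    """
    q = query_name.lower()
    for ioc in indicators:
        if ioc.lower() in q:
            return ioc
    return None


def evaluate(events: Iterable[dict]) -> List[dict]:
    """Apply selection_01 to each event; 'condition: 1 of selection_0*' with a
    single selection reduces to 'did selection_01 match'."""
    hits = []
    for ev in events:
        ioc = query_matches(ev.get("QueryName", ""))
        if ioc is not None:
            hits.append({
                "Image": ev.get("Image"),
                "ProcessId": ev.get("ProcessId"),
                "QueryName": ev.get("QueryName"),
                "matched": ioc,
            })
    return hits


if __name__ == "__main__":
    for hit in evaluate(load_samples()):
        print(f"[critical] {hit['Image']} (pid {hit['ProcessId']}) "
              f"queried {hit['QueryName']} -> matched {hit['matched']}")
```

Run as-is to see three alerts, all attributed to the 3CXDesktopApp.exe process in the constructed data; in a real deployment the Image field is what lets a responder distinguish the trojanized client from a browser or a security scanner that happens to resolve the same domains.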