Last active
April 5, 2023 23:37
Detects a program that invoked suspicious DNS queries known from Labyrinth Chollima's C3X beacons
```yaml
title: Malicious Labyrinth Chollima DNS Beacon Query - DNS Client
id: 35c355a3-8c9d-4772-bbbc-327434770e4a
status: test
description: Detects a program that invoked suspicious DNS queries known from Labyrinth Chollima's C3X beacons
references:
    - https://www.crowdstrike.com/adversaries/labyrinth-chollima/
    - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
    - https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp
    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
    - https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898
    - https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/
    - https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack
    - https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/
author: Christian Taillon
date: 2023/04/05
tags:
    - attack.command_and_control
    - attack.c2
    - attack.t1071.004
    - attack.t1043
logsource:
    category: dns_query dns
detection:
    selection_01:
        QueryName|contains:
            - 'akamaicontainer.com'
            - 'akamaitechcloudservices.com'
            - 'azuredeploystore.com'
            - 'azureonlinecloud.com'
            - 'azureonlinestorage.com'
            - 'dunamistrd.com'
            - 'glcloudservice.com'
            - 'journalide.org'
            - 'msedgepackageinfo.com'
            - 'msstorageazure.com'
            - 'msstorageboxes.com'
            - 'officeaddons.com'
            - 'officestoragebox.com'
            - 'pbxcloudeservices.com'
            - 'pbxphonenetwork.com'
            - 'pbxsources.com'
            - 'qwepoi123098.com'
            - 'sbmsa.wiki'
            - 'sourceslabs.com'
            - 'visualstudiofactory.com'
            - 'zacharryblogs.com'
    condition: 1 of selection_0*
falsepositives:
    - Unknown
level: critical
```
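The following is an added example, not part of the gist: a minimal evaluator that applies this rule's `QueryName|contains` selection to DNS query events, using Sigma's default case-insensitive substring semantics for `contains`. The events and Image paths are constructed samples in Sysmon Event ID 22 field naming, not real telemetry, and the indicator list is copied from the rule above.

```python
import json
from typing import Iterable, Iterator, Optional

# Indicator list copied verbatim from the rule's selection_01.
C3X_BEACON_DOMAINS = [
    "akamaicontainer.com", "akamaitechcloudservices.com", "azuredeploystore.com",
    "azureonlinecloud.com", "azureonlinestorage.com", "dunamistrd.com",
    "glcloudservice.com", "journalide.org", "msedgepackageinfo.com",
    "msstorageazure.com", "msstorageboxes.com", "officeaddons.com",
    "officestoragebox.com", "pbxcloudeservices.com", "pbxphonenetwork.com",
    "pbxsources.com", "qwepoi123098.com", "sbmsa.wiki", "sourceslabs.com",
    "visualstudiofactory.com", "zacharryblogs.com",
]


def matched_indicator(query_name: str) -> Optional[str]:
    """Sigma '|contains' semantics: case-insensitive substring match.
    Returns the first indicator contained in query_name, else None,
    so subdomains of a listed domain (cdn.msstorageazure.com) also hit."""
    q = query_name.lower()
    for ioc in C3X_BEACON_DOMAINS:
        if ioc in q:
            return ioc
    return None


def evaluate(events: Iterable[dict]) -> Iterator[dict]:
    """Yield one critical alert per event whose QueryName satisfies
    'condition: 1 of selection_0*' (here: the single selection_01)."""
    for ev in events:
        ioc = matched_indicator(ev.get("QueryName", ""))
        if ioc is not None:
            yield {"level": "critical", "indicator": ioc,
                   "Image": ev.get("Image"), "QueryName": ev["QueryName"]}


# Constructed sample events (Sysmon Event ID 22 fields); paths are placeholders.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Example\\app.exe", "QueryName": "update.example.com"},
    {"Image": "C:\\Users\\u\\AppData\\Local\\App\\app.exe", "QueryName": "cdn.MSStorageAzure.com"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "www.microsoft.com"},
    {"Image": "C:\\Users\\u\\AppData\\Local\\App\\app.exe", "QueryName": "sbmsa.wiki"},
]


def run_sample() -> list:
    return list(evaluate(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```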