Current Events
Copy link

This is a collection of rules for current events and rapid response to developing situations.

Network Flow - CURRENT_EVENTS Related IP Observed

Description
Copy link

This detection identifies a network connection that has been associated with malicious activity, but has not been tied to any specific malicious actor. Malicious actors will often compromise legitimate servers to use for malicious purposes.

Recommendation
Copy link

This alert may have been caused by normal network activity performed by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Exploit Public-Facing Application - T1190

Suspicious Connection - CURRENT_EVENTS Related IP Observed

Description
Copy link

This detection identifies a network connection that has been associated with malicious activity, but has not been tied to any specific malicious actor. Malicious actors will often compromise legitimate servers to use for malicious purposes.

Recommendation
Copy link

Block the IP Address in question. Review the alert in question. Investigate the host that initiated the connection for additional malicious activity. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Exploit Public-Facing Application - T1190

Suspicious DNS Request - 3CX Desktop Supply Chain Compromise

Description
Copy link

This detection identifies domains associated to threat actors that have compromised 3CX Desktop and released trojaned versions of the installer.

Recommendation
Copy link

Block the domains in question. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Supply Chain Compromise - T1195
  • Compromise Software Supply Chain - T1195.002

Suspicious Process - 3CX Desktop Supply Chain Compromise

Description
Copy link

This detection identifies binaries reported to be compromised 3CX Desktop that were trojaned by a malicious actor.

Recommendation
Copy link

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Supply Chain Compromise - T1195
  • Compromise Software Supply Chain - T1195.002

Suspicious Web Request - 3CX Desktop Supply Chain Compromise

Description
Copy link

This detection identifies domains associated to threat actors that have compromised 3CX Desktop and released trojaned versions of the installer.

Recommendation
Copy link

Block the domains in question. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Supply Chain Compromise - T1195
  • Compromise Software Supply Chain - T1195.002