Current Events
This is a collection of rules for current events and rapid response to developing situations.
Network Flow - CURRENT_EVENTS Related IP Observed
Description
This detection identifies a network connection to an IP address that has been associated with malicious activity but has not been attributed to any specific malicious actor. Malicious actors will often compromise legitimate servers and use them for malicious purposes.
Recommendation
This alert may have been caused by normal network activity performed by the end user. Review the alert in question. If necessary, rebuild the host from a known-good source and have the user change their password.
MITRE ATT&CK Techniques
- Exploit Public-Facing Application - T1190
Suspicious Connection - CURRENT_EVENTS Related IP Observed
Description
This detection identifies a network connection to an IP address that has been associated with malicious activity but has not been attributed to any specific malicious actor. Malicious actors will often compromise legitimate servers and use them for malicious purposes.
Recommendation
Block the IP address in question. Review the alert in question. Investigate the host that initiated the connection for additional malicious activity. If necessary, rebuild the host from a known-good source and have the user change their password.
MITRE ATT&CK Techniques
- Exploit Public-Facing Application - T1190
Suspicious DNS Request - 3CX Desktop Supply Chain Compromise
Description
This detection identifies DNS requests for domains associated with the threat actors that compromised 3CX Desktop and released trojaned versions of the installer.
Recommendation
Block the domains in question. Review the alert in question. If necessary, rebuild the host from a known-good source and have the user change their password.
MITRE ATT&CK Techniques
- Supply Chain Compromise - T1195
- Compromise Software Supply Chain - T1195.002
Suspicious Process - 3CX Desktop Supply Chain Compromise
Description
This detection identifies execution of 3CX Desktop binaries reported to have been trojaned by a malicious actor.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known-good source and have the user change their password.
MITRE ATT&CK Techniques
- Supply Chain Compromise - T1195
- Compromise Software Supply Chain - T1195.002
Suspicious Web Request - 3CX Desktop Supply Chain Compromise
Description
This detection identifies web requests to domains associated with the threat actors that compromised 3CX Desktop and released trojaned versions of the installer.
Recommendation
Block the domains in question. Review the alert in question. If necessary, rebuild the host from a known-good source and have the user change their password.
MITRE ATT&CK Techniques
- Supply Chain Compromise - T1195
- Compromise Software Supply Chain - T1195.002