Playbook of the Week: Automated Rapid Response to 3CXDesktopApp Supply Chain Attack

3CXDesktopApp Supply Chain Attack Rapid Response

A supply chain attack involving a software-based phone application called 3CXDesktopApp hit at the end of March.

The 3CXDesktopApp attack, first reported by CrowdStrike on March 29, 2023, was investigated by Unit 42 the next day. Unit 42 found that the 3CXDesktopApp installer hosted on the developer’s website installed the application along with two malicious libraries. Those libraries ultimately run shellcode that loads a backdoor on the system, which allows the actors to install additional malware on the victim machine. Please refer to this Unit 42 Threat Brief for more details on the threat and the latest Palo Alto Networks protection summaries.

This Playbook of the Week blog will focus on automated response actions you can leverage using XSOAR. XSOAR can help you orchestrate response for incidents related to this attack across your EDR, XDR, SIEMs, and threat intelligence sources. The 3CXDesktopApp Supply Chain Attack playbook can be triggered manually or as a scheduled job.

What it Does

This playbook automates data enrichment by collecting and extracting indicators from sources such as Unit 42, Huntress, and CrowdStrike, tagging them, and linking them to incidents. It also downloads Sigma and YARA detection rules.

Playbook sample: extract, tag, and link indicators


Next, the playbook runs automated threat hunting queries that look for execution of the 3CX application, network connections to known C2 domains, and other activity attributed to the compromised 3CX app, across multiple sources including:

  • Cortex XDR
  • Splunk
  • QRadar
  • Elasticsearch
  • PAN-OS
  • Cortex Data Lake
  • Azure Log Analytics

Playbook sample: Generic and XDR threat hunting


Playbook sample: SIEM Threat Hunting


Lastly, you can configure the playbook to perform remediation tasks such as blocking indicators automatically, or have the analyst perform further analysis before closing the investigation.

Playbook sample: Remediation tasks
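
To make the hunting and remediation stages concrete, here is an added, stand-alone Python illustration of the same logic run over a handful of constructed, already-normalized XDR and SIEM events: it flags hosts that executed the 3CX app, hosts that looked up a C2 domain (or a subdomain of one), and derives a severity for the remediation stage. This is not the playbook's own code; the process image name is an assumption and the C2 domains are constructed placeholders rather than the indicators published by Unit 42, Huntress, or CrowdStrike.

```python
"""Hunt normalized endpoint and DNS events for 3CXDesktopApp activity.

Added illustration in plain Python, not XSOAR playbook code. The process name is
an assumption and the C2 domains are constructed placeholders, not real IoCs.
"""
from collections import defaultdict

# Constructed indicator set standing in for the enriched, tagged IoC list the
# playbook assembles from its threat-intel sources.
INDICATORS = {
    "process_names": {"3cxdesktopapp.exe"},              # assumed Windows image name
    "c2_domains": {"c2-one.invalid", "c2-two.invalid"},  # placeholders, not real C2
}

# Constructed sample events, already normalized the way a playbook would flatten
# XDR and SIEM results: one record per process start or DNS lookup.
EVENTS = [
    {"source": "xdr", "host": "ws-01", "type": "process",
     "image": r"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe"},
    {"source": "xdr", "host": "ws-01", "type": "dns", "query": "update.c2-one.invalid"},
    {"source": "splunk", "host": "ws-02", "type": "process",
     "image": r"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe"},
    {"source": "qradar", "host": "srv-03", "type": "dns", "query": "www.example.com"},
    {"source": "panos", "host": "ws-04", "type": "dns", "query": "c2-two.invalid"},
]


def matches_domain(query, c2_domains):
    """True when the queried name equals a C2 domain or is a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in c2_domains)


def hunt(events, indicators=INDICATORS):
    """Return {host: {"execution": bool, "c2": [queried names]}} for hosts with hits."""
    hits = defaultdict(lambda: {"execution": False, "c2": []})
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image in indicators["process_names"]:
                hits[ev["host"]]["execution"] = True
        elif ev["type"] == "dns" and matches_domain(ev["query"], indicators["c2_domains"]):
            hits[ev["host"]]["c2"].append(ev["query"])
    return dict(hits)


def triage(hits):
    """Severity for the remediation stage: execution alone is only a lead
    (unaffected 3CX versions exist); C2 contact is the actionable signal."""
    return {host: ("high" if h["c2"] else "review") for host, h in hits.items()}
```

In a real playbook the `EVENTS` list would be the aggregated query results from the sources above and `INDICATORS` the tagged IoCs from the enrichment stage; hosts triaged as "review" are the ones an analyst should examine before automatic blocking.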


Learn More

Note: These are only some highlights of the tasks available in this playbook. It also calls other sub-playbooks not covered in this blog, so for the full scope of the automation workflow, please refer to our Cortex Marketplace content pack documentation. You might also be interested in our series of Rapid Breach Response playbooks.

Don’t have Cortex XSOAR? Download our free Community Edition today to test out this playbook and hundreds more automations for common use cases you deal with daily in your security operations or SOC.