Archive 022 | EXH-022 | 2023 | Fictional reconstruction

Signed Update

March 2023. VoIP vendor 3CX ships a desktop app update that contains a decade-old chat library, and something newer that phones home from your sales floor.

Type: Modern / Cloud
Difficulty: Intermediate
Era: 2020s
Time: 9 min

Briefing

The filesystem is synthetic; the incident pattern matches the public Mandiant/CrowdStrike write-ups.

Your role

IR handler with an EDR export and a vendor notice; prove that signed != benign.

Objective

Walk the vendor advisory, find the suspicious DLL path in the bundle manifest, and pull IOC lines from a stub DNS log.

Terminal environment

user: handler
host: mclk
cwd: /ir/3cx-tabletop
steps: 3

Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.