TrueConf Client Download of Code Without Integrity Check (CVE-2026-3502)

let TrueConfProcs = DeviceProcessEvents
| where FileName has_any ("TrueConf", "trueconf")
| project DeviceId, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, Timestamp, AccountName;
let SuspDownloads = DeviceFileEvents
| where InitiatingProcessFileName has_any ("TrueConf", "trueconf")
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any ("Temp", "AppData", "Downloads", "update", "patch")
| where FileName endswith_any (".exe", ".dll", ".msi", ".bat", ".ps1", ".vbs", ".cmd")
| project DeviceId, DeviceName, InitiatingProcessFileName, FileName, FolderPath, SHA256, Timestamp;
let UnsignedExecs = DeviceImageLoadEvents
| where InitiatingProcessFileName has_any ("TrueConf", "trueconf")
| where not(isnotempty(SignatureState)) or SignatureState != "SignedValid"
| project DeviceId, DeviceName, InitiatingProcessFileName, FileName, FolderPath, SHA256, Timestamp;
SuspDownloads
| join kind=leftouter UnsignedExecs on DeviceId
| summarize DownloadCount=count(), Files=make_set(FileName), Hashes=make_set(SHA256) by DeviceId, DeviceName, InitiatingProcessFileName, bin(Timestamp, 1h)
| where DownloadCount > 0

index=endpoint sourcetype=sysmon OR sourcetype=crowdstrike:events:sensor
(Image="*TrueConf*" OR ParentImage="*TrueConf*" OR process_name="*trueconf*")
(
  (EventCode=11 TargetFilename IN ("*\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*", "*update*", "*patch*")
   TargetFilename IN ("*.exe", "*.dll", "*.msi", "*.bat", "*.ps1", "*.vbs", "*.cmd"))
  OR (EventCode=7 Signed=false)
  OR (EventCode=7 SignatureStatus!="Valid")
)
| eval risk_indicator=case(
    EventCode=7 AND (Signed="false" OR SignatureStatus!="Valid"), "unsigned_module_load",
    EventCode=11 AND match(TargetFilename, "(?i)(\.exe|\.dll|\.msi|\.bat|\.ps1)"), "executable_drop_temp",
    true(), "suspicious_trueconf_activity"
  )
| stats count as event_count, values(TargetFilename) as files, values(Hashes) as hashes, values(risk_indicator) as indicators by host, Image, ParentImage, _time
| where event_count > 0
| sort -_time

sequence by host.id with maxspan=10m
  [file where process.name like~ "*trueconf*"
   and event.action in ("creation", "overwrite")
   and file.path like~ ("*\\Temp\\*", "*\\AppData\\*", "*update*", "*patch*")
   and file.extension in ("exe", "dll", "msi", "bat", "ps1", "vbs", "cmd")]
  [library where process.name like~ "*trueconf*"
   and (dll.code_signature.trusted == false or dll.code_signature.exists == false)]

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  "username",
  QIDNAME(qid) AS event_name,
  "Process Name",
  "File Path",
  "File Hash"
FROM events
WHERE
  LOWER("Process Name") LIKE '%trueconf%'
  AND (
    (LOWER("File Path") LIKE '%\\temp\\%' OR LOWER("File Path") LIKE '%\\appdata\\%' OR LOWER("File Path") LIKE '%update%')
    AND (
      LOWER("File Path") LIKE '%.exe' OR LOWER("File Path") LIKE '%.dll'
      OR LOWER("File Path") LIKE '%.msi' OR LOWER("File Path") LIKE '%.ps1'
    )
  )
  AND LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
LAST 24 HOURS
ORDER BY starttime DESC

_sourceCategory=endpoint/sysmon OR _sourceCategory=endpoint/windows
| where %"process.name" matches "*TrueConf*" or %"Image" matches "*TrueConf*"
| where (%"EventID" = "11" and (
    %"TargetFilename" matches "*\\Temp\\*" or
    %"TargetFilename" matches "*\\AppData\\*" or
    %"TargetFilename" matches "*update*"
  ) and (
    %"TargetFilename" matches "*.exe" or
    %"TargetFilename" matches "*.dll" or
    %"TargetFilename" matches "*.msi" or
    %"TargetFilename" matches "*.ps1"
  ))
  OR (%"EventID" = "7" and %"Signed" = "false")
| count as event_count by _sourceHost, %"Image", %"TargetFilename", %"Hashes"
| sort by event_count desc

rule trueconf_unsigned_update_cve_2026_3502 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects TrueConf Client dropping or loading unsigned executables from temp/update paths (CVE-2026-3502)"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2026-3502"

  events:
    ($e1.metadata.event_type = "FILE_CREATION"
     and re.regex($e1.principal.process.file.full_path, `(?i)trueconf`)
     and (
       re.regex($e1.target.file.full_path, `(?i)(\\temp\\|\\appdata\\|update|patch)`)
     )
     and re.regex($e1.target.file.full_path, `(?i)\.(exe|dll|msi|bat|ps1|cmd)$`)
    )
    or
    ($e1.metadata.event_type = "PROCESS_MODULE_LOAD"
     and re.regex($e1.principal.process.file.full_path, `(?i)trueconf`)
     and $e1.target.file.pe_file.cert_chain_status != "CERT_STATUS_VALID"
    )

  condition:
    $e1
}

event_simpleName IN ("ProcessRollup2", "ClassifiedModuleLoad", "PartiallyClassifiedModuleLoad", "NewExecutableWritten")
| ImageFileName LIKE "%TrueConf%" OR ParentBaseFileName LIKE "%TrueConf%" OR TargetFileName LIKE "%TrueConf%"
| case(
    event_simpleName IN ("ClassifiedModuleLoad", "PartiallyClassifiedModuleLoad")
      AND (SignInfoFlags != "0" OR MicrosoftSecuritySigning = "0"),
    "unsigned_module_load",
    event_simpleName = "NewExecutableWritten"
      AND (TargetFileName LIKE "%Temp%" OR TargetFileName LIKE "%AppData%" OR TargetFileName LIKE "%update%"),
    "executable_drop_update_path"
  ) AS risk_type
| risk_type != ""
| groupBy([ComputerName, UserName, ImageFileName, TargetFileName, SHA256HashData, risk_type], function=count(1, as=EventCount))
| sort(EventCount, order=desc)