Detect TrueConf Client Download of Code Without Integrity Check (CVE-2026-3502) in Google Chronicle

Detects exploitation of CVE-2026-3502, a CWE-494 (Download of Code Without Integrity Check) vulnerability in TrueConf Client. An attacker with a network position to intercept or manipulate TrueConf Client update/download channels can deliver unsigned or tampered code to client systems, enabling arbitrary code execution. This CVE is listed on the CISA KEV catalog, indicating active exploitation in the wild.

MITRE ATT&CK

Tactics: Initial Access, Execution, Persistence

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule trueconf_unsigned_update_cve_2026_3502 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects TrueConf Client dropping or loading unsigned executables from temp/update paths (CVE-2026-3502)"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2026-3502"

  events:
    ($e1.metadata.event_type = "FILE_CREATION"
     and re.regex($e1.principal.process.file.full_path, `(?i)trueconf`)
     and (
       re.regex($e1.target.file.full_path, `(?i)(\\temp\\|\\appdata\\|update|patch)`)
     )
     and re.regex($e1.target.file.full_path, `(?i)\.(exe|dll|msi|bat|ps1|cmd)$`)
    )
    or
    ($e1.metadata.event_type = "PROCESS_MODULE_LOAD"
     and re.regex($e1.principal.process.file.full_path, `(?i)trueconf`)
     and $e1.target.file.pe_file.cert_chain_status != "CERT_STATUS_VALID"
    )

  condition:
    $e1
}
```

Severity: High · Confidence: Medium

Chronicle YARA-L rule detecting TrueConf processes involved in executable file creation in temp/update directories or loading modules with invalid certificate chains, consistent with tampered update delivery in CVE-2026-3502.

Data Sources

Chronicle SIEM (Google Security Operations)

Required Tables

UDM Events (FILE_CREATION, PROCESS_MODULE_LOAD)

False Positives & Tuning

  • Enterprise TrueConf deployments using internal PKI certificates not trusted globally
  • Self-extracting TrueConf installer archives unpacking to temp before signature validation
  • Security team manually staging TrueConf updates for testing in monitored directories
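To see how the two branches of the rule above behave on concrete UDM events, and how a staging-directory allowlist covering the third tuning case would suppress a benign hit, here is an added Python re-implementation of the rule logic (not part of the df00tech rule or of Chronicle). The UDM field paths and regexes are taken from the rule; the sample events, file paths and the `staging_allowlist` parameter are constructed assumptions.

```python
import re
from typing import Any, Dict, Iterable, Optional

# Same patterns as the YARA-L rule (RE2 syntax that Python's re accepts unchanged).
TRUECONF_PROC = re.compile(r"(?i)trueconf")
STAGING_PATH = re.compile(r"(?i)(\\temp\\|\\appdata\\|update|patch)")
EXEC_EXT = re.compile(r"(?i)\.(exe|dll|msi|bat|ps1|cmd)$")

def udm_get(event: Dict[str, Any], path: str) -> str:
    """Walk a dotted UDM path; a missing field reads as "" like an unset UDM string."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return ""
        cur = cur[key]
    return cur if isinstance(cur, str) else ""

def matches_rule(event: Dict[str, Any], staging_allowlist: Iterable[str] = ()) -> Optional[str]:
    """Return the branch that fires ("file_drop" / "unsigned_load") or None.
    staging_allowlist is an assumed tuning hook (not in the rule): path prefixes
    where the security team stages TrueConf updates, per the tuning notes."""
    if not TRUECONF_PROC.search(udm_get(event, "principal.process.file.full_path")):
        return None  # both branches require a TrueConf parent process
    etype = udm_get(event, "metadata.event_type")
    target = udm_get(event, "target.file.full_path")
    if any(target.lower().startswith(p.lower()) for p in staging_allowlist):
        return None
    if etype == "FILE_CREATION" and STAGING_PATH.search(target) and EXEC_EXT.search(target):
        return "file_drop"
    if etype == "PROCESS_MODULE_LOAD":
        # An absent status reads as "" (!= VALID), so this also fires when the
        # parser left the signature field empty; that is itself a tuning point.
        if udm_get(event, "target.file.pe_file.cert_chain_status") != "CERT_STATUS_VALID":
            return "unsigned_load"
    return None

def udm_event(event_type: str, proc: str, target: str, cert_status: Optional[str] = None) -> Dict[str, Any]:
    """Build a minimal UDM event dict (constructed sample data, not real telemetry)."""
    file_obj: Dict[str, Any] = {"full_path": target}
    if cert_status is not None:
        file_obj["pe_file"] = {"cert_chain_status": cert_status}
    return {"metadata": {"event_type": event_type},
            "principal": {"process": {"file": {"full_path": proc}}},
            "target": {"file": file_obj}}

TC = r"C:\Program Files\TrueConf\TrueConf.exe"  # constructed client path
SAMPLE_EVENTS = [
    udm_event("FILE_CREATION", TC, r"C:\Users\a\AppData\Local\TrueConf\update\setup.exe"),
    udm_event("PROCESS_MODULE_LOAD", TC, r"C:\Users\a\AppData\Local\Temp\helper.dll", "CERT_STATUS_UNTRUSTED_ROOT"),
    udm_event("FILE_CREATION", TC, r"C:\Users\a\AppData\Local\TrueConf\logs\client.log"),
    udm_event("FILE_CREATION", TC, r"C:\Staging\TrueConf\update\setup.exe"),
]
```

The second sample models the internal-PKI false positive from the tuning list: a non-globally-trusted chain still trips the `unsigned_load` branch, so that case needs an issuer-based exclusion rather than a path allowlist.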

Testing Methodology

Validate this detection against four adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate TrueConf Tampered Update File Drop

    Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename matching *\AppData\*TrueConf*\update\*.exe and Image matching the PowerShell process.

  2. Test 2: Simulate TrueConf Process Loading Unsigned DLL

    Expected signal: Sysmon Event ID 7 (ImageLoad) with ImageLoaded matching the DLL path. The Signed field may be true for the copied system DLL; use an unsigned compiled DLL in a real lab for more accurate telemetry.

  3. Test 3: Simulate TrueConf Update Outbound Connection to Non-Official Domain

    Expected signal: Sysmon Event ID 3 (NetworkConnect) with DestinationIp 192.0.2.1 and DestinationPort 80. In the lab the process name will show powershell.exe rather than TrueConf; in a real test, rename the script host or use a TrueConf process injection method.

  4. Test 4: Enumerate TrueConf Version and Update Configuration from Registry

    Expected signal: Sysmon Event ID 13 (RegistryValueSet) will NOT fire for reads; process-level telemetry via Event ID 1 shows powershell.exe querying TrueConf registry paths. EDR behavioural telemetry should capture the registry read operations.
