CVE-2026-3502 Elastic Security · Elastic

Detect TrueConf Client Download of Code Without Integrity Check (CVE-2026-3502) in Elastic Security

Detects exploitation of CVE-2026-3502, a CWE-494 (Download of Code Without Integrity Check) vulnerability in TrueConf Client. An attacker with a network position to intercept or manipulate TrueConf Client update/download channels can deliver unsigned or tampered code to client systems, enabling arbitrary code execution. This CVE is listed on the CISA KEV catalog, indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id with maxspan=10m
  [file where process.name like~ "*trueconf*"
   and event.action in ("creation", "overwrite")
   and file.path like~ ("*\\Temp\\*", "*\\AppData\\*", "*update*", "*patch*")
   and file.extension in ("exe", "dll", "msi", "bat", "ps1", "vbs", "cmd")]
  [library where process.name like~ "*trueconf*"
   and (dll.code_signature.trusted == false or dll.code_signature.exists == false)]
high severity medium confidence

EQL sequence: TrueConf process drops an executable to temp/update path followed within 10 minutes by that same TrueConf process loading an unsigned or untrusted library — indicative of a tampered update being staged and executed.

Data Sources

Elastic EndpointElastic Agent (Windows)

Required Tables

logs-endpoint.events.file-*logs-endpoint.events.library-*

False Positives & Tuning

  • TrueConf self-update mechanism writing installer components before signature verification completes
  • Third-party DLL injection security tools operating on TrueConf process space
  • Endpoint detection products intercepting TrueConf update flows and causing out-of-order events

Other platforms for CVE-2026-3502

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate TrueConf Tampered Update File Drop

    Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename matching *\AppData\*TrueConf*\update\*.exe and Image matching the PowerShell process.

  2. Test 2Simulate TrueConf Process Loading Unsigned DLL

    Expected signal: Sysmon Event ID 7 (ImageLoad) with ImageLoaded matching the DLL path; Signed field may be true for the copied system DLL — use an unsigned compiled DLL in a real lab for more accurate telemetry.

  3. Test 3Simulate TrueConf Update Outbound Connection to Non-Official Domain

    Expected signal: Sysmon Event ID 3 (NetworkConnect) with DestinationIp 192.0.2.1 and DestinationPort 80; process name will show powershell.exe rather than TrueConf in lab — in a real test, rename the script host or use a TrueConf process injection method.

  4. Test 4Enumerate TrueConf Version and Update Configuration from Registry

    Expected signal: Sysmon Event ID 13 (RegistryValueSet) will NOT fire for reads; process-level telemetry via Event ID 1 shows powershell.exe querying TrueConf registry paths. EDR behavioral telemetry should capture registry read operations.

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2026-3502 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1195.002Compromise Software Supply ChainT1553.002Code SigningT1059Command and Scripting Interpreter

Same Tactic: Initial Access

Popular Detections