Detect TrueConf Client Download of Code Without Integrity Check (CVE-2026-3502) in CrowdStrike LogScale
Detects exploitation of CVE-2026-3502, a CWE-494 (Download of Code Without Integrity Check) vulnerability in TrueConf Client. An attacker with a network position to intercept or manipulate TrueConf Client update/download channels can deliver unsigned or tampered code to client systems, enabling arbitrary code execution. This CVE is listed on the CISA KEV catalog, indicating active exploitation in the wild.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
LogScale Detection Query
event_simpleName IN ("ProcessRollup2", "ClassifiedModuleLoad", "PartiallyClassifiedModuleLoad", "NewExecutableWritten")
| ImageFileName LIKE "%TrueConf%" OR ParentBaseFileName LIKE "%TrueConf%" OR TargetFileName LIKE "%TrueConf%"
| case(
event_simpleName IN ("ClassifiedModuleLoad", "PartiallyClassifiedModuleLoad")
AND (SignInfoFlags != "0" OR MicrosoftSecuritySigning = "0"),
"unsigned_module_load",
event_simpleName = "NewExecutableWritten"
AND (TargetFileName LIKE "%Temp%" OR TargetFileName LIKE "%AppData%" OR TargetFileName LIKE "%update%"),
"executable_drop_update_path"
) AS risk_type
| risk_type != ""
| groupBy([ComputerName, UserName, ImageFileName, TargetFileName, SHA256HashData, risk_type], function=count(1, as=EventCount))
| sort(EventCount, order=desc)CrowdStrike Falcon Query Language detection for TrueConf Client writing new executables to temp/update locations or loading unsigned modules, representing exploitation attempts via CVE-2026-3502 tampered update delivery.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike sensor exclusions on TrueConf update directories masking partial events
- Legitimate patch Tuesday TrueConf updates deployed via enterprise software manager to temp paths
- Digital forensics tooling executing alongside TrueConf installer in controlled analysis environment
Other platforms for CVE-2026-3502
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate TrueConf Tampered Update File Drop
Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename matching *\AppData\*TrueConf*\update\*.exe and Image matching the PowerShell process.
- Test 2Simulate TrueConf Process Loading Unsigned DLL
Expected signal: Sysmon Event ID 7 (ImageLoad) with ImageLoaded matching the DLL path; Signed field may be true for the copied system DLL — use an unsigned compiled DLL in a real lab for more accurate telemetry.
- Test 3Simulate TrueConf Update Outbound Connection to Non-Official Domain
Expected signal: Sysmon Event ID 3 (NetworkConnect) with DestinationIp 192.0.2.1 and DestinationPort 80; process name will show powershell.exe rather than TrueConf in lab — in a real test, rename the script host or use a TrueConf process injection method.
- Test 4Enumerate TrueConf Version and Update Configuration from Registry
Expected signal: Sysmon Event ID 13 (RegistryValueSet) will NOT fire for reads; process-level telemetry via Event ID 1 shows powershell.exe querying TrueConf registry paths. EDR behavioral telemetry should capture registry read operations.
Unlock Pro Content
Get the full detection package for CVE-2026-3502 including response playbook, investigation guide, and atomic red team tests.