Detect TrueConf Client Download of Code Without Integrity Check (CVE-2026-3502) in Microsoft Sentinel
Detects exploitation of CVE-2026-3502, a CWE-494 (Download of Code Without Integrity Check) vulnerability in TrueConf Client. An attacker with a network position to intercept or manipulate TrueConf Client update/download channels can deliver unsigned or tampered code to client systems, enabling arbitrary code execution. This CVE is listed on the CISA KEV catalog, indicating active exploitation in the wild.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
KQL Detection Query
let TrueConfProcs = DeviceProcessEvents
| where FileName has_any ("TrueConf", "trueconf")
| project DeviceId, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, Timestamp, AccountName;
let SuspDownloads = DeviceFileEvents
| where InitiatingProcessFileName has_any ("TrueConf", "trueconf")
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any ("Temp", "AppData", "Downloads", "update", "patch")
| where FileName endswith_any (".exe", ".dll", ".msi", ".bat", ".ps1", ".vbs", ".cmd")
| project DeviceId, DeviceName, InitiatingProcessFileName, FileName, FolderPath, SHA256, Timestamp;
let UnsignedExecs = DeviceImageLoadEvents
| where InitiatingProcessFileName has_any ("TrueConf", "trueconf")
| where not(isnotempty(SignatureState)) or SignatureState != "SignedValid"
| project DeviceId, DeviceName, InitiatingProcessFileName, FileName, FolderPath, SHA256, Timestamp;
SuspDownloads
| join kind=leftouter UnsignedExecs on DeviceId
| summarize DownloadCount=count(), Files=make_set(FileName), Hashes=make_set(SHA256) by DeviceId, DeviceName, InitiatingProcessFileName, bin(Timestamp, 1h)
| where DownloadCount > 0Hunts for TrueConf Client processes writing executable files to temp/update paths, and image loads from those processes where the loaded module is unsigned or signature is invalid — indicative of tampered update delivery.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate TrueConf updates that are slow to be signed or use internal signing not trusted by the OS
- Antivirus or endpoint agents renaming/quarantining TrueConf update files during scan
- Administrators manually deploying TrueConf packages to temp directories via scripted deployment tools
Other platforms for CVE-2026-3502
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate TrueConf Tampered Update File Drop
Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename matching *\AppData\*TrueConf*\update\*.exe and Image matching the PowerShell process.
- Test 2Simulate TrueConf Process Loading Unsigned DLL
Expected signal: Sysmon Event ID 7 (ImageLoad) with ImageLoaded matching the DLL path; Signed field may be true for the copied system DLL — use an unsigned compiled DLL in a real lab for more accurate telemetry.
- Test 3Simulate TrueConf Update Outbound Connection to Non-Official Domain
Expected signal: Sysmon Event ID 3 (NetworkConnect) with DestinationIp 192.0.2.1 and DestinationPort 80; process name will show powershell.exe rather than TrueConf in lab — in a real test, rename the script host or use a TrueConf process injection method.
- Test 4Enumerate TrueConf Version and Update Configuration from Registry
Expected signal: Sysmon Event ID 13 (RegistryValueSet) will NOT fire for reads; process-level telemetry via Event ID 1 shows powershell.exe querying TrueConf registry paths. EDR behavioral telemetry should capture registry read operations.
Unlock Pro Content
Get the full detection package for CVE-2026-3502 including response playbook, investigation guide, and atomic red team tests.