Detect TrueConf Client Download of Code Without Integrity Check (CVE-2026-3502) in Splunk
Detects exploitation of CVE-2026-3502, a CWE-494 (Download of Code Without Integrity Check) vulnerability in TrueConf Client. An attacker with a network position to intercept or manipulate TrueConf Client update/download channels can deliver unsigned or tampered code to client systems, enabling arbitrary code execution. This CVE is listed on the CISA KEV catalog, indicating active exploitation in the wild.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
SPL Detection Query
index=endpoint sourcetype=sysmon OR sourcetype=crowdstrike:events:sensor
(Image="*TrueConf*" OR ParentImage="*TrueConf*" OR process_name="*trueconf*")
(
(EventCode=11 TargetFilename IN ("*\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*", "*update*", "*patch*")
TargetFilename IN ("*.exe", "*.dll", "*.msi", "*.bat", "*.ps1", "*.vbs", "*.cmd"))
OR (EventCode=7 Signed=false)
OR (EventCode=7 SignatureStatus!="Valid")
)
| eval risk_indicator=case(
EventCode=7 AND (Signed="false" OR SignatureStatus!="Valid"), "unsigned_module_load",
EventCode=11 AND match(TargetFilename, "(?i)(\.exe|\.dll|\.msi|\.bat|\.ps1)"), "executable_drop_temp",
true(), "suspicious_trueconf_activity"
)
| stats count as event_count, values(TargetFilename) as files, values(Hashes) as hashes, values(risk_indicator) as indicators by host, Image, ParentImage, _time
| where event_count > 0
| sort -_timeDetects TrueConf Client dropping executable files to temp/appdata paths or loading unsigned modules, consistent with a tampered update payload delivered via CVE-2026-3502.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate staged TrueConf updates during scheduled maintenance windows
- Security software scanning and temporarily staging TrueConf installer files
- IT asset management tools extracting TrueConf MSI packages into temp directories for deployment
Other platforms for CVE-2026-3502
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate TrueConf Tampered Update File Drop
Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename matching *\AppData\*TrueConf*\update\*.exe and Image matching the PowerShell process.
- Test 2Simulate TrueConf Process Loading Unsigned DLL
Expected signal: Sysmon Event ID 7 (ImageLoad) with ImageLoaded matching the DLL path; Signed field may be true for the copied system DLL — use an unsigned compiled DLL in a real lab for more accurate telemetry.
- Test 3Simulate TrueConf Update Outbound Connection to Non-Official Domain
Expected signal: Sysmon Event ID 3 (NetworkConnect) with DestinationIp 192.0.2.1 and DestinationPort 80; process name will show powershell.exe rather than TrueConf in lab — in a real test, rename the script host or use a TrueConf process injection method.
- Test 4Enumerate TrueConf Version and Update Configuration from Registry
Expected signal: Sysmon Event ID 13 (RegistryValueSet) will NOT fire for reads; process-level telemetry via Event ID 1 shows powershell.exe querying TrueConf registry paths. EDR behavioral telemetry should capture registry read operations.
Unlock Pro Content
Get the full detection package for CVE-2026-3502 including response playbook, investigation guide, and atomic red team tests.