
Summary
This detection rule identifies malicious activity associated with the execution of 3CXDesktopApp.exe, a legitimate softphone application that was exploited during the SmoothOperator campaign linked to the Lazarus Group. The rule aims to surface instances where the application, which is signed and appears legitimate, is observed beaconing to attacker-controlled infrastructure, deploying secondary payloads, or being manipulated directly by threat actors. The detection logic uses Splunk queries that filter on specific event codes and process types related to the application and gather host, user, and process details, which supports analysis of suspicious behavior around the otherwise legitimate application. The rule also covers techniques related to system binary proxy execution, supply chain compromise, and unauthorized user execution, so it is relevant for monitoring endpoints against sophisticated supply chain attacks.
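The detection logic described above, as an added example that is not the rule's own Splunk query: a Python function that applies the same idea to Sysmon-style events (EventCode 1 process creation, EventCode 3 network connection), flagging 3CXDesktopApp.exe when it spawns a child process or opens a network connection. The event schema and every host, user and address below are constructed for illustration.

```python
"""Added example: flag suspicious 3CXDesktopApp.exe behaviour in Sysmon-style
process-creation (EventCode 1) and network-connection (EventCode 3) events.
All records, hosts and addresses are constructed, not real campaign data."""

TARGET = "3cxdesktopapp.exe"

# Constructed sample telemetry in Sysmon-like field names (assumed schema).
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "ws01", "User": "CORP\\alice",
     "Image": r"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventCode": 3, "Computer": "ws01", "User": "CORP\\alice",
     "Image": r"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe",
     "DestinationIp": "203.0.113.25", "DestinationPort": 443},
    {"EventCode": 1, "Computer": "ws01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe"},
    {"EventCode": 1, "Computer": "ws02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _basename(path):
    """Lower-cased file name of a Windows path (handles either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_3cx_activity(events):
    """Return one finding (host, user, process, reason) for each event where
    the softphone opened a network connection or spawned a child process."""
    findings = []
    for ev in events:
        code = ev.get("EventCode")
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        reason = None
        if code == 3 and image == TARGET:
            reason = (f"network connection to "
                      f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}")
        elif code == 1 and parent == TARGET:
            reason = f"spawned child process {image}"
        if reason:
            findings.append({"host": ev.get("Computer"), "user": ev.get("User"),
                             "process": ev.get("Image"), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in detect_3cx_activity(SAMPLE_EVENTS):
        print(finding)
```

A softphone legitimately makes outbound connections, so in production the network branch needs an allowlist of known vendor destinations to keep alert volume manageable; the child-process branch is the higher-signal condition.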
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
- Windows Registry
ATT&CK Techniques
- T1218
- T1195
- T1204.002
Created: 2024-02-09