Suspicious Zoom Child Process

edit

A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 1

Added (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positives

edit

New Zoom Executable

Rule query

edit
event.category:process and event.type:(start or process_started) and
process.parent.name:Zoom.exe and not process.name:(Zoom.exe or
WerFault.exe or airhost.exe or CptControl.exe or CptHost.exe or
cpthost.exe or CptInstall.exe or CptService.exe or Installer.exe or
zCrashReport.exe or Zoom_launcher.exe or zTscoder.exe or
plugin_Launcher.exe or mDNSResponder.exe or zDevHelper.exe or
APcptControl.exe or CrashSender*.exe or aomhost64.exe or Magnify.exe
or m_plugin_launcher.exe or com.zoom.us.zTranscode.exe or
RoomConnector.exe or tabtip.exe or Explorer.exe or chrome.exe or
firefox.exe or iexplore.exe or outlook.exe or lync.exe or
ApplicationFrameHost.exe or ZoomAirhostInstaller.exe or narrator.exe
or NVDA.exe or Magnify.exe or Outlook.exe or m_plugin_launcher.exe or
mphost.exe or APcptControl.exe or winword.exe or excel.exe or
powerpnt.exe or ONENOTE.EXE or wpp.exe or debug_message.exe or
zAssistant.exe or msiexec.exe or msedge.exe or dwm.exe or
vcredist_x86.exe or Controller.exe or Installer.exe or CptInstall.exe
or Zoom_launcher.exe or ShellExperienceHost.exe or wps.exe)

Threat mapping

edit

Framework: MITRE ATT&CKTM