Suspicious Zoom Child Process | Elastic Security Solution [7.10]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« Suspicious WerFault Child Process Svchost spawning Cmd »

Suspicious Zoom Child Processedit

A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.

Rule type: query

Rule indices:

winlogbeat-*
logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Defense Evasion

Version: 1

Added (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positivesedit

New Zoom Executable

Rule queryedit

event.category:process and event.type:(start or process_started) and
process.parent.name:Zoom.exe and not process.name:(Zoom.exe or
WerFault.exe or airhost.exe or CptControl.exe or CptHost.exe or
cpthost.exe or CptInstall.exe or CptService.exe or Installer.exe or
zCrashReport.exe or Zoom_launcher.exe or zTscoder.exe or
plugin_Launcher.exe or mDNSResponder.exe or zDevHelper.exe or
APcptControl.exe or CrashSender*.exe or aomhost64.exe or Magnify.exe
or m_plugin_launcher.exe or com.zoom.us.zTranscode.exe or
RoomConnector.exe or tabtip.exe or Explorer.exe or chrome.exe or
firefox.exe or iexplore.exe or outlook.exe or lync.exe or
ApplicationFrameHost.exe or ZoomAirhostInstaller.exe or narrator.exe
or NVDA.exe or Magnify.exe or Outlook.exe or m_plugin_launcher.exe or
mphost.exe or APcptControl.exe or winword.exe or excel.exe or
powerpnt.exe or ONENOTE.EXE or wpp.exe or debug_message.exe or
zAssistant.exe or msiexec.exe or msedge.exe or dwm.exe or
vcredist_x86.exe or Controller.exe or Installer.exe or CptInstall.exe
or Zoom_launcher.exe or ShellExperienceHost.exe or wps.exe)

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Masquerading
- ID: T1036
- Reference URL: https://attack.mitre.org/techniques/T1036/
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Process Injection
- ID: T1055
- Reference URL: https://attack.mitre.org/techniques/T1055/

« Suspicious WerFault Child Process Svchost spawning Cmd »