Suspicious Zoom Child Process Activity
The spawning of command interpreters (cmd.exe, powershell.exe, pwsh.exe) as child processes of Zoom.exe is indicative of potential exploitation or malicious masquerading, allowing attackers to execute arbitrary commands within the context of the Zoom application.
This threat brief addresses the suspicious execution of command interpreters (cmd.exe, powershell.exe, pwsh.exe, powershell_ise.exe) as child processes of Zoom.exe on Windows systems. While Zoom is a legitimate communication tool, attackers may exploit vulnerabilities within the application or use it as a vehicle for masquerading their malicious activities. This activity, detected via process monitoring, can be indicative of remote code execution, privilege escalation, or other unauthorized actions. This detection is relevant across multiple Windows environments utilizing Zoom, irrespective of specific Zoom versions. Timely detection of such behavior is crucial to prevent further compromise.
Attack Chain
- Initial Access: User launches the legitimate Zoom application.
- Exploitation/Masquerading: Attacker exploits a vulnerability in Zoom or utilizes it to masquerade malicious processes.
- Command Execution: The exploited or compromised Zoom process spawns a command interpreter (cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe) as a child process.
- Code Injection (Optional): Attacker injects malicious code into the spawned command interpreter.
- Privilege Escalation (Optional): Attacker leverages the command interpreter to escalate privileges on the system.
- Lateral Movement (Optional): Attacker uses the command interpreter to move laterally within the network.
- Persistence (Optional): Attacker establishes persistence through the command interpreter by creating scheduled tasks or modifying registry keys.
- Impact: The attacker achieves their objective, such as data exfiltration, system compromise, or further malicious activities.
Impact
Successful exploitation could lead to arbitrary code execution within the context of the user running Zoom. This could result in data theft, installation of malware, or further compromise of the system. The risk is elevated if the user has administrative privileges. The number of affected systems depends on the prevalence of the Zoom application within the organization and the speed of patching known vulnerabilities.
Recommendation
- Deploy the Sigma rule
Suspicious Zoom Child Process Spawning Command Interpreterto your SIEM to detect the described behavior. - Enable process monitoring with command-line logging on Windows endpoints to ensure the Sigma rule can function correctly.
- Investigate any alerts generated by the
Suspicious Zoom Child Process Spawning Command Interpreterrule, focusing on the specific commands executed and the parent process tree. - Implement application control policies to restrict the execution of unauthorized applications, including command interpreters, from running as child processes of Zoom (reference the Sigma rule for process names).
- Regularly patch Zoom and other third-party applications to mitigate known vulnerabilities that could be exploited (reference the "Overview" section).
Detection coverage 2
Suspicious Zoom Child Process Spawning Command Interpreter
mediumDetects the spawning of command interpreters (cmd.exe, powershell.exe, pwsh.exe, powershell_ise.exe) as child processes of Zoom.exe, which could indicate exploitation or masquerading.
Suspicious Zoom Child Process Command Line Arguments
highDetects suspicious command line arguments when cmd.exe, powershell.exe, pwsh.exe or powershell_ise.exe are spawned as child processes of Zoom.exe.
Detection queries are available on the platform. Get full rules →