Skip to content
Threat Feed
medium advisory

Suspicious Zoom Child Process Activity

The spawning of command interpreters (cmd.exe, powershell.exe, pwsh.exe) as child processes of Zoom.exe is indicative of potential exploitation or malicious masquerading, allowing attackers to execute arbitrary commands within the context of the Zoom application.

This threat brief addresses the suspicious execution of command interpreters (cmd.exe, powershell.exe, pwsh.exe, powershell_ise.exe) as child processes of Zoom.exe on Windows systems. While Zoom is a legitimate communication tool, attackers may exploit vulnerabilities within the application or use it as a vehicle for masquerading their malicious activities. This activity, detected via process monitoring, can be indicative of remote code execution, privilege escalation, or other unauthorized actions. This detection is relevant across multiple Windows environments utilizing Zoom, irrespective of specific Zoom versions. Timely detection of such behavior is crucial to prevent further compromise.

Attack Chain

  1. Initial Access: User launches the legitimate Zoom application.
  2. Exploitation/Masquerading: Attacker exploits a vulnerability in Zoom or utilizes it to masquerade malicious processes.
  3. Command Execution: The exploited or compromised Zoom process spawns a command interpreter (cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe) as a child process.
  4. Code Injection (Optional): Attacker injects malicious code into the spawned command interpreter.
  5. Privilege Escalation (Optional): Attacker leverages the command interpreter to escalate privileges on the system.
  6. Lateral Movement (Optional): Attacker uses the command interpreter to move laterally within the network.
  7. Persistence (Optional): Attacker establishes persistence through the command interpreter by creating scheduled tasks or modifying registry keys.
  8. Impact: The attacker achieves their objective, such as data exfiltration, system compromise, or further malicious activities.

Impact

Successful exploitation could lead to arbitrary code execution within the context of the user running Zoom. This could result in data theft, installation of malware, or further compromise of the system. The risk is elevated if the user has administrative privileges. The number of affected systems depends on the prevalence of the Zoom application within the organization and the speed of patching known vulnerabilities.

Recommendation

  • Deploy the Sigma rule Suspicious Zoom Child Process Spawning Command Interpreter to your SIEM to detect the described behavior.
  • Enable process monitoring with command-line logging on Windows endpoints to ensure the Sigma rule can function correctly.
  • Investigate any alerts generated by the Suspicious Zoom Child Process Spawning Command Interpreter rule, focusing on the specific commands executed and the parent process tree.
  • Implement application control policies to restrict the execution of unauthorized applications, including command interpreters, from running as child processes of Zoom (reference the Sigma rule for process names).
  • Regularly patch Zoom and other third-party applications to mitigate known vulnerabilities that could be exploited (reference the "Overview" section).

Detection coverage 2

Suspicious Zoom Child Process Spawning Command Interpreter

medium

Detects the spawning of command interpreters (cmd.exe, powershell.exe, pwsh.exe, powershell_ise.exe) as child processes of Zoom.exe, which could indicate exploitation or masquerading.

sigma tactics: defense_evasion, execution techniques: T1036, T1059.001, T1059.003 sources: process_creation, windows

Suspicious Zoom Child Process Command Line Arguments

high

Detects suspicious command line arguments when cmd.exe, powershell.exe, pwsh.exe or powershell_ise.exe are spawned as child processes of Zoom.exe.

sigma tactics: defense_evasion, execution techniques: T1036, T1059.001, T1059.003 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →