Suspicious Zoom Child Process Execution

This detection identifies suspicious child processes spawned by Zoom.exe, potentially indicating an attempt to evade detection or exploit vulnerabilities within the Zoom application. The rule focuses on detecting instances where command interpreters like cmd.exe, PowerShell, or PowerShell ISE are launched as child processes of Zoom. This behavior can be indicative of an attacker attempting to execute malicious commands or scripts within the context of the Zoom application, potentially escalating privileges or gaining unauthorized access to system resources. It’s crucial for defenders to investigate such occurrences, as they may signify ongoing exploitation or malicious activity leveraging Zoom as an initial access vector.

Attack Chain

1. User launches the Zoom application (Zoom.exe).
2. A vulnerability in Zoom is exploited, or the user is socially engineered into running a malicious command.
3. Zoom.exe spawns a child process, such as cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.
4. The spawned process executes commands or scripts, potentially downloading or executing malware.
5. The malicious script or command performs reconnaissance activities on the system.
6. The script establishes persistence by creating a scheduled task or modifying registry keys.
7. The attacker gains remote access to the compromised system.
8. The attacker performs lateral movement and data exfiltration.

Impact

Successful exploitation could allow attackers to execute arbitrary commands, escalate privileges, and compromise the affected system. Depending on the user’s privileges, attackers could gain access to sensitive data, install malware, or pivot to other systems on the network. The impact ranges from data breaches to complete system compromise, potentially affecting all users within the organization who utilize the Zoom application.

Recommendation

• Deploy the Sigma rule “Suspicious Zoom Child Process” to your SIEM to detect command interpreters spawned by Zoom.exe. Tune the rule for your environment to minimize false positives.
• Enable Sysmon process creation logging (Event ID 1) to capture detailed information about process executions, which is essential for the Sigma rule above.
• Investigate any alerts generated by the Sigma rule, focusing on the command-line arguments and network connections of the spawned processes.
• Monitor Windows Security Event Logs for process creation events related to Zoom.exe and its child processes to identify suspicious behavior.
• Consider implementing application control policies to restrict the execution of unauthorized processes within the Zoom application context.