IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Suspicious WerFault Child Process Suspicious macOS MS Office Child Process »
Elastic Docs Elastic Security Solution [7.14] Detections and alerts Prebuilt rule reference

Suspicious Zoom Child Process

edit

Suspicious Zoom Child Process

edit

A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit
process where event.type in ("start", "process_started", "info") and
process.parent.name : "Zoom.exe" and process.name : ("cmd.exe",
"powershell.exe", "pwsh.exe")

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 4 (7.12.0 release)
  • Formatting only
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)

  • Updated query, changed from:

    event.category:process and event.type:(start or process_started) and
process.parent.name:Zoom.exe and not process.name:(Zoom.exe or
WerFault.exe or airhost.exe or CptControl.exe or CptHost.exe or
cpthost.exe or CptInstall.exe or CptService.exe or Installer.exe or
zCrashReport.exe or Zoom_launcher.exe or zTscoder.exe or
plugin_Launcher.exe or mDNSResponder.exe or zDevHelper.exe or
APcptControl.exe or CrashSender*.exe or aomhost64.exe or Magnify.exe
or m_plugin_launcher.exe or com.zoom.us.zTranscode.exe or
RoomConnector.exe or tabtip.exe or Explorer.exe or chrome.exe or
firefox.exe or iexplore.exe or outlook.exe or lync.exe or
ApplicationFrameHost.exe or ZoomAirhostInstaller.exe or narrator.exe
or NVDA.exe or Magnify.exe or Outlook.exe or m_plugin_launcher.exe or
mphost.exe or APcptControl.exe or winword.exe or excel.exe or
powerpnt.exe or ONENOTE.EXE or wpp.exe or debug_message.exe or
zAssistant.exe or msiexec.exe or msedge.exe or dwm.exe or
vcredist_x86.exe or Controller.exe or Installer.exe or CptInstall.exe
or Zoom_launcher.exe or ShellExperienceHost.exe or wps.exe)
« Suspicious WerFault Child Process Suspicious macOS MS Office Child Process »