Description

Attackers are using Zoom as a vector to escalate privileges on a system. This story detects new child processes of Zoom and provides investigative actions for this detection.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-04-13
  • Author: David Dorsey, Splunk
  • ID: aa3749a6-49c7-491e-a03f-4eaee5fe0258

Narrative

Zoom is a leader in modern enterprise video communications and its usage has increased dramatically with a large part of the population under stay-at-home orders due to the COVID-19 pandemic. With increased usage has come increased scrutiny, and several security flaws have been found in this application on both Windows and macOS systems.
Current detections focus on finding new child processes of this application on a per host basis. Investigative searches are included to gather information needed during an investigation.
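The two detection styles described above (a first-time-seen child process per host, and a hunt for Zoom spawning a shell) can be sketched outside Splunk to show the logic. The script below is an added example and is not Splunk's own search content; it assumes events shaped like the Endpoint datamodel's Processes fields (dest, parent_process_name, process_name, _time), and the sample events and the helper name "zoomhelper.exe" are constructed for the example.

```python
from collections import defaultdict

# Constructed sample events shaped like Endpoint.Processes records. Values are
# made up for this example; "zoomhelper.exe" is a placeholder, not a real Zoom binary.
SAMPLE_EVENTS = [
    {"_time": 1586736000, "dest": "host-a", "parent_process_name": "zoom.exe",     "process_name": "zoomhelper.exe"},
    {"_time": 1586736060, "dest": "host-a", "parent_process_name": "zoom.exe",     "process_name": "zoomhelper.exe"},
    {"_time": 1586740000, "dest": "host-a", "parent_process_name": "zoom.exe",     "process_name": "cmd.exe"},
    {"_time": 1586740010, "dest": "host-b", "parent_process_name": "zoom.exe",     "process_name": "zoomhelper.exe"},
    {"_time": 1586740020, "dest": "host-b", "parent_process_name": "explorer.exe", "process_name": "cmd.exe"},
]

# The hunting detection on this page looks for Zoom spawning cmd.exe.
PROHIBITED_CHILDREN = {"cmd.exe"}


def summarize_children(events, parent="zoom.exe"):
    """Per (dest, child) summary of the parent's children: first/last time and count.

    Mirrors a `stats min(_time) max(_time) count by dest, process_name`
    over events whose parent_process_name matches.
    """
    summary = {}
    for e in events:
        if e["parent_process_name"].lower() != parent:
            continue
        key = (e["dest"], e["process_name"].lower())
        s = summary.setdefault(key, {"firstTime": e["_time"], "lastTime": e["_time"], "count": 0})
        s["firstTime"] = min(s["firstTime"], e["_time"])
        s["lastTime"] = max(s["lastTime"], e["_time"])
        s["count"] += 1
    return summary


def first_time_seen_children(events, window_start, parent="zoom.exe"):
    """Anomaly-style detection: (dest, child) pairs whose earliest observation
    falls inside the current window, i.e. never seen on that host before."""
    summary = summarize_children(events, parent)
    hits = [
        {"dest": dest, "process_name": child, **s}
        for (dest, child), s in summary.items()
        if s["firstTime"] >= window_start
    ]
    return sorted(hits, key=lambda h: (h["dest"], h["process_name"]))


def prohibited_children(events, parent="zoom.exe", prohibited=PROHIBITED_CHILDREN):
    """Hunting-style detection: the parent spawning a shell such as cmd.exe."""
    return [
        e for e in events
        if e["parent_process_name"].lower() == parent
        and e["process_name"].lower() in prohibited
    ]


if __name__ == "__main__":
    # Treat everything before window_start as the per-host baseline.
    for h in first_time_seen_children(SAMPLE_EVENTS, window_start=1586739000):
        print("first seen:", h)
    for e in prohibited_children(SAMPLE_EVENTS):
        print("prohibited child:", e)
```

The baseline is keyed per host, so a helper that is routine on host-a still fires the first time it appears on host-b; that is the intended behaviour of a first-time-seen search and the reason the narrative stresses "on a per host basis". Tuning the window to the search schedule keeps the anomaly search from re-alerting on the same pair.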

Detections

Name                                            | Technique                                                | Type
Detect Prohibited Applications Spawning cmd exe | Command and Scripting Interpreter, Windows Command Shell | Hunting
First Time Seen Child Process of Zoom           | Exploitation for Privilege Escalation                    | Anomaly

Reference

Source | Version: 1