suspicious_zoom_child_processes.yml
name: Suspicious Zoom Child Processes
id: aa3749a6-49c7-491e-a03f-4eaee5fe0258
version: 1
date: '2020-04-13'
author: David Dorsey, Splunk
description: Attackers are using Zoom as a vector to increase privileges on systems.
  This story detects new child processes of Zoom and provides investigative actions
  for this detection.
narrative: 'Zoom is a leader in modern enterprise video communications and its usage
  has increased dramatically with a large part of the population under stay-at-home
  orders due to the COVID-19 pandemic. With increased usage has come increased scrutiny
  and several security flaws have been found with this application on both Windows
  and macOS systems.

  Current detections focus on finding new child processes of this application on a
  per-host basis. Investigative searches are included to gather information needed
  during an investigation.'
references:
- https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/
- https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/
tags:
  analytic_story: Suspicious Zoom Child Processes
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
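As an added example that is not part of this story or of the Splunk security_content repository: a Python sketch of the per-host "new child process" logic the narrative describes, run over constructed process-creation events (the host names, paths and the `zoom_helper.exe` name are invented). Historic events seed a per-host baseline of children already seen under the Zoom client, and later events that spawn a child not in that host's baseline are reported once.

```python
import os

# Parent image basenames treated as the Zoom client (Windows and macOS).
ZOOM_IMAGES = {"zoom.exe", "zoom.us"}

def basename(path):
    """Lower-cased final path component, accepting Windows or POSIX separators."""
    return os.path.basename(path.replace("\\", "/")).lower()

def is_zoom_parent(path):
    return basename(path) in ZOOM_IMAGES

def build_baseline(events):
    """Per-host set of child image names already observed spawning from Zoom."""
    baseline = {}
    for e in events:
        if is_zoom_parent(e["parent"]):
            baseline.setdefault(e["host"], set()).add(basename(e["child"]))
    return baseline

def find_new_zoom_children(events, baseline):
    """Return (host, child) pairs for Zoom child processes absent from that
    host's baseline; each new child is reported once, then added to it."""
    alerts = []
    for e in events:
        if not is_zoom_parent(e["parent"]):
            continue
        known = baseline.setdefault(e["host"], set())
        name = basename(e["child"])
        if name not in known:
            alerts.append((e["host"], name))
            known.add(name)
    return alerts

# Constructed sample process-creation events (not real telemetry; hosts, paths and
# the helper name are invented). Historic events seed the baseline, newer ones are checked.
ZOOM_WIN = r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe"
ZOOM_MAC = "/Applications/zoom.us.app/Contents/MacOS/zoom.us"
BASELINE_EVENTS = [
    {"host": "ws01", "parent": ZOOM_WIN, "child": r"C:\Users\alice\AppData\Roaming\Zoom\bin\zoom_helper.exe"},
]
NEW_EVENTS = [
    {"host": "ws01", "parent": ZOOM_WIN, "child": r"C:\Users\alice\AppData\Roaming\Zoom\bin\zoom_helper.exe"},  # known
    {"host": "ws01", "parent": ZOOM_WIN, "child": r"C:\Windows\System32\cmd.exe"},  # new child on ws01
    {"host": "mac02", "parent": ZOOM_MAC, "child": "/bin/sh"},  # mac02 has no baseline yet -> new
    {"host": "mac02", "parent": "/Applications/Safari.app/Contents/MacOS/Safari", "child": "/bin/sh"},  # not Zoom
    {"host": "ws01", "parent": ZOOM_WIN, "child": r"C:\Windows\System32\cmd.exe"},  # already reported
]
```

In a SIEM the baseline would be a lookup refreshed from a trailing window rather than an in-memory dict, but the matching rule is the same.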