security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Suspicious Zoom ChildProcess (#245)

Browse Source
This commit is contained in:
Samirbous
2020-10-01 01:46:33 +02:00
committed by GitHub
parent 5ba848552a
commit d094c76534
1 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+62
View File
@@ -0,0 +1,62 @@
[metadata]
creation_date = "2020/09/03"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/03"
[rule]
author = ["Elastic"]
description = """
A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details
such as command line, network connections, file writes and associated file signature details as well.
"""
false_positives = ["New Zoom Executable"]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Suspicious Zoom Child Process"
risk_score = 47
rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
severity = "medium"
tags = ["Elastic", "Windows"]
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
process.parent.name:Zoom.exe and
not process.name:(Zoom.exe or WerFault.exe or airhost.exe or CptControl.exe or CptHost.exe or cpthost.exe or
CptInstall.exe or CptService.exe or Installer.exe or zCrashReport.exe or Zoom_launcher.exe or zTscoder.exe or
plugin_Launcher.exe or mDNSResponder.exe or zDevHelper.exe or APcptControl.exe or CrashSender*.exe or aomhost64.exe or
Magnify.exe or m_plugin_launcher.exe or com.zoom.us.zTranscode.exe or RoomConnector.exe or tabtip.exe or Explorer.exe or
chrome.exe or firefox.exe or iexplore.exe or outlook.exe or lync.exe or ApplicationFrameHost.exe or ZoomAirhostInstaller.exe or
narrator.exe or NVDA.exe or Magnify.exe or Outlook.exe or m_plugin_launcher.exe or mphost.exe or APcptControl.exe or winword.exe or
excel.exe or powerpnt.exe or ONENOTE.EXE or wpp.exe or debug_message.exe or zAssistant.exe or msiexec.exe or msedge.exe or
dwm.exe or vcredist_x86.exe or Controller.exe or Installer.exe or CptInstall.exe or Zoom_launcher.exe or ShellExperienceHost.exe or wps.exe)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"