Detecting Zoom Haxxers

Zoom is a pretty popular topic now that it supports the global economy entirely. That has driven a lot of researchers to go after the platform in interesting ways.

In the group chat, Zoom presents these links to users as clickable without giving them any indication of what the links really do. This could let bad actors get users to click on things they shouldn't. This attack isn't the worst thing in the world, but it is an interesting and current example of something you can write detections for.

\\127.0.0.1\C$\Windows\System32\calc.exe : open Calc.exe (or any other process)

\\?http://youtube.com/watch?v=123124124&title=ZXhwbG9pdAo=........\Users\vagrant\Docume~1\exploit.bat : run a batch file in the Documents folder while appearing to come from YouTube.

Let's see if we can utilize the flexibility of Limacharlie to see the processes and perhaps create some detection logic to get some notifications if this is happening. We can see what telemetry is generated when clicked:

Both of these telemetry events show Zoom as the parent process, launching either calc.exe from a UNC path or cmd.exe, neither of which should normally be expected. So how do we detect this at scale?

Using the Sigma format https://github.com/Neo23x0/sigma, we can create a generic rule for detection to use with any technology that it supports:

title: Zoom as Parent  
status: experimental  
description: Detects the creation of a process from Zoom  
tags:  
    - attack.execution
author: John Tuckner  
date: 2020/04/01  
logsource:  
    category: process_creation
    product: windows
detection:  
    selection:
        ParentImage:
            - '*\Zoom.exe'
        Image:
            - 'UNC*'
            - '*\cmd.exe'
    condition: selection
fields:  
    - Image
    - ParentImage
falsepositives:  
    - Zoom being secure
level: low  

This rule states that any cmd.exe or UNC-path-derived process whose parent process is Zoom should be alerted on. Next, let's translate that into Limacharlie D&R rules:

python tools/sigmac -t limacharlie ~/dev/sigmarules/zoom.yml

detect:  
  events:
  - NEW_PROCESS
  - EXISTING_PROCESS
  op: and
  rules:
  - op: is windows
  - op: and
    rules:
    - case sensitive: false
      op: ends with
      path: event/PARENT/FILE_PATH
      value: \Zoom.exe
    - op: or
      rules:
      - case sensitive: false
        op: starts with
        path: event/FILE_PATH
        value: UNC
      - case sensitive: false
        op: ends with
        path: event/FILE_PATH
        value: \cmd.exe
respond:  
- action: report
  metadata:
    author: John Tuckner
    description: Detects the creation of a process from Zoom
    falsepositives:
    - Zoom being secure
    level: low
    tags:
    - attack.execution
  name: Zoom as Parent

Boom! Now we have a Limacharlie detection ready to implement. Once that is done, if we see another attack happen, we'll get a detection generated and can perhaps even see it in your platform of choice, like Chronicle!
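To show how the converted rule's logic actually evaluates, here is an added example (my own code, not Limacharlie's engine or the post's) that walks the detect tree above over constructed process events. The top-level `platform` key standing in for the `is windows` check, the event shape, and the sample paths are assumptions.

```python
# The detect block of the converted LimaCharlie rule, as a Python structure.
DETECT = {
    "events": ["NEW_PROCESS", "EXISTING_PROCESS"], "op": "and",
    "rules": [
        {"op": "is windows"},
        {"op": "and", "rules": [
            {"op": "ends with", "path": "event/PARENT/FILE_PATH",
             "value": r"\Zoom.exe", "case sensitive": False},
            {"op": "or", "rules": [
                {"op": "starts with", "path": "event/FILE_PATH",
                 "value": "UNC", "case sensitive": False},
                {"op": "ends with", "path": "event/FILE_PATH",
                 "value": r"\cmd.exe", "case sensitive": False}]}]}]}

def lookup(event, path):
    """Walk a slash-separated path such as event/PARENT/FILE_PATH; '' if absent."""
    for part in path.split("/"):
        event = event.get(part, "") if isinstance(event, dict) else ""
    return event if isinstance(event, str) else ""

def evaluate(rule, event):
    """Evaluate one rule node; 'is windows' reads an assumed top-level 'platform' key."""
    op = rule["op"]
    if op == "and":
        return all(evaluate(r, event) for r in rule["rules"])
    if op == "or":
        return any(evaluate(r, event) for r in rule["rules"])
    if op == "is windows":
        return event.get("platform") == "windows"
    if op in ("ends with", "starts with"):
        actual, expected = lookup(event, rule["path"]), rule["value"]
        if not rule.get("case sensitive", True):  # the rule sets this to false
            actual, expected = actual.lower(), expected.lower()
        return actual.endswith(expected) if op == "ends with" else actual.startswith(expected)
    raise ValueError(f"unsupported op: {op}")

def matches(event):
    """True when the event type is in scope and the whole detect tree fires."""
    return event["type"] in DETECT["events"] and evaluate(DETECT, event)

def make_event(parent, child, platform="windows"):
    """Constructed sample event shaped like the rule's paths (not real telemetry)."""
    return {"type": "NEW_PROCESS", "platform": platform,
            "event": {"FILE_PATH": child, "PARENT": {"FILE_PATH": parent}}}

ZOOM = r"C:\Users\vagrant\AppData\Roaming\Zoom\bin\Zoom.exe"
SAMPLES = {  # constructed: the two events from the post plus two benign look-alikes
    "calc_over_unc": make_event(ZOOM, r"UNC\127.0.0.1\C$\Windows\System32\calc.exe"),
    "cmd_from_zoom": make_event(ZOOM, r"C:\Windows\System32\cmd.exe"),
    "cmd_from_explorer": make_event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
    "zoom_own_child": make_event(ZOOM, r"C:\Users\vagrant\AppData\Roaming\Zoom\bin\CptHost.exe"),
}
```

Only the two Zoom-parented events from the post fire; cmd.exe under explorer.exe and a Zoom child that is neither cmd.exe nor a UNC path stay quiet, which is the false-positive boundary the rule draws.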

John Tuckner