Zoom is a popular topic now that so much of the world's work runs over it, and that attention has driven a lot of researchers to go after the platform in interesting ways.
In group chat, Zoom renders UNC paths as clickable links without giving users any indication of what the link actually does. That could let bad actors get users to click on things they shouldn't. This attack isn't the worst thing in the world, but it is an interesting and current example of something you can write detections for.
\\127.0.0.1\C$\Windows\System32\calc.exe : opens calc.exe (or any other process reachable over a UNC path)
\\?http://youtube.com/watch?v=123124124&title=ZXhwbG9pdAo=........\Users\vagrant\Docume~1\exploit.bat : runs a batch file from the Documents folder while appearing to be a YouTube link
Let's see if we can use the flexibility of LimaCharlie to see these processes and create some detection logic that notifies us when this is happening. First, the telemetry generated when each link is clicked:
Both pieces of telemetry show Zoom as the parent process, running either calc.exe from a UNC path or cmd.exe, neither of which should normally be expected from Zoom. So how do we detect this at scale?
Using the Sigma format (https://github.com/Neo23x0/sigma), we can write one generic detection rule and convert it for any backend Sigma supports:
title: Zoom as Parent
status: experimental
description: Detects the creation of a process from Zoom
tags:
    - attack.execution
author: John Tuckner
date: 2020/04/01
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage:
            - '*\Zoom.exe'
        Image:
            - 'UNC*'
            - '*\cmd.exe'
    condition: selection
fields:
    - Image
    - ParentImage
falsepositives:
    - Zoom being secure
level: low
This rule states that any cmd.exe or UNC-path-derived process whose parent is Zoom should be alerted on. Within a single Sigma selection the field conditions are ANDed (ParentImage and Image must both match) and the list values under each field are ORed, which is exactly the logic we want. Next, let's translate it into a LimaCharlie D&R rule with sigmac:
python tools/sigmac -t limacharlie ~/dev/sigmarules/zoom.yml
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: and
      rules:
        - case sensitive: false
          op: ends with
          path: event/PARENT/FILE_PATH
          value: \Zoom.exe
        - op: or
          rules:
            - case sensitive: false
              op: starts with
              path: event/FILE_PATH
              value: UNC
            - case sensitive: false
              op: ends with
              path: event/FILE_PATH
              value: \cmd.exe
respond:
  - action: report
    metadata:
      author: John Tuckner
      description: Detects the creation of a process from Zoom
      falsepositives:
        - Zoom being secure
      level: low
      tags:
        - attack.execution
    name: Zoom as Parent
Boom! Now we have a LimaCharlie detection ready to deploy. Once it is in place, the next time this attack happens we'll get a detection generated, and it can be forwarded on to your platform of choice, such as Chronicle.
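To sanity-check the logic before deploying it, here is an added example (not code from the original post, from sigmac, or from LimaCharlie) that evaluates the generated D&R rule against a handful of constructed NEW_PROCESS events. It implements only the operators the rule actually uses (and, or, is windows, starts with, ends with) and assumes a LimaCharlie-like message layout with the platform and event type under routing and the process fields under event; the Zoom install path and the UNC rendering of the image path are constructed test data, not captured telemetry. The last sample deliberately shows the rule's blind spot: an image path reported with a leading \\ rather than a UNC prefix does not satisfy "starts with UNC", so confirm how your sensor renders UNC-launched images before trusting that branch.

```python
"""Evaluate the sigmac-generated 'Zoom as Parent' D&R rule against sample events.

Added example, not part of the original post. Event layout is an assumption
modelled on LimaCharlie telemetry; all sample events are constructed.
"""
from typing import Any, Dict

# The 'detect' section of the generated rule, transcribed as Python data.
RULE: Dict[str, Any] = {
    "events": ["NEW_PROCESS", "EXISTING_PROCESS"],
    "op": "and",
    "rules": [
        {"op": "is windows"},
        {"op": "and", "rules": [
            {"case sensitive": False, "op": "ends with",
             "path": "event/PARENT/FILE_PATH", "value": r"\Zoom.exe"},
            {"op": "or", "rules": [
                {"case sensitive": False, "op": "starts with",
                 "path": "event/FILE_PATH", "value": "UNC"},
                {"case sensitive": False, "op": "ends with",
                 "path": "event/FILE_PATH", "value": r"\cmd.exe"},
            ]},
        ]},
    ],
}


def lookup(obj: Dict[str, Any], path: str) -> Any:
    """Resolve a slash-separated path such as event/PARENT/FILE_PATH."""
    cur: Any = obj
    for part in path.split("/"):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(node: Dict[str, Any], msg: Dict[str, Any]) -> bool:
    """Evaluate one rule node (the subset of operators the rule uses)."""
    op = node["op"]
    if op == "and":
        return all(evaluate(r, msg) for r in node["rules"])
    if op == "or":
        return any(evaluate(r, msg) for r in node["rules"])
    if op == "is windows":
        # Platform is taken from routing metadata (assumed layout).
        return msg.get("routing", {}).get("platform") == "windows"
    if op in ("starts with", "ends with"):
        actual = lookup(msg, node["path"])
        if not isinstance(actual, str):
            return False
        expected = node["value"]
        if not node.get("case sensitive", True):
            actual, expected = actual.lower(), expected.lower()
        return actual.startswith(expected) if op == "starts with" else actual.endswith(expected)
    raise ValueError(f"unsupported operator: {op}")


def matches(msg: Dict[str, Any]) -> bool:
    """True if the message is one of the rule's event types and the detect logic fires."""
    if msg.get("routing", {}).get("event_type") not in RULE["events"]:
        return False
    return evaluate(RULE, msg)


def new_process(parent: str, child: str, platform: str = "windows") -> Dict[str, Any]:
    """Constructed NEW_PROCESS message in an assumed LimaCharlie-like shape."""
    return {
        "routing": {"event_type": "NEW_PROCESS", "platform": platform},
        "event": {"FILE_PATH": child, "PARENT": {"FILE_PATH": parent}},
    }


ZOOM = r"C:\Users\vagrant\AppData\Roaming\Zoom\bin\Zoom.exe"  # constructed
SAMPLES: Dict[str, Dict[str, Any]] = {
    "calc via UNC prefix, Zoom parent": new_process(ZOOM, r"UNC\127.0.0.1\C$\Windows\System32\calc.exe"),
    "cmd.exe, Zoom parent (upper case)": new_process(ZOOM.upper(), r"C:\WINDOWS\SYSTEM32\CMD.EXE"),
    "cmd.exe, explorer parent": new_process(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
    "local calc, Zoom parent": new_process(ZOOM, r"C:\Windows\System32\calc.exe"),
    "UNC calc, Zoom parent, non-Windows": new_process(ZOOM, r"UNC\127.0.0.1\C$\calc.exe", platform="macos"),
    "double-backslash UNC, Zoom parent": new_process(ZOOM, r"\\127.0.0.1\C$\Windows\System32\calc.exe"),
}


def run_samples() -> Dict[str, bool]:
    """Run every constructed sample through the rule."""
    return {name: matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{'DETECT' if hit else 'pass  '}  {name}")
```

The first two samples fire (the second shows the case-insensitive matches doing their job), the explorer.exe and local-calc samples do not, the non-Windows sample is dropped by the is windows guard, and the final sample is the caveat worth keeping in mind: the rule only catches a UNC launch if the sensor reports the image path with the UNC prefix the author observed.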