Techniques
Sample rules
First Time Seen Child Process of Zoom
- source: splunk
- techniques:
  - T1068
Description
This search looks for child processes spawned by zoom.exe or zoom.us that have not previously been seen.
Detection logic
| tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_id) as parent_process_id values(Processes.process_name) as process_name values(Processes.process) as process from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest
| `drop_dm_object_name(Processes)`
| lookup zoom_first_time_child_process dest as dest process_name as process_name OUTPUT firstTimeSeen
| where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), "`previously_seen_zoom_child_processes_window`")
| `security_content_ctime(firstTime)`
| table firstTime, dest, process_id, process_name, parent_process_id, parent_process_name
| `first_time_seen_child_process_of_zoom_filter`
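The SPL above reads in four steps: restrict to events whose parent is zoom.exe or zoom.us, collapse them per (dest, process_id) keeping the earliest time, join against the zoom_first_time_child_process lookup, and keep only rows that are absent from the lookup or whose recorded first sighting still falls inside the window macro. The following Python is an added illustration of that same logic over constructed events; it is not code from the rule's source or from Splunk. The sample events, the baseline lookup contents, the fixed `NOW` and the 7-day `WINDOW` are all assumptions (the page does not state the value of `previously_seen_zoom_child_processes_window`), and iterating the lookup per process name is an approximation of how Splunk applies a lookup to a multivalue field.

```python
from datetime import datetime, timedelta

ZOOM_PARENTS = {"zoom.exe", "zoom.us"}

# Constructed sample endpoint process events (not real telemetry); the field
# names mirror those the rule reads from the Endpoint.Processes data model.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:00", "dest": "host-a", "parent_process_name": "zoom.exe",
     "parent_process_id": 3900, "process_id": 4100, "process_name": "cpthost.exe"},
    {"_time": "2024-05-01T09:05:00", "dest": "host-a", "parent_process_name": "zoom.exe",
     "parent_process_id": 3900, "process_id": 4200, "process_name": "cmd.exe"},
    {"_time": "2024-05-01T09:06:00", "dest": "host-b", "parent_process_name": "chrome.exe",
     "parent_process_id": 5100, "process_id": 5200, "process_name": "cmd.exe"},
    {"_time": "2024-05-01T09:07:00", "dest": "host-b", "parent_process_name": "zoom.us",
     "parent_process_id": 5250, "process_id": 5300, "process_name": "powershell.exe"},
]

# Constructed stand-in for the zoom_first_time_child_process lookup: the first
# time each (dest, process_name) pair was observed as a Zoom child process.
BASELINE = {
    ("host-a", "cpthost.exe"): "2024-03-01T08:00:00",     # known for months
    ("host-b", "powershell.exe"): "2024-04-29T10:00:00",  # first seen two days ago
}

# Assumed values: the page does not give the window macro's value, so a 7-day
# window is used here; NOW is pinned so the run is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, 0)
WINDOW = timedelta(days=7)


def first_time_seen_zoom_children(events, baseline, now=NOW, window=WINDOW):
    """Return Zoom child processes that are unseen or still inside the baseline window."""
    # tstats ... where parent is zoom ... by Processes.process_id Processes.dest:
    # group matching events per (dest, process_id) and keep min(_time) as firstTime.
    groups = {}
    for ev in events:
        if ev["parent_process_name"] not in ZOOM_PARENTS:
            continue
        key = (ev["dest"], ev["process_id"])
        grp = groups.setdefault(key, {
            "firstTime": ev["_time"], "dest": ev["dest"], "process_id": ev["process_id"],
            "process_name": set(), "parent_process_id": set(), "parent_process_name": set(),
        })
        grp["firstTime"] = min(grp["firstTime"], ev["_time"])  # ISO strings sort chronologically
        grp["process_name"].add(ev["process_name"])
        grp["parent_process_id"].add(ev["parent_process_id"])
        grp["parent_process_name"].add(ev["parent_process_name"])

    # lookup ... OUTPUT firstTimeSeen, then
    # where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), window):
    # a pair is interesting if the baseline has never recorded it, or recorded it
    # so recently that it has not yet aged out of the window.
    cutoff = now - window
    hits = []
    for grp in groups.values():
        for name in sorted(grp["process_name"]):
            seen = baseline.get((grp["dest"], name))
            if seen is None or datetime.fromisoformat(seen) > cutoff:
                hits.append({
                    "firstTime": grp["firstTime"],
                    "dest": grp["dest"],
                    "process_id": grp["process_id"],
                    "process_name": name,
                    "parent_process_id": sorted(grp["parent_process_id"]),
                    "parent_process_name": sorted(grp["parent_process_name"]),
                    "reason": "never seen" if seen is None else "first seen inside window",
                })
    # table firstTime, dest, process_id, ...: emit rows in a stable order
    return sorted(hits, key=lambda h: (h["firstTime"], h["dest"], h["process_id"]))


if __name__ == "__main__":
    for hit in first_time_seen_zoom_children(SAMPLE_EVENTS, BASELINE):
        print(hit)
```

On the constructed input the cpthost.exe child on host-a is dropped because its baseline entry is older than the window, the cmd.exe child of chrome.exe never enters the search, and the two remaining rows (cmd.exe on host-a, never seen; powershell.exe on host-b, first seen inside the window) are what an analyst would triage. Because the rule keys the lookup on (dest, process_name), the same binary becomes "new" again on every host where Zoom has not spawned it before, which is the intended tuning knob: widen the baseline to reduce noise, or shrink the window to surface recent first sightings for longer.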