process where host.os.type == "windows" and event.type == "start" and
not process.executable :
("?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\System32\\WerFault.exe",
"?:\\Windows\\SysWOW64\\WerFault.exe") and
(
/* Slack */
(process.parent.name : "slack.exe" and not
(
(
process.executable : (
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
"?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin*\\Zoom.exe",
"?:\\Windows\\System32\\rundll32.exe",
"?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
"?:\\Windows\\System32\\notepad.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
) and process.code_signature.trusted == true
) or
(
process.code_signature.subject_name : (
"Slack Technologies, Inc.",
"Slack Technologies, LLC"
) and process.code_signature.trusted == true
) or
(
(process.name : "powershell.exe" and process.command_line : "powershell.exe -c Invoke-WebRequest -Uri https://slackb.com/*") or
(process.name : "cmd.exe" and process.command_line : "C:\\WINDOWS\\system32\\cmd.exe /d /s /c \"%windir%\\System32\\rundll32.exe User32.dll,SetFocus 0\"")
)
)
) or
/* WebEx */
(process.parent.name : ("CiscoCollabHost.exe", "WebexHost.exe") and not
(
(
process.executable : (
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
) and process.code_signature.trusted == true
) or
(
process.code_signature.subject_name : (
"Cisco Systems, Inc.",
"Cisco WebEx LLC",
"Cisco Systems Inc."
) and process.code_signature.trusted == true
)
)
) or
/* Teams */
(process.parent.name : "Teams.exe" and not
(
(
process.executable : (
"?:\\Windows\\BrowserCore\\BrowserCore.exe",
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
"?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"
) and process.code_signature.trusted == true
) or
(
process.code_signature.subject_name : (
"Microsoft Corporation",
"Microsoft 3rd Party Application Component"
) and process.code_signature.trusted == true
) or
(
(process.name : "taskkill.exe" and process.args : "Teams.exe")
)
)
) or
/* Discord */
(process.parent.name : "Discord.exe" and not
(
(
process.executable : (
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Windows\\System32\\reg.exe",
"?:\\Windows\\SysWOW64\\reg.exe"
) and process.code_signature.trusted == true
) or
(
process.code_signature.subject_name : (
"Discord Inc."
) and process.code_signature.trusted == true
) or
(
process.name : "cmd.exe" and
(
process.command_line : (
"C:\\WINDOWS\\system32\\cmd.exe /d /s /c \"chcp\"",
"C:\\WINDOWS\\system32\\cmd.exe /q /d /s /c \"C:\\Program^ Files\\NVIDIA^ Corporation\\NVSMI\\nvidia-smi.exe\""
) or
process.args : (
"C:\\WINDOWS/System32/nvidia-smi.exe",
"C:\\WINDOWS\\System32\\nvidia-smi.exe",
"C:\\Windows\\System32\\DriverStore\\FileRepository/*/nvidia-smi.exe*"
)
)
)
)
) or
/* WhatsApp */
(process.parent.name : "Whatsapp.exe" and not
(
(
process.executable : (
"?:\\Windows\\System32\\reg.exe",
"?:\\Windows\\SysWOW64\\reg.exe"
) and process.code_signature.trusted == true
) or
(
process.code_signature.subject_name : (
"WhatsApp LLC",
"WhatsApp, Inc",
"24803D75-212C-471A-BC57-9EF86AB91435"
) and process.code_signature.trusted == true
) or
(
(process.name : "cmd.exe" and process.command_line : "C:\\Windows\\system32\\cmd.exe /d /s /c \"C:\\Windows\\system32\\wbem\\wmic.exe*")
)
)
) or
/* Zoom */
(process.parent.name : "Zoom.exe" and not
(
(
process.executable : (
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
"?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe"
) and process.code_signature.trusted == true
) or
(
process.code_signature.subject_name : (
"Zoom Video Communications, Inc."
) and process.code_signature.trusted == true
)
)
) or
/* Thunderbird */
(process.parent.name : "thunderbird.exe" and not
(
(
process.executable : (
"?:\\Windows\\splwow64.exe",
"?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.EXE"
) and process.code_signature.trusted == true
) or
(
process.code_signature.subject_name : (
"Mozilla Corporation"
) and process.code_signature.trusted == true
)
)
)
)
Install detection rules in Elastic Security
Detect Suspicious Communication App Child Process in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).