Zoom room systems exhibiting high CPU usage could indicate adversarial processes running in memory that leverage T1542 techniques to maintain persistence and exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate potential compromise of critical collaboration devices.
KQL Query
ZoomLogs
| where Event =~ "zoomroom.alert"
| extend AlertType = toint(parse_json(RoomEvents).AlertType), AlertKind = toint(parse_json(RoomEvents).AlertKind)
| extend RoomName = payload_object_room_name_s, User = payload_object_email_s
| where AlertType == 1 and AlertKind == 1
| extend timestamp = TimeGenerated, AccountCustomEntity = User
// Uncomment the lines below to analyse event over time
//| summarize count() by bin(TimeGenerated, 1h), RoomName
//| render timechart
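The filter logic of the query above, re-implemented in Python over constructed ZoomLogs rows as an added example (not code from the hunting query or from Azure Sentinel), so the `=~`, `toint()` and null-comparison behaviour can be checked offline; the column and JSON field names follow the query, and the sample rows are assumptions.

```python
# Added example, not part of the original hunting query: its KQL filter
# re-implemented in Python over constructed ZoomLogs rows, so the matching
# rules can be exercised offline. Column and JSON names follow the query.
import json

# Constructed sample rows; RoomEvents is stored as a JSON string, as in Log Analytics.
SAMPLE_ZOOMLOGS = [
    {"TimeGenerated": "2024-01-10T09:05:00Z", "Event": "zoomroom.alert",
     "RoomEvents": '{"AlertType": 1, "AlertKind": 1}',
     "payload_object_room_name_s": "Boardroom", "payload_object_email_s": "room1@example.org"},
    {"TimeGenerated": "2024-01-10T09:40:00Z", "Event": "ZoomRoom.Alert",  # `=~` ignores case
     "RoomEvents": '{"AlertType": "1", "AlertKind": "1"}',             # toint() parses strings
     "payload_object_room_name_s": "Boardroom", "payload_object_email_s": "room1@example.org"},
    {"TimeGenerated": "2024-01-10T10:15:00Z", "Event": "zoomroom.alert",
     "RoomEvents": '{"AlertType": 1, "AlertKind": 2}',                  # fails AlertKind == 1
     "payload_object_room_name_s": "Boardroom", "payload_object_email_s": "room1@example.org"},
    {"TimeGenerated": "2024-01-10T10:20:00Z", "Event": "zoomroom.alert",
     "RoomEvents": '{"AlertKind": 1}',                                  # no AlertType: toint() is null
     "payload_object_room_name_s": "Huddle-2", "payload_object_email_s": "room2@example.org"},
]

def toint(value):
    """Simplified KQL toint(): ints and integer strings convert, anything else is null (None)."""
    if isinstance(value, int) and not isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lstrip("-").isdigit():
        return int(value)
    return None

def hunt_high_cpu_alerts(rows):
    """Apply the query's where/extend steps and return the rows the hunt surfaces."""
    hits = []
    for row in rows:
        if row.get("Event", "").lower() != "zoomroom.alert":
            continue
        try:
            events = json.loads(row.get("RoomEvents") or "{}")
        except json.JSONDecodeError:
            events = {}
        events = events if isinstance(events, dict) else {}
        # null never compares equal to 1, so malformed or partial payloads drop out here
        if toint(events.get("AlertType")) != 1 or toint(events.get("AlertKind")) != 1:
            continue
        hits.append({"timestamp": row["TimeGenerated"],
                     "RoomName": row.get("payload_object_room_name_s"),
                     "AccountCustomEntity": row.get("payload_object_email_s")})
    return hits
```

Running `hunt_high_cpu_alerts(SAMPLE_ZOOMLOGS)` returns only the two Boardroom rows; the cleared-style and partial payloads fall out exactly as they would in Sentinel.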
id: 79cf4646-0959-442f-9707-60fc66eb8145
name: Zoom room high CPU alerts
description: |
  'This hunting query identifies Zoom room systems with high CPU alerts that may be a sign of device compromise.'
requiredDataConnectors: []
tactics:
  - DefenseEvasion
  - Persistence
relevantTechniques:
  - T1542
query: |
  ZoomLogs
  | where Event =~ "zoomroom.alert"
  | extend AlertType = toint(parse_json(RoomEvents).AlertType), AlertKind = toint(parse_json(RoomEvents).AlertKind)
  | extend RoomName = payload_object_room_name_s, User = payload_object_email_s
  | where AlertType == 1 and AlertKind == 1
  | extend timestamp = TimeGenerated, AccountCustomEntity = User
  // Uncomment the lines below to analyse event over time
  //| summarize count() by bin(TimeGenerated, 1h), RoomName
  //| render timechart
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.0
metadata:
  source:
    kind: Community
  author:
    name: Pete Bryan
  support:
    tier: Community
  categories:
    domains: [ "Security - Other" ]
Scenario: Scheduled Zoom Meeting Backup or Sync Job
Description: A legitimate scheduled job runs to back up or sync meeting data, which temporarily spikes CPU usage.
Filter/Exclusion: Exclude processes associated with Zoom Backup Service or Zoom Sync Task using the process name or command line arguments.

Scenario: System Maintenance or Patching via SCCM or WSUS
Description: A system update or patching task initiated by SCCM or WSUS may cause temporary high CPU usage on the Zoom room device.
Filter/Exclusion: Exclude processes related to Microsoft Endpoint Manager or WsusClean.exe using the process name or parent process.

Scenario: Zoom Room Audio/Video Encoding During a Live Meeting
Description: During a live meeting, the Zoom room device may use high CPU for audio/video encoding, which is normal behavior.
Filter/Exclusion: Exclude processes with zoomclient.exe or zoom_win.exe that are running during active meetings using the process name and time-based filters.

Scenario: Antivirus or Endpoint Protection Scan
Description: A full system scan by an antivirus tool like Bitdefender, Kaspersky, or Microsoft Defender may cause temporary high CPU usage on the Zoom room device.
Filter/Exclusion: Exclude processes related to antivirus tools (e.g., bdagent.exe, kavsvc.exe, MsMpEng.exe) using the process name or service name.

Scenario: Remote Administration or Configuration via PowerShell or Remote Desktop
Description: An admin may be remotely configuring the Zoom room using PowerShell or RDP, which can cause a temporary CPU spike.
Filter/Exclusion: Exclude processes with powershell.exe or mstsc.exe that are initiated by known admin accounts or during scheduled maintenance windows.