Zoom Meeting with no Passcode

This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing, which is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting in the shutdown of the session.

Elastic rule

[metadata]
creation_date = "2020/09/14"
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to
Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode.
Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video
conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material
that is lewd, obscene, racist, or antisemitic in nature, typically resulting in the shutdown of the session.
"""
index = ["filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Zoom Meeting with no Passcode"
references = [
    "https://blog.zoom.us/a-message-to-our-users/",
    "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic",
]
risk_score = 47
rule_id = "58ac2aa5-6718-427c-a845-5f3ac5af00ba"
setup = """## Setup

The Zoom Filebeat module or similarly structured data is required to be compatible with this rule."""
severity = "medium"
tags = ["Data Source: Zoom", "Use Case: Configuration Audit", "Tactic: Initial Access"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.type:creation and event.module:zoom and event.dataset:zoom.webhook and
  event.action:meeting.created and not zoom.meeting.password:*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
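To make the query's semantics concrete, the following is an added Python re-implementation of the rule's KQL predicate, run over a handful of constructed ECS-style documents shaped like Zoom Filebeat module output. It is example code written for this page, not part of the Elastic rule or the Zoom Filebeat module; the sample events, meeting ids and passcodes are made up, and the handling of empty strings assumes zoom.meeting.password is mapped as a keyword field.

```python
"""
Added example: evaluates the Elastic rule's KQL predicate

    event.type:creation and event.module:zoom and event.dataset:zoom.webhook and
      event.action:meeting.created and not zoom.meeting.password:*

over constructed documents. Not part of the Elastic rule or the Zoom Filebeat module.
"""
from typing import Any, Dict, List, Optional

# Constructed sample documents (made up ids and passcodes). Field names follow
# the rule's query; event.type is multi-valued as it usually is in ECS.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # passcode set: must not alert
        "event": {"type": ["creation"], "module": "zoom", "dataset": "zoom.webhook",
                  "action": "meeting.created"},
        "zoom": {"meeting": {"id": "91000", "password": "x7Kq2p"}},
    },
    {   # no passcode field at all: must alert
        "event": {"type": ["creation"], "module": "zoom", "dataset": "zoom.webhook",
                  "action": "meeting.created"},
        "zoom": {"meeting": {"id": "91001"}},
    },
    {   # an update, not a creation: out of scope for this rule
        "event": {"type": ["change"], "module": "zoom", "dataset": "zoom.webhook",
                  "action": "meeting.updated"},
        "zoom": {"meeting": {"id": "91002"}},
    },
    {   # passcode field present but null: an exists query treats null as absent
        "event": {"type": ["creation"], "module": "zoom", "dataset": "zoom.webhook",
                  "action": "meeting.created"},
        "zoom": {"meeting": {"id": "91003", "password": None}},
    },
    {   # empty-string passcode: still an indexed keyword term, so `field:*` matches
        "event": {"type": ["creation"], "module": "zoom", "dataset": "zoom.webhook",
                  "action": "meeting.created"},
        "zoom": {"meeting": {"id": "91004", "password": ""}},
    },
]


def get_path(doc: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a dotted ECS field name against a nested document; None if missing."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def field_equals(doc: Dict[str, Any], dotted: str, wanted: str) -> bool:
    """KQL `field:value`: true if the field holds the value or, for a
    multi-valued field such as event.type, contains it."""
    value = get_path(doc, dotted)
    if isinstance(value, list):
        return wanted in value
    return value == wanted


def field_exists(doc: Dict[str, Any], dotted: str) -> bool:
    """KQL `field:*`, i.e. an exists query. Missing fields, null and empty
    arrays count as absent. An empty string on a keyword field is still an
    indexed term, so it counts as present (assumption: keyword mapping)."""
    value = get_path(doc, dotted)
    if value is None:
        return False
    if isinstance(value, list):
        return any(item is not None for item in value)
    return True


def matches_rule(doc: Dict[str, Any]) -> bool:
    """The rule's predicate, clause for clause."""
    return (
        field_equals(doc, "event.type", "creation")
        and field_equals(doc, "event.module", "zoom")
        and field_equals(doc, "event.dataset", "zoom.webhook")
        and field_equals(doc, "event.action", "meeting.created")
        and not field_exists(doc, "zoom.meeting.password")
    )


def passcode_less_meetings(events: List[Dict[str, Any]]) -> List[str]:
    """Meeting ids that the rule would alert on, in input order."""
    return [str(get_path(e, "zoom.meeting.id")) for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(passcode_less_meetings(SAMPLE_EVENTS))  # ['91001', '91003']
```

The last two sample documents show the edge of `not zoom.meeting.password:*`: a null passcode is treated as absent and alerts, whereas an empty string is an indexed term on a keyword field and keeps the rule silent. If your ingest pipeline can produce an empty string for a missing passcode, normalise it to null (or drop the field) before the rule sees it, otherwise those meetings are missed.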
