Zoom Meeting with no Passcode

This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting in the shutdown of the session.

Elastic rule

[metadata]
creation_date = "2020/09/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"

[rule]
author = ["Elastic"]
description = """
This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to
Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode.
Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video
conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material
that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.
"""
index = ["filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Zoom Meeting with no Passcode"
references = [
    "https://blog.zoom.us/a-message-to-our-users/",
    "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic",
]
risk_score = 47
rule_id = "58ac2aa5-6718-427c-a845-5f3ac5af00ba"
setup = """## Setup

The Zoom Filebeat module or similarly structured data is required to be compatible with this rule."""
severity = "medium"
tags = [
    "Data Source: Zoom",
    "Use Case: Configuration Audit",
    "Tactic: Initial Access"
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.type:creation and event.module:zoom and event.dataset:zoom.webhook and
  event.action:meeting.created and not zoom.meeting.password:*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
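To see how the query's clauses combine, the following Python snippet is an added example (not code from the Elastic rule repository) that evaluates the same predicate over constructed, ECS-shaped Zoom webhook documents. The field names are those used in the rule; the documents are made up, and the treatment of `zoom.meeting.password:*` as an exists check that an empty string still satisfies is an assumption based on Elasticsearch keyword-field semantics.

```python
# Added example: replays the rule's KQL predicate over constructed documents.

def get_field(doc, dotted):
    """Resolve a dotted ECS field name against a nested dict (None if absent)."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def field_matches(doc, dotted, wanted):
    """KQL `field:value` matches a scalar or any element of an array field."""
    value = get_field(doc, dotted)
    return wanted in value if isinstance(value, list) else value == wanted

def field_exists(doc, dotted):
    """KQL `field:*` is an exists query. Assumption (keyword mapping, no
    null_value): any present value counts, even "", while null or [] do not."""
    value = get_field(doc, dotted)
    return value is not None and value != []

def matches_rule(doc):
    """Mirror the rule's query: a Zoom meeting created without a passcode."""
    return (
        field_matches(doc, "event.type", "creation")
        and field_matches(doc, "event.module", "zoom")
        and field_matches(doc, "event.dataset", "zoom.webhook")
        and field_matches(doc, "event.action", "meeting.created")
        and not field_exists(doc, "zoom.meeting.password")
    )

def make_event(meeting_id, action="meeting.created", **meeting_fields):
    """Build a constructed document shaped like Zoom Filebeat module output."""
    return {
        "event": {"type": ["creation"], "module": "zoom",
                  "dataset": "zoom.webhook", "action": action},
        "zoom": {"meeting": {"id": meeting_id, **meeting_fields}},
    }

SAMPLE_EVENTS = [  # constructed sample input
    make_event("111", password="x7Kq2p"),         # passcode set: no alert
    make_event("222"),                            # passcode field absent: alert
    make_event("333", password=""),               # empty string still "exists"
    make_event("444", action="meeting.updated"),  # not a creation: no alert
]

def alerting_meeting_ids(events):
    return [get_field(e, "zoom.meeting.id") for e in events if matches_rule(e)]
```

Note the third sample: a webhook that reports an empty passcode string still satisfies the exists clause, so whether such meetings alert depends on how the ingest pipeline handles empty values.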
