Zoom Meeting with no Passcode
This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing, which is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting in the shutdown of the session.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/09/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"

[rule]
author = ["Elastic"]
description = """
This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to
Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode.
Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video
conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material
that is lewd, obscene, racist, or antisemitic in nature, typically resulting in the shutdown of the session.
"""
index = ["filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Zoom Meeting with no Passcode"
references = [
    "https://blog.zoom.us/a-message-to-our-users/",
    "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic",
]
risk_score = 47
rule_id = "58ac2aa5-6718-427c-a845-5f3ac5af00ba"
setup = """

The Zoom Filebeat module or similarly structured data is required to be compatible with this rule."""
severity = "medium"
tags = [
    "Data Source: Zoom",
    "Use Case: Configuration Audit",
    "Tactic: Initial Access"
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.type:creation and event.module:zoom and event.dataset:zoom.webhook and
  event.action:meeting.created and not zoom.meeting.password:*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
```
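The query above is a single KQL condition: four equality terms that select Zoom `meeting.created` webhook events, plus a negated `zoom.meeting.password:*` exists clause. The following is an added example, not part of the Elastic rule, that re-implements that condition in Python and runs it over a handful of constructed, flattened events shaped like Zoom Filebeat module output. Only the field names that appear in the rule's query come from the page; `zoom.meeting.id` and `zoom.meeting.topic` are assumed for illustration. It also models one edge case worth knowing about when tuning the rule: an Elasticsearch exists query treats an empty-string keyword value as present, so a meeting whose password field is indexed as `""` would not alert, while a missing or null field would.

```python
"""Evaluate the rule's KQL condition over constructed Zoom webhook events.

The events below are hand-made, flattened documents that imitate what the
Zoom Filebeat module produces. Field names other than those in the rule's
query (zoom.meeting.id, zoom.meeting.topic) are assumptions for illustration.
"""
from __future__ import annotations

from typing import Any

# Mirrors the four `field:value` equality terms of the rule's query.
REQUIRED_TERMS = {
    "event.type": "creation",
    "event.module": "zoom",
    "event.dataset": "zoom.webhook",
    "event.action": "meeting.created",
}


def field_exists(event: dict[str, Any], field: str) -> bool:
    """Approximate KQL `field:*`, which compiles to an Elasticsearch exists query.

    Any non-null value counts, including an empty string: a keyword field
    indexed as "" still exists, so the rule would treat such a meeting as
    passcode-protected. A missing field, None, or an empty list does not exist.
    """
    value = event.get(field)
    if value is None:
        return False
    if isinstance(value, list):
        return any(v is not None for v in value)
    return True


def term_matches(event: dict[str, Any], field: str, expected: str) -> bool:
    """KQL equality on a field; ECS fields such as event.type may be arrays."""
    value = event.get(field)
    if isinstance(value, list):
        return expected in value
    return value == expected


def matches_rule(event: dict[str, Any]) -> bool:
    """True when the event satisfies the rule's full query."""
    if not all(term_matches(event, f, v) for f, v in REQUIRED_TERMS.items()):
        return False
    return not field_exists(event, "zoom.meeting.password")


def find_unprotected_meetings(events: list[dict[str, Any]]) -> list[str]:
    """Return the meeting IDs that would raise an alert under this rule."""
    return [e.get("zoom.meeting.id", "<unknown>") for e in events if matches_rule(e)]


def _zoom_event(meeting_id: str, action: str = "meeting.created", **extra: Any) -> dict[str, Any]:
    """Build a constructed Zoom webhook event with the rule's selector fields set."""
    event = {
        "event.type": ["creation"],
        "event.module": "zoom",
        "event.dataset": "zoom.webhook",
        "event.action": action,
        "zoom.meeting.id": meeting_id,
        "zoom.meeting.topic": f"Constructed meeting {meeting_id}",
    }
    event.update(extra)
    return event


# Constructed sample input covering the cases the rule distinguishes.
SAMPLE_EVENTS = [
    # 1001: passcode set -> no alert
    _zoom_event("1001", **{"zoom.meeting.password": "Xy7kQ2"}),
    # 1002: password field absent entirely -> alert
    _zoom_event("1002"),
    # 1003: password indexed as empty string -> exists, so no alert (tuning caveat)
    _zoom_event("1003", **{"zoom.meeting.password": ""}),
    # 1004: wrong event.action (meeting.updated) -> no alert even without passcode
    _zoom_event("1004", action="meeting.updated"),
    # 1005: different module/dataset -> no alert
    {**_zoom_event("1005"), "event.module": "o365", "event.dataset": "o365.audit"},
    # 1006: password present but null -> does not exist, so alert
    _zoom_event("1006", **{"zoom.meeting.password": None}),
]


if __name__ == "__main__":
    for meeting_id in find_unprotected_meetings(SAMPLE_EVENTS):
        print(f"ALERT: Zoom meeting {meeting_id} was created without a passcode")
```

Running the block prints alerts for meetings 1002 and 1006 only. If your Zoom ingest pipeline normalises a missing passcode to an empty string rather than dropping the field, this rule will stay silent; in that situation an additional `or zoom.meeting.password:""` clause, or a pipeline step that removes the empty field, would restore the intended coverage.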
References
- https://blog.zoom.us/a-message-to-our-users/
- https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic
Related rules
- Suspicious Microsoft 365 Mail Access by ClientAppId
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 Impossible travel activity
- Microsoft 365 User Restricted from Sending Email