Zoom Meeting with no Passcode
This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting in the shutdown of the session.
Elastic rule
```toml
[metadata]
creation_date = "2020/09/14"
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to
Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode.
Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video
conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material
that is lewd, obscene, racist, or antisemitic in nature, typically resulting in the shutdown of the session.
"""
index = ["filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Zoom Meeting with no Passcode"
references = [
    "https://blog.zoom.us/a-message-to-our-users/",
    "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic",
]
risk_score = 47
rule_id = "58ac2aa5-6718-427c-a845-5f3ac5af00ba"
setup = """## Setup

The Zoom Filebeat module or similarly structured data is required to be compatible with this rule."""
severity = "medium"
tags = ["Data Source: Zoom", "Use Case: Configuration Audit", "Tactic: Initial Access", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.type:creation and event.module:zoom and event.dataset:zoom.webhook and
  event.action:meeting.created and not zoom.meeting.password:*
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Zoom Meeting with no Passcode

Zoom meetings without passcodes are vulnerable to unauthorized access, known as Zoombombing, where intruders disrupt sessions with inappropriate content. Adversaries exploit this by joining unsecured meetings to cause chaos or gather sensitive information. The detection rule identifies such meetings by monitoring Zoom event logs for sessions created without a passcode, helping to mitigate potential security breaches.

### Possible investigation steps

- Review the Zoom event logs to identify the specific meeting details, including the meeting ID and the organizer's information, using the fields event.type, event.module, event.dataset, and event.action.
- Contact the meeting organizer to verify if the meeting was intentionally created without a passcode and understand the context or purpose of the meeting.
- Check for any unusual or unauthorized participants who joined the meeting by examining the participant logs associated with the meeting ID.
- Assess if any sensitive information was discussed or shared during the meeting that could have been exposed to unauthorized participants.
- Evaluate the need to implement additional security measures, such as enabling passcodes for all future meetings or using waiting rooms to control participant access.

### False positive analysis

- Internal team meetings may be scheduled without a passcode for convenience, especially if all participants are within a secure network. To handle this, create exceptions for meetings initiated by trusted internal users or within specific IP ranges.
- Recurring meetings with a consistent group of participants might not use passcodes to simplify access. Consider excluding these meetings by identifying and whitelisting their unique meeting IDs.
- Training sessions or webinars intended for a broad audience might be set up without passcodes to ease access. Implement a policy to review and approve such meetings in advance, ensuring they are legitimate and necessary.
- Meetings created by automated systems or bots for integration purposes may not require passcodes. Identify these systems and exclude their meeting creation events from triggering alerts.
- In some cases, meetings may be intentionally left without passcodes for public access, such as community events. Establish a process to verify and document these events, allowing them to be excluded from the rule.

### Response and remediation

- Immediately terminate any ongoing Zoom meetings identified without a passcode to prevent further unauthorized access or disruption.
- Notify the meeting host and relevant stakeholders about the security incident, advising them to reschedule the meeting with appropriate security measures, such as enabling a passcode or waiting room.
- Review and update Zoom account settings to enforce mandatory passcodes for all future meetings, ensuring compliance with security policies.
- Conduct a security audit of recent Zoom meetings to identify any other sessions that may have been created without a passcode and take corrective actions as necessary.
- Escalate the incident to the IT security team for further investigation and to assess any potential data breaches or information leaks resulting from the unauthorized access.
- Implement enhanced monitoring and alerting for Zoom meeting creation events to quickly detect and respond to any future instances of meetings being set up without passcodes.
- Coordinate with the communications team to prepare a response plan for any potential public relations issues arising from the incident, ensuring clear and consistent messaging."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
```
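The rule's query replayed in Python against constructed Zoom webhook documents, with the exceptions from the false positive analysis (automation operators, allowlisted recurring meeting IDs) applied on top. This is an added example, not code from Elastic's detection-rules repository; the sample documents, the exception lists, and the field names beyond those in the query (zoom.operator, zoom.meeting.id, zoom.meeting.topic) are assumptions about what the Zoom Filebeat module emits.

```python
"""Replay of the "Zoom Meeting with no Passcode" KQL over constructed webhook documents.

Added example, not Elastic's code. Sample values, exception lists, and the
zoom.operator / zoom.meeting.id / zoom.meeting.topic field names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def _webhook(action: str, operator: str, meeting_id: int, topic: str,
             password: Optional[str] = None) -> Dict:
    """Build one flattened ECS-style document (constructed data, not a capture).

    password=None leaves the field out entirely; "" indexes an empty string.
    """
    doc = {
        "event.module": "zoom",
        "event.dataset": "zoom.webhook",
        "event.action": action,
        # ECS event.type is an array; "creation" for *.created, "change" otherwise
        "event.type": ["creation"] if action.endswith(".created") else ["change"],
        "zoom.operator": operator,       # assumed field: account that issued the call
        "zoom.meeting.id": meeting_id,   # assumed field
        "zoom.meeting.topic": topic,     # assumed field
    }
    if password is not None:
        doc["zoom.meeting.password"] = password
    return doc


# One constructed document per case the rule has to decide.
SAMPLE_EVENTS: List[Dict] = [
    _webhook("meeting.created", "alice@example.com", 91000000001, "Q3 planning", "7hK2pQ"),  # passcode set
    _webhook("meeting.created", "bob@example.com", 91000000002, "All hands"),                 # field absent
    _webhook("meeting.created", "carol@example.com", 91000000003, "Onboarding", ""),          # empty string
    _webhook("meeting.updated", "bob@example.com", 91000000002, "All hands"),                 # not a creation
    _webhook("meeting.created", "calendar-bot@example.com", 91000000004, "Sync"),             # automation
    _webhook("meeting.created", "dave@example.com", 91000000099, "Weekly standup"),           # allowlisted id
]

# Exception lists mirroring the false positive analysis (assumed values).
KNOWN_AUTOMATION_OPERATORS = {"calendar-bot@example.com"}
ALLOWLISTED_MEETING_IDS = {91000000099}


def matches_rule(event: Dict, treat_empty_as_missing: bool = False) -> bool:
    """Evaluate the rule's KQL against one document.

    `not zoom.meeting.password:*` is an exists query, so it is only true when
    the field is absent from the document. A keyword field holding "" is still
    indexed and would not alert; treat_empty_as_missing=True shows what the rule
    would catch if the ingest pipeline dropped empty passcodes instead.
    """
    types = event.get("event.type", [])
    if isinstance(types, str):
        types = [types]
    if "creation" not in types:
        return False
    if event.get("event.module") != "zoom" or event.get("event.dataset") != "zoom.webhook":
        return False
    if event.get("event.action") != "meeting.created":
        return False
    password = event.get("zoom.meeting.password")
    if password is None:
        return True
    return treat_empty_as_missing and password == ""


@dataclass
class Alert:
    meeting_id: int
    operator: str
    topic: str
    suppressed_by: Optional[str] = None  # exception that applied, if any


def run_rule(events: List[Dict], treat_empty_as_missing: bool = False) -> List[Alert]:
    """Apply the rule, then tag alerts that fall under a documented exception."""
    alerts: List[Alert] = []
    for ev in events:
        if not matches_rule(ev, treat_empty_as_missing):
            continue
        reason = None
        if ev.get("zoom.operator") in KNOWN_AUTOMATION_OPERATORS:
            reason = "automation operator"
        elif ev.get("zoom.meeting.id") in ALLOWLISTED_MEETING_IDS:
            reason = "allowlisted recurring meeting"
        alerts.append(Alert(ev["zoom.meeting.id"], ev["zoom.operator"], ev["zoom.meeting.topic"], reason))
    return alerts


def open_alerts(events: List[Dict], treat_empty_as_missing: bool = False) -> List[Alert]:
    """Alerts an analyst still has to triage after the exceptions are applied."""
    return [a for a in run_rule(events, treat_empty_as_missing) if a.suppressed_by is None]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        status = f"suppressed ({alert.suppressed_by})" if alert.suppressed_by else "OPEN"
        print(f"{alert.meeting_id} {alert.operator:<26} {alert.topic:<15} {status}")
```

With the defaults only the meeting whose password field is absent stays open; the automation and allowlisted meetings match the query but are suppressed, and the `meeting.updated` event never matches. Whether Zoom sends an empty string or omits the field for a passcode-less meeting, and whether the module then indexes that empty string, is worth confirming against your own `zoom.webhook` data, since the exists check in the query only covers the absent case.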
Related rules
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 Impossible travel activity
- Microsoft 365 User Restricted from Sending Email
- Suspicious Microsoft 365 Mail Access by ClientAppId