Zoom Meeting with no Passcode

 1[metadata]
 2creation_date = "2020/09/14"
 3maturity = "production"
 4updated_date = "2024/05/21"
 5
 6[rule]
 7author = ["Elastic"]
 8description = """
 9This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to
10Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode.
11Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video
12conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material
13that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.
14"""
15index = ["filebeat-*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "Zoom Meeting with no Passcode"
19references = [
20    "https://blog.zoom.us/a-message-to-our-users/",
21    "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic",
22]
23risk_score = 47
24rule_id = "58ac2aa5-6718-427c-a845-5f3ac5af00ba"
25setup = """## Setup
26
27The Zoom Filebeat module or similarly structured data is required to be compatible with this rule."""
28severity = "medium"
29tags = ["Data Source: Zoom", "Use Case: Configuration Audit", "Tactic: Initial Access"]
30timestamp_override = "event.ingested"
31type = "query"
32
33query = '''
34event.type:creation and event.module:zoom and event.dataset:zoom.webhook and
35  event.action:meeting.created and not zoom.meeting.password:*
36'''
37
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41[[rule.threat.technique]]
42id = "T1190"
43name = "Exploit Public-Facing Application"
44reference = "https://attack.mitre.org/techniques/T1190/"
45
46
47[rule.threat.tactic]
48id = "TA0001"
49name = "Initial Access"
50reference = "https://attack.mitre.org/tactics/TA0001/"