diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml new file mode 100644 index 000000000..53bd8dec3 --- /dev/null +++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml @@ -0,0 +1,49 @@ +[metadata] +creation_date = "2020/09/14" +ecs_version = ["1.6.0"] +maturity = "development" +query_schema_validation = false +updated_date = "2020/09/15" + +[rule] +author = ["Elastic"] +description = """ +This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to +Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. +Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video +conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material +that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session. +""" +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Zoom Meeting with no Passcode" +note = "This rule requires the Zoom Filebeat module." +references = [ + "https://blog.zoom.us/a-message-to-our-users/", + "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic", +] +risk_score = 47 +rule_id = "58ac2aa5-6718-427c-a845-5f3ac5af00ba" +severity = "medium" +tags = ["Elastic", "SecOps", "Continuous Monitoring", "Configuration Audit"] +type = "query" + +query = ''' +event.type:creation and event.module:zoom and event.dataset:zoom.webhook + and event.action:meeting.created and not zoom.meeting.password:* +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/"