
[New Rule] Zoom Meeting With No Passcode #281

@peasead

Description


This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode.

Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting in the shutdown of the session.

Required Info

  • Eventing Sources:
    Filebeat with Zoom module enabled

  • Target Operating Systems:
    Windows, Linux, macOS

  • Platforms
    Zoom

  • Target ECS Version: 1.6.0

  • New fields required in ECS for this? NA

  • Related issues or PRs

Optional Info

Example Data

Meeting with no passcode (what the rule detects)

{
  "_index": "[redacted]",
  "_type": "_doc",
  "_id": "71SB7nMBKeQixZraigDT",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": {
      "type": "http_endpoint"
    },
    "observer": {
      "product": "Webhook",
      "vendor": "Zoom"
    },
    "agent": {
      "name": "[redacted].local",
      "id": "[redacted]",
      "ephemeral_id": "[redacted]",
      "type": "filebeat",
      "version": "8.0.0"
    },
    "@timestamp": "2020-08-14T19:45:32.852Z",
    "ecs": {
      "version": "1.5.0"
    },
    "related": {
      "user": [
        "[redacted]",
        "[redacted]"
      ]
    },
    "service": {
      "type": "zoom"
    },
    "zoom": {
      "account_id": "[redacted]",
      "operator_id": "[redacted]",
      "meeting": {
        "start_time": "2020-08-14T19:45:00Z",
        "timezone": "America/Los_Angeles",
        "topic": "[redacted]",
        "id": [redacted],
        "type": 2,
        "uuid": "[redacted]",
        "host_id": "[redacted]"
      },
      "operator": "[redacted]"
    },
    "fileset": {
      "name": "webhook"
    },
    "event": {
      "duration": 3600000000000,
      "ingested": "2020-08-14T19:45:33.906313Z",
      "timezone": "-05:00",
      "kind": [
        "event"
      ],
      "module": "zoom",
      "action": "meeting.created",
      "type": [
        "info",
        "creation"
      ],
      "dataset": "zoom.webhook"
    },
    "tags": [
      "zoom-webhook",
      "forwarded"
    ]
  },
  "fields": {
    "event.ingested": [
      "2020-08-14T19:45:33.906Z"
    ],
    "@timestamp": [
      "2020-08-14T19:45:32.852Z"
    ],
    "zoom.meeting.start_time": [
      "2020-08-14T19:45:00.000Z"
    ],
    "suricata.eve.timestamp": [
      "2020-08-14T19:45:32.852Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@kibana-highlighted-field@meeting.created@/kibana-highlighted-field@"
    ],
    "event.type": [
      "@kibana-highlighted-field@creation@/kibana-highlighted-field@"
    ],
    "event.kind": [
      "@kibana-highlighted-field@event@/kibana-highlighted-field@"
    ],
    "event.dataset": [
      "@kibana-highlighted-field@zoom.webhook@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1597434332852
  ]
}
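As an added example (not code from the issue or the rule's actual query), the detection logic run in Python over constructed events shaped like the sample document above. It assumes the Filebeat Zoom module maps the meeting passcode to zoom.meeting.password, a field the sample document does not show; the meeting ids and helper names are placeholders.

```python
from typing import Any, Iterable, List, Mapping


def get_path(doc: Mapping[str, Any], path: str) -> Any:
    """Walk a dotted ECS field name (e.g. "event.action") through a nested _source dict."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, Mapping) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_unprotected_meeting_creation(source: Mapping[str, Any]) -> bool:
    """True for a Zoom 'meeting.created' webhook event whose meeting has no passcode.
    Assumption (not stated in the issue): the Filebeat Zoom module stores the passcode
    under zoom.meeting.password; an absent or blank value means none was set."""
    if get_path(source, "event.module") != "zoom":
        return False
    if get_path(source, "event.dataset") != "zoom.webhook":
        return False
    if get_path(source, "event.action") != "meeting.created":
        return False
    passcode = get_path(source, "zoom.meeting.password")
    return passcode is None or str(passcode).strip() == ""


def find_alerts(events: Iterable[Mapping[str, Any]]) -> List[Any]:
    """Return the meeting ids of every event that should raise the alert."""
    return [get_path(e, "zoom.meeting.id") for e in events if is_unprotected_meeting_creation(e)]


def _zoom_event(action: str, meeting: Mapping[str, Any]) -> Mapping[str, Any]:
    """Build a constructed _source document shaped like the page's example event."""
    return {
        "event": {"module": "zoom", "dataset": "zoom.webhook", "action": action,
                  "type": ["info", "creation" if action == "meeting.created" else "change"]},
        "zoom": {"meeting": {"type": 2, **meeting}},
    }


# Constructed sample events (ids are placeholders, not real meeting ids).
SAMPLE_EVENTS = [
    _zoom_event("meeting.created", {"id": 1111, "topic": "weekly sync"}),  # no passcode -> alert
    _zoom_event("meeting.created", {"id": 2222, "password": "s3cret"}),    # passcode set -> no alert
    _zoom_event("meeting.created", {"id": 3333, "password": "   "}),       # blank passcode -> alert
    _zoom_event("meeting.updated", {"id": 4444}),                          # not a creation -> no alert
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # [1111, 3333]
```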
