{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/configuration-audit/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Zoom Meetings"],"_cs_severities":["medium"],"_cs_tags":["zoom","initial-access","configuration-audit","zoombombing"],"_cs_type":"advisory","_cs_vendors":["Zoom"],"content_html":"\u003cp\u003eThis brief focuses on the risk associated with Zoom meetings created without a passcode. When meetings lack this basic security measure, they become vulnerable to \u0026quot;Zoombombing,\u0026quot; where unauthorized individuals disrupt the session with offensive or inappropriate content. The Elastic detection rule, published on 2026-04-10, identifies such meetings by monitoring Zoom event logs. This is particularly relevant for organizations using Zoom for internal and external communication, as the lack of a passcode can lead to reputational damage, exposure of sensitive information, and overall disruption of business operations. Ensuring that all meetings are password-protected is a simple yet effective way to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA Zoom meeting is created by a user without enabling the passcode feature.\u003c/li\u003e\n\u003cli\u003eThe meeting details (including the meeting ID) are potentially shared publicly or become discoverable through automated tools.\u003c/li\u003e\n\u003cli\u003eAttackers or malicious actors identify the unprotected Zoom meeting.\u003c/li\u003e\n\u003cli\u003eAttackers join the meeting without any authentication or authorization.\u003c/li\u003e\n\u003cli\u003eOnce inside the meeting, attackers disrupt the session by sharing inappropriate content (e.g., images, videos, audio).\u003c/li\u003e\n\u003cli\u003eParticipants within the meeting are exposed to the offensive content, leading to disruption and potential reputational damage.\u003c/li\u003e\n\u003cli\u003eThe meeting organizer is forced to terminate the session to stop the disruption.\u003c/li\u003e\n\u003cli\u003eThe organization experiences a loss of productivity and may face public criticism due to the incident.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eFailure to secure Zoom meetings with passcodes can lead to significant disruptions, with potential exposure of sensitive information and reputational damage. While the exact number of victims is difficult to quantify, Zoombombing incidents have affected organizations across various sectors. Successful attacks can result in the shutdown of meetings, loss of productivity, and the need for damage control. The impact extends beyond immediate disruption to potential long-term damage to an organization's reputation and client trust.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect Zoom meetings created without a password.\u003c/li\u003e\n\u003cli\u003eEnable Zoom Filebeat module to properly ingest the Zoom logs required for detection.\u003c/li\u003e\n\u003cli\u003eReview Zoom configuration settings to enforce mandatory passcodes for all future meetings.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and alerting for Zoom meeting creation events to quickly detect and respond to any future instances of meetings being set up without passcodes.\u003c/li\u003e\n\u003cli\u003eEducate users on the importance of using passcodes for all Zoom meetings to prevent unauthorized access and potential disruptions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-zoom-meeting-no-passcode/","summary":"Detection of Zoom meetings created without a passcode, which are susceptible to Zoombombing and potential disruption or exposure of sensitive information.","title":"Zoom Meetings Created Without Passcodes","url":"https://feed.craftedsignal.io/briefs/2024-01-29-zoom-meeting-no-passcode/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Key Vault"],"_cs_severities":["low"],"_cs_tags":["azure","keyvault","configuration-audit","impact","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies modifications to Azure Key Vault, a service that safeguards encryption keys and secrets. Given the sensitivity of the data stored, access should be tightly controlled. This detection uses a new terms rule to identify when Key Vault modifications are performed by a user who hasn't been seen performing this activity within a 14-day period. This activity could indicate compromised credentials, insider threats, or misconfigured access controls. This rule helps security teams quickly identify and respond to potentially unauthorized modifications to sensitive resources within Azure environments, specifically targeting unusual user activity that deviates from established baselines. The original rule was created on 2020/08/31, and updated on 2026/04/10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an Azure account, potentially through credential compromise or account takeover.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised account to authenticate to the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available Key Vault resources within the Azure subscription.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to modify a Key Vault configuration, such as changing access policies, secrets, or encryption keys.\u003c/li\u003e\n\u003cli\u003eThe modification is logged as an Azure Activity Log event with operation name \u003ccode\u003eMICROSOFT.KEYVAULT/VAULTS/*\u003c/code\u003e and event outcome of \u003ccode\u003eSuccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u0026quot;new terms\u0026quot; rule triggers because the user performing the modification (\u003ccode\u003eazure.activitylogs.identity.claims_initiated_by_user.name\u003c/code\u003e) is not a known user of Key Vaults, based on a 14-day history.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified Key Vault configuration to access sensitive data or disrupt services.\u003c/li\u003e\n\u003cli\u003eThe attacker may further attempt to cover their tracks by deleting audit logs or other evidence of their activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eUnauthorized modifications to Azure Key Vault can have significant consequences, including data breaches, service disruptions, and compliance violations. The rule has a low severity and a risk score of 21. If an attacker successfully modifies a Key Vault, they could potentially access sensitive secrets and encryption keys, leading to the compromise of critical applications and data. This could affect multiple organizations that rely on the compromised Key Vault for securing their cloud infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect unusual Key Vault modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the user (\u003ccode\u003eazure.activitylogs.identity.claims_initiated_by_user.name\u003c/code\u003e), the Key Vault resource ID (\u003ccode\u003eazure.activitylogs.resource_id\u003c/code\u003e), and the type of modification (\u003ccode\u003eazure.activitylogs.operation_name\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview Azure Key Vault access policies and ensure that only authorized users and applications have the necessary permissions.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) for all Azure accounts, especially those with access to sensitive resources like Key Vaults.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Activity Logs for any suspicious activity related to Key Vault modifications (Data Source: Azure Activity Logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-keyvault-modified/","summary":"This rule identifies modifications to Azure Key Vaults by unusual users, potentially leading to data breaches or service disruptions through defense evasion or impact operations.","title":"Azure Key Vault Modified by Unusual User","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-keyvault-modified/"}],"language":"en","title":"CraftedSignal Threat Feed - Configuration-Audit","version":"https://jsonfeed.org/version/1.1"}