Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1098-account-manipulation

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

This detection identifies when Zoom user accounts are elevated to privileged roles (Admin or Co-Owner).

Strategy

This detection monitors Zoom operation logs for user role elevation events. The rule focuses on events where a user’s role is changed to either “Co-Owner” or “Admin” roles. The detection analyzes events with @evt.category of “User” and @evt.name values of “Update” or “Batch Update” containing specific messages indicating role changes to privileged positions. Events are grouped by the email address of the user making these changes (@usr.email).

Role elevation is significant because privileged accounts can perform sensitive actions such as managing users, modifying security settings, and changing organizational policies. Unauthorized elevation to these roles provides attackers with extensive capabilities to modify the Zoom environment and potentially maintain persistence.

Triage & Response

• Verify whether the role elevation was authorized through proper channels by checking change management documentation.
• Identify which administrator ({{@usr.email}}) performed the role change and confirm legitimacy.
• Examine the target user whose role was elevated to determine business need for privileged access.
• Review administrative actions performed by the newly privileged user following elevation.
• Examine Zoom audit logs for concurrent administrative actions indicating suspicious behavior.
• Ensure privileged account monitoring and implement documented approval process for role changes.