Content(add): Zoom hardening guide for opsec/endpoint

docs/pages/guides/endpoint-security/index.mdx

@@ -0,0 +1,14 @@
+---
+title: "Endpoint Security"
+---
+
+{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}
+
+# Endpoint Security
+
+> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
+> navigating directory paths directly.
+
+## Pages
+
+- [Zoom Hardening Guide](/guides/endpoint-security/zoom-hardening)

docs/pages/guides/endpoint-security/zoom-hardening.mdx

@@ -0,0 +1,142 @@
+---
+title: "Zoom Hardening Guide | Security Alliance"
+description: "Harden Zoom against remote control attacks like ELUSIVE COMET. Disable remote control, deploy macOS PPPC profiles, and train users to reject social engineering."
+tags:
+  - Security Specialist
+  - Operations & Strategy
+contributors:
+  - role: wrote
+    users: [dickson]
+  - role: reviewed
+    users: []
+  - role: fact-checked
+    users: []
+---
+
+import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components'
+
+<TagProvider>
+<TagFilter />
+
+# Zoom Hardening Guide
+
+<TagList tags={frontmatter.tags} />
+<AttributionList contributors={frontmatter.contributors} />
+
+> 🔑 **Key Takeaway**: Zoom's remote control and accessibility features are active attack vectors. Disable remote control, use browser-based Zoom when possible, deploy PPPC profiles on macOS, and train users to reject unexpected permission requests.
+
+## Why Zoom is a target
+
+Zoom's **remote control** feature allows a participant to request full control of another user's computer once screen sharing is active. Threat actors social-engineer victims into sharing their entire screen, then request remote control to install malware and exfiltrate credentials, private keys, and session tokens.
+
+The most prominent example is **ELUSIVE COMET** — a threat actor impersonating investors, journalists, and podcast hosts to lure crypto holders onto Zoom calls, pressure them into full-screen sharing (claiming audio/video issues), then take over their machine via remote control.
+
+If already compromised, see the [ELUSIVE COMET incident response playbook](/incident-management/playbooks/hacked-elusive-comet).
+
+## Immediate hardening steps
+
+Apply these settings in the [Zoom web portal](https://zoom.us/profile/setting). Sign in, click **Settings** in the left sidebar, then navigate to the **Meeting** tab.
+
+### Required
+
+These mitigations address the specific attack vectors described in the Trail of Bits ELUSIVE COMET research and should be treated as **non-negotiable** for any organization handling sensitive assets.
+
+- [ ] **Disable remote control**: Settings > Meeting > In Meeting (Basic) > Remote control > **OFF**
+- [ ] **Disable participant screen sharing (host only)**: Settings > Meeting > In Meeting (Basic) > Screen sharing > Who can share? > **Host Only**
+- [ ] **Never grant Zoom accessibility permissions (macOS)**: If Zoom prompts for accessibility access, **deny it**. These permissions let remote control interact with your entire system.
+- [ ] **Prefer browser-based Zoom**: Join via `zoom.us/join` instead of the desktop client. No remote control capability, no accessibility permissions.
+- [ ] **Use SSO/OAuth authentication**: Use SSO or OAuth instead of Zoom-native accounts for centralized credential management and MFA.
+- [ ] **Deploy PPPC profiles / revoke TCC permissions (macOS)**: See [macOS mitigations](#macos-specific-mitigations) below.
+- [ ] **Remove Zoom desktop client when possible**: Uninstall entirely to eliminate the attack surface.
+
+### Optional
+
+General Zoom security best practices. These do not directly mitigate the ELUSIVE COMET attack but improve overall meeting security hygiene.
+
+- [ ] **Enable waiting rooms**: Settings > Meeting > Security > Waiting Room > **ON**
+- [ ] **Require meeting passcodes**: Settings > Meeting > Security > Require a passcode when scheduling new meetings > **ON**
+- [ ] **Disable automatic recording**: Settings > Meeting > Recording > Automatic recording > **OFF** (enable only when explicitly needed)
+
+## macOS-specific mitigations
+
+macOS TCC governs per-app accessibility permissions. Trail of Bits published scripts to lock this down:
+
+### Revoke existing Zoom accessibility permissions
+
+If Zoom already has accessibility access, revoke it immediately:
+
+```bash
+# Revoke Zoom's accessibility permissions via tccutil
+tccutil reset Accessibility us.zoom.xos
+```
+
+Verify removal in **System Settings > Privacy & Security > Accessibility** — Zoom should no longer appear or should be toggled off.
+
+### Deploy PPPC profiles to block accessibility requests
+
+PPPC profiles block Zoom from receiving accessibility permissions even if a user clicks "Allow." Deploy fleet-wide via MDM/Jamf or manually via `profiles`/Apple Configurator.
+
+### Complete Zoom uninstallation
+
+All macOS mitigation scripts (PPPC profiles, tccutil, uninstall) are available at:
+[Trail of Bits — Zoom mitigations](https://github.com/trailofbits/it-releases/tree/main/Zoom%20migitations)
+
+## Organizational policies
+
+For teams, DAOs, and organizations handling sensitive assets:
+
+### Prefer alternative meeting platforms for sensitive discussions
+
+Use **Google Meet**, **Jitsi**, or other browser-native platforms for calls involving treasury operations, key ceremonies, or sensitive governance decisions. These platforms do not have a remote control feature.
+
+### Enforce browser-based Zoom when Zoom is required
+
+If a counterparty insists on Zoom, join through the browser (`zoom.us/join`). The web client lacks the remote control feature entirely and cannot request accessibility permissions.
+
+### Regularly purge the Zoom desktop client
+
+Remove the desktop client where not required. On managed fleets, use MDM to block installation.
+
+### Social engineering awareness training
+
+Train all team members on the remote control attack pattern:
+
+1. Attacker schedules a Zoom call (often posing as an investor, journalist, or partner).
+2. Attacker pressures victim to share their **entire screen** (not just a window).
+3. Attacker (or a bot named "Zoom") requests remote control access.
+4. Victim approves the request, and the attacker installs malware.
+
+> **If a meeting participant asks you to share your screen and then requests remote control, END THE CALL IMMEDIATELY.** This is the single most effective defense.
+
+### Meeting hygiene policies
+
+- Only the host should share their screen by default.
+- Never share your entire screen — share a specific window if you must.
+- Do not join meetings from unknown or unsolicited links without verifying the organizer's identity through a separate channel.
+
+## Detection signals
+
+Red flags during a Zoom call that suggest an attack in progress:
+
+| Signal | Why it matters |
+| --- | --- |
+| Asked to share your **entire screen** (not a specific window) | Remote control only works when the full screen is shared |
+| A participant named **"Zoom"** appears in the call | ELUSIVE COMET uses a bot with this display name to send the remote control request |
+| A **remote control request** dialog appears | Legitimate meetings almost never require remote control |
+| Urgency pressure: *"I can't see/hear you, you need to share your whole screen"* | Social engineering tactic to get full-screen access |
+| Request from unknown **"investors"** or **"journalists"** for a Zoom call | Common ELUSIVE COMET pretext — verify identity through independent channels before joining |
+| Zoom suddenly requests **accessibility permissions** on macOS | Indicates an attempt to enable remote control capabilities |
+
+**Response:** Do not approve any request. Leave the call immediately. If compromised, follow the [ELUSIVE COMET playbook](/incident-management/playbooks/hacked-elusive-comet).
+
+## Further reading
+
+- [Trail of Bits — Zoom mitigations (PPPC profiles, tccutil scripts, uninstall scripts)](https://github.com/trailofbits/it-releases/tree/main/Zoom%20migitations)
+- [ELUSIVE COMET incident response playbook](/incident-management/playbooks/hacked-elusive-comet) — what to do if you've already been compromised
+- [SEAL Advisories](https://securityalliance.org) — ongoing threat intelligence for the crypto ecosystem
+- [Zoom Security Settings documentation](https://support.zoom.us/hc/en-us/articles/360043150271-Zoom-security-settings)
+
+---
+
+</TagProvider>
+<ContributeFooter />

vocs.config.tsx

@@ -461,6 +461,13 @@ const config = {
             { text: 'Vercel Security', link: '/guides/account-management/vercel' },
           ]
         },
+        {
+          text: 'Endpoint Security',
+          collapsed: true,
+          items: [
+            { text: 'Zoom Hardening', link: '/guides/endpoint-security/zoom-hardening' },
+          ]
+        },
       ]
     },
     {