keithli_FTNT
Staff
December 1, 2021

Technical Tip: How to use FortiAnalyzer to detect activities related to exploits of Windows Installer vulnerability

Description

This article describes how to use a custom Event Handler in FortiAnalyzer to detect activities related to exploits of the Windows Installer vulnerability.

 

The vulnerability is assigned CVE-2021-41379.

 

What is included in Fortinet_SOC-Windows-Installer-Detection.zip?


1) Windows Installer Zero-Day_event-handler.json
This event handler helps identify exploit attempts detected by FortiGate's antivirus, IPS, and Application Control features.

 

It also relies on FortiClient's antivirus, vulnerability, and web filter detection, as well as FortiSandbox detection.

 

Logs triggering the event handler are generated from the FortiGate, FortiClient and FortiSandbox.


Therefore, the AV signatures on each of those devices should be kept up to date so that exploit attempts are both prevented and logged.
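To make concrete what the event handler is doing on the FortiAnalyzer side, the following added example (not part of the article or of the Fortinet package) walks a handful of constructed FortiGate/FortiClient-style key=value log lines and keeps only the records that name a watched signature or reference CVE-2021-41379. The signature names, device names, and field names such as vulnref are hypothetical placeholders, not Fortinet's real signature or log field names; only the CVE identifier comes from the article.

```python
import re
from typing import Dict, Iterable, List

# CVE identifier from the article. The signature names below are hypothetical
# placeholders, not real FortiGate/FortiClient signature names.
CVE_ID = "CVE-2021-41379"
WATCHED_SIGNATURES = {
    "W32/InstallerTakeOver.Placeholder",           # hypothetical AV signature name
    "MS.Windows.Installer.Placeholder.Elevation",  # hypothetical IPS signature name
}

# Constructed sample lines in the key=value style used by FortiGate and FortiClient logs.
SAMPLE_LOGS = [
    'date=2021-12-01 time=10:15:02 devname="FG-1" type="utm" subtype="virus" '
    'srcip=10.0.0.5 dstip=203.0.113.9 virus="W32/InstallerTakeOver.Placeholder" action="blocked"',
    'date=2021-12-01 time=10:15:03 devname="FG-1" type="utm" subtype="ips" '
    'srcip=10.0.0.5 attack="MS.Windows.Installer.Placeholder.Elevation" action="dropped"',
    'date=2021-12-01 time=10:16:40 devname="FCT-HOST7" type="vulnerability" '
    'hostname="HOST7" vulnname="Windows Installer elevation (constructed)" vulnref="CVE-2021-41379"',
    'date=2021-12-01 time=10:17:00 devname="FG-1" type="traffic" subtype="forward" '
    'srcip=10.0.0.8 dstip=198.51.100.4 action="accept"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fortilog(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping quotes from quoted values."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
        for m in KV_RE.finditer(line)
    }


def match_reason(record: Dict[str, str]) -> str:
    """Return a short reason why the record is of interest, or '' if it is not."""
    for key, value in record.items():
        if value in WATCHED_SIGNATURES:
            return f"{key} matches watched signature {value}"
        if CVE_ID in value:
            return f"{key} references {CVE_ID}"
    return ""


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Mimic the event handler: keep only records that hit a watched signature or the CVE."""
    hits = []
    for line in lines:
        rec = parse_fortilog(line)
        reason = match_reason(rec)
        if reason:
            hits.append({
                "devname": rec.get("devname", "?"),
                "type": rec.get("type", "?"),
                "subtype": rec.get("subtype", "-"),
                "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(hit)
```

The benign traffic line is dropped while the three UTM/vulnerability records are kept, which is exactly the filtering a FortiAnalyzer event handler performs before raising an event; in production the signature set would be the current names published by FortiGuard rather than placeholders.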

Scope

The custom Event Handler and Report provided can be used in FortiAnalyzer 6.4+.

Solution

All screenshots provided below for illustration purposes are taken from FortiAnalyzer 6.4.4.

 

1) Download the Fortinet_SOC-Windows-Installer-Detection.zip file (contains 2 files).

 

2) Unzip Fortinet_SOC-Windows-Installer-Detection.zip.

 

3) Import Windows Installer Zero-Day_event-handler.json into Event Handlers:
- Choose an ADOM (if ADOMs are enabled).
- Choose the FortiSOC module.
- Select Event Handler List.
- Select the Import option under 'More'.
- Select Windows Installer Zero-Day_event-handler.json.

 

(Screenshot: EventHandlerList-FortiDemo.png)

 

Result:

The imported event handler (Windows Installer Zero-Day_event-handler.json) is enabled and will be triggered whenever matching logs are received after the import.