Technical Tip: Using FortiAnalyzer to detect activities related to Active Directory privilege escalation vulnerabilities
- December 27, 2021
**Description**

This article describes how to use a custom event handler in FortiAnalyzer to raise alerts, for incident response purposes, related to the presence of Active Directory elevation of privilege vulnerabilities.

This escalation attack allows attackers to elevate their privilege to Domain Admin once they compromise a regular user in the domain. This vulnerability is assigned CVE-2021-42278 and CVE-2021-42287.

For more information about this attack, see the FortiGuard Outbreak Alert: FortiGuard Outbreak Alert - AD Privilege Escalation.

What is included in Fortinet_SOC-Active-Directory-Detection-v2.zip?

1. This event handler helps identify Active Directory privilege escalation exploit attempts detected in FortiClient and FortiGate IPS logs.
2. ad_privilege_escalation_report.dat: This report displays the findings on the Active Directory privilege escalation outbreak from FortiClient and FortiGate IPS logs.
3. fgt_AD Privilege Escalation_event-handler.json: The event handler for FortiGate ADOMs, configured for FortiGate logs only.
4. fgt_Active Directory Privilege Escalation_report.dat: The report for FortiGate ADOMs, which includes FortiGate charts only.

**Scope**

This event handler and report use FortiGate IPS and FortiClient logs.

**Solution**

All screenshots below are provided for illustration purposes and are taken from FortiAnalyzer 7.0.2.

Result: The event handler is enabled and will be triggered if the appropriate logs are received after the event handler has been imported.

4) Use ad_privilege_escalation_report.dat or fgt_Active Directory Privilege Escalation_report.dat to import into Reports.

Result: 'AD Privilege Escalation Report' can be run at any time, as determined by an admin user.
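The event handler in the package is, at its core, a log filter: it watches FortiGate IPS signature logs for the attack names FortiGuard assigns to this outbreak and raises an event when one arrives. The following added example is not part of the Fortinet article or its event-handler package; it shows the same idea as stand-alone Python that parses FortiOS key=value log lines and flags the matching IPS records. The signature name in `AD_PRIVESC_SIGNATURES` is an assumed placeholder (not a verified FortiGuard signature name), and the log lines are constructed for the demonstration; swap in the signature names from your own FortiGuard IPS package before using this against real logs.

```python
"""
Added example (not from the Fortinet article or its event-handler package):
a minimal detector over FortiGate IPS log lines in FortiOS key=value syslog
format, mirroring what a FortiAnalyzer event-handler filter does.
"""
import re
from typing import Dict, List

# FortiOS log fields are space-separated key=value pairs; values may be quoted
# and contain spaces, so a plain split() on whitespace is not sufficient.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# ASSUMED signature name(s) to alert on: placeholder values, not verified
# FortiGuard IPS signature names. Replace with the names your IPS package uses
# for CVE-2021-42278 / CVE-2021-42287.
AD_PRIVESC_SIGNATURES = {
    "MS.Windows.Active.Directory.sAMAccountName.Privilege.Escalation",
}

# Constructed sample log lines: the field layout follows the FortiOS IPS log
# format, but every value (device names, IPs, attack names) is made up.
SAMPLE_LOGS = [
    'date=2021-12-27 time=10:15:01 devname="FGT-LAB" devid="FGVMEXAMPLE0001" '
    'logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" '
    'severity="critical" srcip=10.10.5.23 dstip=10.10.1.10 srcport=51522 dstport=88 '
    'proto=6 service="KERBEROS" '
    'attack="MS.Windows.Active.Directory.sAMAccountName.Privilege.Escalation" '
    'action="detected" msg="privilege-escalation: sAMAccountName spoofing attempt"',
    'date=2021-12-27 time=10:15:02 devname="FGT-LAB" devid="FGVMEXAMPLE0001" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.10.5.23 dstip=10.10.1.10 srcport=51523 dstport=445 proto=6 action="accept"',
    'date=2021-12-27 time=10:16:40 devname="FGT-LAB" devid="FGVMEXAMPLE0001" '
    'logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" '
    'severity="medium" srcip=10.10.7.4 dstip=10.10.1.10 srcport=40001 dstport=445 '
    'proto=6 attack="SMB.Server.NTLM.Brute.Force" action="dropped"',
]


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_ad_privesc_event(fields: Dict[str, str]) -> bool:
    """Equivalent of the event-handler filter: an IPS signature log whose attack
    name is on the watch list. Both detected and blocked actions are kept, since
    an incident responder wants to see attempts as well as successes."""
    return (
        fields.get("type") == "utm"
        and fields.get("subtype") == "ips"
        and fields.get("attack") in AD_PRIVESC_SIGNATURES
    )


def find_ad_privesc_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed records an event handler would raise an alert on."""
    return [f for f in map(parse_fortios_log, lines) if is_ad_privesc_event(f)]


if __name__ == "__main__":
    for ev in find_ad_privesc_events(SAMPLE_LOGS):
        print(f'{ev["date"]} {ev["time"]} {ev["srcip"]} -> {ev["dstip"]} '
              f'{ev["attack"]} ({ev["action"]}, severity={ev["severity"]})')
```

Run as-is it prints the single IPS record whose attack name is on the watch list; the traffic log and the unrelated IPS signature are ignored. In FortiAnalyzer the same selection is expressed as the log filter inside the event handler, so if you need to extend coverage (for example, to the FortiClient log fields the package also uses), adjust the filter there rather than maintaining a parallel script.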