Technical Tip: Using FortiSIEM to detect Follina Microsoft Office RCE vulnerability | CVE-2022-30190

This article describes how to use a custom Rules in FortiSIEM to raise alerts for incident response related to attacks that attempt to leverage the Follina Microsoft Office remote code execution vulnerability.

The exploit leverages Word's remote template feature to fetch an HTML file from a server, which then makes use of the 'ms-msdt://' URI scheme to run the malicious payload.

For more information, check the FortiGuard outbreak alert.

What is included in Fortinet_FortiSIEM_Follina.zip?

- A FortiSIEM Rule to help with detection.
- A FortiSIEM Report to help with historical reporting.

1) Use Fortinet_FortiSIEM_Follina_Reports_v1.xml as the file to import the Reports.

- Navigate to Resource / Reports.
- It is recommended to create a new group under Resource / Reports / Security called 'Follina' and import reports to this group.

- Select the Import option under More.
- Select Fortinet_FortiSIEM_Follina_Reports_v1.xml and import.

2) Use Fortinet_FortiSIEM_Follina_Rules_v1.xml as the file to import the Rules.

- Navigate to Resource / Rules.
- It is recommended to create a new group under Resource / Rules / Security / Threat Hunting is created called 'Follina' and import the rules to this group.

- Select the Import.

- Select Fortinet_FortiSIEM_Follinat_Rules_v1.xml and import.

- Select the Import.

- Select Fortinet_FortiSIEM_Follina_Rules_v1.xml and import.
- Validate that these Rules are enabled.

FortiSIEM provides content packs for easy installation of these Rules and Reports:

FortiSIEM version 6.4.0:

 https://help.fortinet.com/fsiem/6-4-0/Online-Help/HTML5_Help/content_updates.htm#Content8

FortiSIEM version 6.5.0:

 https://help.fortinet.com/fsiem/6-5-0/Online-Help/HTML5_Help/content_updates.htm#Content2