Technical Tip: Using FortiSIEM to detect Win32k.sys driver exploit | CVE-2022-21882
- February 15, 2022
- 0 replies
- 603 views
| Description | This article describes how to use a custom Rules and Reports in FortiSIEM to raise alerts for incident response related to attacks that attempt to exploit a vulnerability in the Win32k.sys driver. |
| Scope | These Rules and Reports help to detect attempts to gain privilege escalation through an exploit of the Win32k.sys driver based on logs from FortiGates, FortiClients, and FortiProxy.
The custom Rules and Reports provided can be used in FortiSIEM 6.x.
What is included in: Fortinet_FortiSIEM_Win32k_Privilege_Escalation.zip?
1) Fortinet_FortiSIEM_Win32k_Rules_v1.xml These Rules help identify attacks that attempt to exploit a the vulnerability and are detected by FortiGate, FortiClient and FortiSandbox logs.
2) Fortinet_FortiSIEM_Win32k_Report_v1.xml This report displays attacks that attempt to exploit a the vulnerability and are detected by FortiGate, FortiClient and FortiSandbox logs. |
| Solution | The exploit allows a locally authenticated attacker to gain elevated local system or administrator privileges.
This vulnerability is assigned CVE-2022-21882.
1) Download the Fortinet_FortiSIEM_Win32k_Privilege_Escalation.zip(contains 2 file).
2) Unzip Fortinet_FortiSIEM_Win32k_Privilege_Escalation.zip
3) Use Fortinet_FortiSIEM_Win32k_Report_v1.xml as the file to import the Reports.
4) Use Fortinet_FortiSIEM_Win32k_Rules_v1.xml as the file to import the Rules.
https://help.fortinet.com/fsiem/6-4-0/Online-Help/HTML5_Help/content_updates.htm |