This article describes how to use a custom event handler in FortiAnalyzer to raise alerts for incident response related to attacks that attempt to leverage the Microsoft Driver RCE vulnerability - CVE-2022-26809.
A report is also included to analyze past logs for transpired attacks.
This FortiAnalyzer event handler and report will help to detect attempts to send a specially crafted RPC call to an RPC host in an attempt to execute code on the server-side.
Event handler and report are generated based on logs from FortiGate, FortiClient and FortiProxy.
Use the latest IPS and Endpoint Vulnerability packages for detection on FortiGate, FortiClient and FortiProxy.
For information about this attack, see the following FortiGuard Outbreak Alert:
What is included in Fortinet_Windows_RPC_RCE_Vulnerability.zip?
1) Microsoft Windows RPC RCE Vulnerability_event-handler.json .
This event handler helps identify attacks detected by FortiGate, FortiClient, and FortiProxy logs.
2) Microsoft Windows RPC RCE Vulnerability_report.dat.
This report displays the findings on Remote Code Execution attacks from FortiGates, FortiClient, and FortiProxy logs.
3) fgt_Microsoft Windows RPC RCE Vulnerability_event-handler.json.
The event handler for FortiGate ADOMs is configured for FortiGate logs only.
4) fgt_Microsoft Windows RPC RCE Vulnerability_report.dat.
The report for FortiGate ADOMs includes FortiGate charts only.
All screenshots provided below for illustration purposes are taken from FortiAnalyzer 7.0.3.
1) Download the Fortinet_Windows_RPC_RCE_Vulnerability.zip file (contains 4 files).
2) Unzip Fortinet_Windows_RPC_RCE_Vulnerability.zip.
3) Import Microsoft Windows RPC RCE Vulnerability_event-handler.json or fgt_Microsoft Windows RPC RCE Vulnerability_event-handler.json event handler:
- Choose an ADOM (if ADOMs are enabled). The ADOM may be of type Fabric or FortiGate:
- Choose the FortiSOC module.
- Select Event Handler List.
- Select the Import option under More.
- Select the appropriate event handler depending on the ADOM type.
The event handler is enabled and will be triggered if the appropriate logs are received following the import of the event handler.
Edit the event handler to customize the notification section.
4) Import Microsoft Windows RPC RCE Vulnerability_report.dat or fgt_Microsoft Windows RPC RCE Vulnerability_report.dat to Reports:
- Choose an ADOM (if ADOMs are enabled). ADOM may be of type Fabric or FortiGate.
- Select the appropriate file for the ADOM type to add the report to the ADOM.
The Microsoft Windows RPC RCE Vulnerability_report can be run anytime as determined by an admin user.