FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
mrobson
Staff
Staff
Article Id 210312

Introduction

This article describes FortiEDR delivers real-time visibility, analysis, protection and remediation for endpoints. It proactively reduces the endpoint attack surface, prevents malware infection, detects and defuses potential threats in real-time, and can automate response and remediation procedures with customizable playbooks. FortiEDR helps organizations identify and stop breaches in real-time automatically and efficiently, without overwhelming security teams with a slew of false alarms or disrupting business operations.

 

The FortiEDR endpoint agent, called a collector, monitors behaviour on an endpoint identifying anomalous, suspicious and malicious activity. On identification of such activity, the FortiEDR collector blocks the behaviour on the endpoint. Following this identification, key telemetry related to the activity is forwarded to Fortinet Cloud Services (FCS) for verification and enrichment. As part of this enrichment, collector telemetry is analyzed through Machine Learning, executables are analyzed in numerous online sandboxes (including FortiSandbox) and indicators are enriched through integrations with FortiGuard Threat Intelligence feeds. This article provides an overview of how these features provide protection against post-exploitation activity even activity linked to zero-day vulnerabilities that can provide adversary access to an endpoint.

 

Behaviour Detections mitigate unknown threats

 

FortiEDR detections are based on detecting anomalous behaviour rather than solely relying on malicious indicators such as known bad signature lists (like a traditional AV product). As a result, it has consistently demonstrated its ability to detect malicious post-exploitation behaviour associated with recent ‘zero day’ attacks targeting previously unknown vulnerabilities and is consistently effective at identifying previously unseen malware samples.

For example, for the well-known vulnerability PrintNightmare (CVE-2021-34527), FortiEDR detected and stopped the exploit's execution under the 'Privilege Escalation Exploit Detected' rule. Figure 1 shows this behaviour as it appears the following detection through FortiEDR:

 

mrobson_0-1650870049864.png

Figure 1. FortiEDR Privilege Escalation Detected event generated as a result of detected PrintNightmare exploitation

 

As another example, FortiEDR detects and blocks behaviour associated with the exploitation of the Microsoft Exchange vulnerability ProxyShell. This exploitation was detected and blocked out of the box (OOTB). This capability protected FortiEDR customers across the globe and was used on numerous FortiGuard Responder Incident Response engagements to assist with containment and remediation of ProxyShell based compromises. Figure 2 below shows the detection of the w3wp.exe process attempting to execute a malicious executable (dynamically created dll), this behaviour is associated with ProxyShell post-exploitation activity.

 

mrobson_1-1650870049871.png

Figure 2. An attempted execution of a dll (webshell) created as part of ProxyShell exploitation was detected and blocked by FortiEDR

 

Another example shown below demonstrates how FortiEDR’s behaviour based detections allow for the detection of the BottleEK exploit kit. BottleEK redirects users to a landing page through a malvertising website. It then runs the javascript code to check if the user's environment is Japanese, the browser is Internet Explorer, and the version is vulnerable. FortiEDR blocks the execution of ajax.min.js, which runs the initial javascript code. In the event graph below, iexplore.exe spawns wscript.exe to run ajax.min.js that gets blocked by FortiEDR as 'Suspicious script execution'.

 

mrobson_2-1650870049876.png

Figure 3. Suspicious script execution detected and blocked during a BottleEK exploitation attempt

 

FCS Machine learning classification

FortiEDR uses a machine-learning antivirus engine to stop malware pre-execution. This configurable cross-OS NGAV capability comes built into the single, lightweight agent, allowing users to assign anti-malware protection to any endpoint group without requiring additional installation.

 

Machine learning components that form part of Fortinet Cloud Services (FCS) can identify and flag unknown executables identified by collectors as malicious, or as PUPs (Potentially Unwanted Program) based on features they contain. An example of this classification for an unknown file can be seen in Figure 4 below which shows positive detection of a modified CVE-2021-41379 POC executable. This classification as PUP would have prevented the sample from executing and effectively accessing credentials if FortiEDR was in protect mode.

 

mrobson_3-1650870049878.png

Figure 4. 'Automated Analysis' section of a FortiEDR event related to the detection of a CVE-2021-41379 POC showing file classification by FCS machine learning.

 

FCS Automated Analysis data is displayed through the FortiEDR interface, describing why the file was initially flagged as a PUP, then as malicious. This file is a POC for CVE-2021-41379.

To demonstrate how FortiEDR also detects against files with an unknown hash, some random characters to a HermeticWiper sample file were appended and re-executed. In this detection that the hash has changed and does not match a known signature. Regardless of this, FortiEDR still flags this file as suspicious as it is assessed as having a high likelihood of being malicious by the Fortinet Cloud Services machine learning engine. This allows FortiEDR to detect new versions of malware variants without known signatures for an unknown malware sample. This assessment can be seen below in Figure 5.

 

mrobson_4-1650870049880.png

Figure 5. FortiEDR detecting a version of HermeticWiper with an unknown file hash. FortiEDR identified the file as suspicious and this assessment is then validated through the sandbox and ML analysis.

 

In another case, a .NET binary was identified as malicious despite being unknown i.e. hashes and filenames were not flagged as malicious amongst FortiGuard Labs threat intel sources or in VirusTotal. In this case, the files were assessed as malicious on file read and were flagged by FortiEDR’s ‘Execution Prevention Policy’ as an ‘Unconfirmed Executable’. This can be seen in events 7 and 9 in Figure 6 below. Executables classified as unconfirmed contain additional fields not used by the operating system that is often present in malware to complicate execution and reduce the effectiveness of automated analysis.

 

mrobson_5-1650870049888.png

Figure 6. Event graph associated with ‘Unconfirmed Executable’ events related to an unknown but malicious executable.

 

Sandbox detection

In addition to the FCS machine learning classification, unknown executable files are automatically executed on the FCS integrated FortiSandbox. For the example shown below in Figure 7 FCS sandbox analysis gets completed, and the sample was correctly identified as exploiting CVE-2021-41379 and was reclassified as malicious. The reclassification can be observed at the top left of Figure 4, and the correct identification can be observed in Figure 7 below, which shows the FCS sandbox assessment of the sample. This reclassification would have triggered any playbooks configured in a FortiEDR environment to act on a malicious file event, which could result in the file being quarantined, the affected endpoint being isolated, or the file being deleted. This allows the end-user to automate the cleanup of malicious files like this.

 

mrobson_6-1650870049890.png

Figure 7. FCS sandbox classification successfully identified and classified indicators of the CVE-2021-41379 exploit.

 

Post Exploitation

If an exploit is able to execute on a protected system FortiEDR’s advanced real-time detection can also identify malicious payloads that are dynamically loaded by the system processes. For example, in a POC for the PrintNightmare (CVE-2021-34527) vulnerability, the exploit loads a malicious dll file into the spool service. As shown in Figure 8 below, FortiEDR detects the loading of a malicious file and blocks the dll from executing, thereby protecting the endpoint from such an exploit.

 

mrobson_7-1650870049891.png

Figure 8. Malicious dll load detected associated with the exploitation of the PrintNightmare vulnerability.

 

Let’s see one more example related to the exploitation of a Microsoft Equation editor vulnerability (CVE-2017-11882). FortiEDR's advanced real-time detection identifies when the malicious .rtf document is opened, the vulnerability CVE-2017-11882 is exploited to download a malicious payload from the Internet Explorer process. This post-exploitation activity is detected and blocked by FortiEDR as shown in Figure 9 below.

 

mrobson_8-1650870049896.png

Figure 9. Malicious payload injected into an iexplore.exe process following successful exploitation of the CVE-2017-11882 is detected and blocked by FortiEDR.

 

Exfiltration Prevention

Even in the cases where some malware/exploit/malicious code is able to execute in a protected environment, the FortiEDR collector blocks the events where malware is trying to steal credentials or trying to exfiltrate critical information. There are multiple rules in the Exfiltration Prevention Policy triggered in such scenarios. For example, in the case of the Darkside ransomware attack, the ransomware executable attempts to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). This action is blocked by FortiEDR’s “Access to Critical System Information” rule under the Exfiltration Prevention policy as shown in the events seen in Figure 10 below.

 

mrobson_9-1650870049902.png

Figure 10. Credential access by DarkSide ransomware blocked by FortiEDR

 

In another example, FortiEDR detects and blocks command and control behaviour associated with the execution of a Qakbot implant. The example is shown below in Figure 11 and depicts FortiEDR events related to blocking the exfiltration of data collected by the Qakbot sample on infection of a targeted endpoint. The Qakbot executable attempts to connect to its C2 servers for exfiltration of discovery data and request malware updates/command instructions. But when Qakbot tries to connect to its C2 servers, these attempts are detected and blocked by the FortiEDR.

 

mrobson_10-1650870049912.png

Figure 11. FortiEDR detects C2 connection attempts to block exfiltration.

 

Conclusion

As outlined in this article FortiEDR Machine Learning and behaviour based detections rules block and detect both unknown executables and suspicious behaviour. This allows FortiEDR to provide effective protection from a post-exploitation activity even if the activity is conducted as a result of the exploitation of zero-day vulnerabilities. This approach to defending endpoints has protected FortiEDR customers from post-exploitation associated with the Kaseya zero-days, ProxyLogon, ProxyShell, log4shell, PrintNightmare and many others without modification to the FortiEDR collector and will continue to stop future attacks.

 

Contributors