This article describes how to use custom Rules and Reports to detect activity related to the Emotet malware, which has recently been observed in spam campaigns.
What is included in Fortinet_FortiSIEM-Emotet-Malware-Detection.zip?
1. FortiSIEM_Emotet_Rules.xml
These Rules help identify Emotet activity detected by FortiGate AV, IPS, and Application Control, by FortiClient AV, Vulnerability, and Web Filter, and by FortiSandbox. The logs that trigger the Rules are generated by FortiGate, FortiClient, and FortiSandbox, so it is essential that the corresponding AV and IPS signatures on each of these products are kept up to date: an out-of-date signature set neither blocks the activity nor produces the log the Rule needs in order to fire.
2. FortiSIEM_Emotet_Reports.xml
These Reports can be run on a schedule or on demand and help identify Emotet activity detected by FortiGate AV, IPS, and Application Control, by FortiClient AV, Vulnerability, and Web Filter, and by FortiSandbox. The logs the Reports search are generated by FortiGate, FortiClient, and FortiSandbox, so the same requirement applies: keep the corresponding AV and IPS signatures on each product up to date so that the activity is both blocked and logged. The Reports additionally look for a defined set of file hashes that have been observed with Emotet. Because a hash only matches the exact file it was taken from, a hash hit is high-confidence evidence, but the absence of hash hits says nothing about newer Emotet builds that are not yet on the list.
The custom Rules and Reports provided can be used in FortiSIEM 6.2+.
All screenshots provided below for illustration purposes are taken from FortiSIEM 6.3.2.
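The two detection paths described above, a signature-name match on the FortiGate UTM event and a file-hash match against a known-bad list, are simple enough to illustrate outside FortiSIEM. The following Python is an added example written for this article; it is not the content of the XML rules or reports and not Fortinet code. The log lines are constructed for the example in FortiGate key="value" syslog style: the field names follow the FortiGate UTM log format, but the device names, addresses, signature names, and hashes are made up, and the assumption that the file hash arrives in a field named `checksum` should be checked against what the device actually emits before reusing this logic.

```python
import re
from typing import Dict, Iterable, List

# Placeholder hashes standing in for an Emotet hash list.
# Constructed for this example; these are NOT real Emotet indicators.
EMOTET_HASHES = {
    "1" * 64,
    "2" * 64,
}

# Constructed FortiGate-style UTM/traffic log lines (not real captures).
SAMPLE_LOGS = [
    'date=2024-01-10 time=10:01:02 devname="FGT-EDGE" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" srcip=10.1.1.25 dstip=203.0.113.7 '
    'virus="W32/Emotet.XYZ!tr" filename="invoice_4431.doc" checksum="' + "1" * 64 + '" action="blocked"',
    'date=2024-01-10 time=10:02:15 devname="FGT-EDGE" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" srcip=10.1.1.25 dstip=198.51.100.9 '
    'attack="Emotet.Botnet" action="dropped"',
    # Generic AV name, but the hash is on the list: only the hash path should fire.
    'date=2024-01-10 time=10:03:40 devname="FGT-EDGE" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" srcip=10.1.1.30 dstip=203.0.113.8 '
    'virus="Suspicious.Doc" filename="report.doc" checksum="' + "2" * 64 + '" action="blocked"',
    # Plain traffic log: must never produce an alert.
    'date=2024-01-10 time=10:04:01 devname="FGT-EDGE" type="traffic" subtype="forward" '
    'srcip=10.1.1.25 dstip=203.0.113.7 action="accept"',
    'date=2024-01-10 time=10:05:22 devname="FGT-EDGE" type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" srcip=10.1.1.40 app="Emotet.Botnet" action="block"',
]

# key=value or key="quoted value" pairs, as FortiGate syslog writes them.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Which UTM subtype carries its signature name in which field.
SIGNATURE_FIELDS = {"virus": "virus", "ips": "attack", "app-ctrl": "app"}


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def classify(fields: Dict[str, str], hashes=EMOTET_HASHES) -> List[str]:
    """Return the reasons (possibly none) this event counts as Emotet activity."""
    reasons: List[str] = []
    if fields.get("type") != "utm":          # only security (UTM) events carry detections
        return reasons
    sig_field = SIGNATURE_FIELDS.get(fields.get("subtype", ""))
    if sig_field and "emotet" in fields.get(sig_field, "").lower():
        reasons.append(f"{fields['subtype']} signature {fields[sig_field]}")
    # Hash field name is an assumption for this example; map to the real field in use.
    if fields.get("checksum", "").lower() in hashes:
        reasons.append("known Emotet hash " + fields["checksum"][:12] + "...")
    return reasons


def detect_emotet(lines: Iterable[str], hashes=EMOTET_HASHES) -> List[Dict[str, str]]:
    """Run both detection paths over raw log lines and collect alerts."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        f = parse_fortigate_log(line)
        reasons = classify(f, hashes)
        if reasons:
            alerts.append({
                "device": f.get("devname", "?"),
                "src": f.get("srcip", "?"),
                "reason": "; ".join(reasons),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_emotet(SAMPLE_LOGS):
        print(alert)
```

Run as-is it reports four of the five constructed lines: the first on both signature and hash, the second and fifth on signature alone, the third on hash alone, and the traffic line on nothing. The same split is what separates the Rules (signature-driven, real time) from the hash checks in the Reports (list-driven, scheduled) on the FortiSIEM side.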
1. Download the Fortinet_FortiSIEM-Emotet-Malware-Detection.zip file (contains 2 files)
2. Unzip Fortinet_FortiSIEM-Emotet-Malware-Detection.zip
3. Use FortiSIEM_Emotet_Reports.xml as the file to import the Reports
a. Navigate to Resource / Reports
b. It is recommended to create a new group under Resource / Reports / Security called “Emotet Attack” and import the reports into this group.
c. Select the Import option under More.
d. Select FortiSIEM_Emotet_Reports.xml and import.
4. Use FortiSIEM_Emotet_Rules.xml as the file to import the Rules
a. Navigate to Resource / Rules
b. It is recommended to create a new group under Resource / Rules / Security / Threat Hunting called “Emotet Attack” and import the rules into this group.
c. Click Import.
d. Select FortiSIEM_Emotet_Rules.xml and import.
e. Filter the rules on “Emotet” and confirm that each imported rule is enabled; a rule that is imported but not enabled will never trigger.
Imported and enabled Rules
Imported Reports
Copyright 2024 Fortinet, Inc. All Rights Reserved.