Description
This article describes how to use custom Rules in FortiSIEM to raise alerts for incident response related to attacks that attempt to leverage the Follina Microsoft Office remote code execution vulnerability.
Scope
The Rules and Reports help to detect attempts to execute remote code using an exploit of MSDT (Microsoft Support Diagnostics Tool), based on logs from FortiGates.
Solution
The exploit leverages Word's remote template feature to fetch an HTML file from a server, which then makes use of the 'ms-msdt://' URI scheme to run the malicious payload.
For more information, check the FortiGuard outbreak alert.
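To make the detection idea above concrete, the following script is an added example, not Fortinet's rule logic and not part of this article. It parses FortiGate-style key=value log lines and flags two indicators of the attack chain just described: an IPS event whose signature name refers to MSDT, and a URL log entry that carries the 'ms-msdt:' URI scheme (directly or percent-encoded). The sample log lines are constructed, the field layout is assumed to follow FortiGate's general key=value convention, and the IPS signature name is a placeholder rather than a real FortiGuard signature.

```python
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote

# Constructed sample lines in FortiGate's key=value log layout. These are not real
# captures: hosts, IPs, URLs and the IPS signature name are placeholders made up
# for this example.
SAMPLE_LOGS = [
    'date=2022-06-01 time=10:15:02 devname="FGT-EDGE" type=utm subtype=webfilter '
    'action=passthrough srcip=10.0.5.23 dstip=203.0.113.10 '
    'url="http://203.0.113.10/templates/report.html" msg="URL belongs to an allowed category"',
    'date=2022-06-01 time=10:15:03 devname="FGT-EDGE" type=utm subtype=ips '
    'action=dropped srcip=10.0.5.23 dstip=203.0.113.10 '
    'attack="PLACEHOLDER.MSDT.Remote.Code.Execution" msg="IPS signature match"',
    'date=2022-06-01 time=10:16:40 devname="FGT-EDGE" type=utm subtype=webfilter '
    'action=passthrough srcip=10.0.5.77 dstip=198.51.100.4 '
    'url="https://198.51.100.4/docs/ms-msdt%3A%2F%2FCONSTRUCTED_PLACEHOLDER" msg="URL allowed"',
    'date=2022-06-01 time=10:17:00 devname="FGT-EDGE" type=traffic subtype=forward '
    'action=accept srcip=10.0.5.23 dstip=192.0.2.8 service="HTTPS" msg="Benign traffic, no url field"',
]

# key=value pairs; values are either a double-quoted string (with \" escapes) or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, unquoting double-quoted values."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def classify_url(url: str) -> Optional[str]:
    """Return a severity if the URL carries the ms-msdt: scheme, else None.

    Percent-decoding first catches the scheme hidden as ms-msdt%3A in a path or query.
    """
    decoded = unquote(url).strip().lower()
    if decoded.startswith("ms-msdt:"):
        return "high"      # the request itself targets the MSDT URI handler
    if "ms-msdt:" in decoded:
        return "medium"    # scheme embedded inside another URL (e.g. a redirector)
    return None


def classify_event(ev: Dict[str, str]) -> Optional[str]:
    """Map one parsed event to an alert severity, or None when it is not of interest."""
    # IPS events: an MSDT-related signature fired on the wire.
    if ev.get("subtype") == "ips" and "msdt" in ev.get("attack", "").lower():
        return "high"
    # URL/webfilter events: inspect the logged URL for the ms-msdt: scheme.
    url = ev.get("url")
    if url:
        return classify_url(url)
    return None           # traffic logs without url/attack fields carry no indicator


def detect_msdt_attempts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run the classifier over raw log lines and return alert records."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_fortigate_line(line)
        severity = classify_event(ev)
        if severity is None:
            continue
        alerts.append({
            "severity": severity,
            "time": f'{ev.get("date", "?")} {ev.get("time", "?")}',
            "srcip": ev.get("srcip", "?"),
            "dstip": ev.get("dstip", "?"),
            "action": ev.get("action", "?"),
            "indicator": ev.get("attack") or ev.get("url", "?"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_msdt_attempts(SAMPLE_LOGS):
        print(alert)
```

Over the constructed sample, the IPS event and the percent-encoded URL produce alerts (high and medium), while the plain HTML fetch and the traffic log do not. The HTML template fetch itself is not flagged because, seen only from a FortiGate, it is indistinguishable from an ordinary web request; correlating it with a following MSDT indicator from the same source is the kind of multi-event logic that belongs in a FortiSIEM Rule rather than a per-line check.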
What is included in Fortinet_FortiSIEM_Follina.zip?
- A FortiSIEM Rule to help with detection.
1) Import the Reports.
- Navigate to Resource / Reports.
- Select Import.
- Use Fortinet_FortiSIEM_Follina_Reports_v1.xml as the file to import the Reports.
2) Import the Rules.
- Select Import.
- Select Fortinet_FortiSIEM_Follina_Rules_v1.xml as the file to import the Rules.
FortiSIEM version 6.4.0: https://help.fortinet.com/fsiem/6-4-0/Online-Help/HTML5_Help/content_updates.htm#Content8
FortiSIEM version 6.5.0: https://help.fortinet.com/fsiem/6-5-0/Online-Help/HTML5_Help/content_updates.htm#Content2
Copyright 2024 Fortinet, Inc. All Rights Reserved.