|
The exploit leverages Word's remote template feature to fetch an HTML file from a server, which then makes use of the 'ms-msdt://' URI scheme to run the malicious payload.
For more information, check the FortiGuard outbreak alert.
What is included in Fortinet_FortiSIEM_Follina.zip?
- A FortiSIEM Rule to help with detection.
- A FortiSIEM Report to help with historical reporting.
1) Use Fortinet_FortiSIEM_Follina_Reports_v1.xml as the file to import the Reports.
- Navigate to Resource / Reports.
- It is recommended to create a new group under Resource / Reports / Security called 'Follina' and import reports to this group.
- Select the Import option under More.
- Select Fortinet_FortiSIEM_Follina_Reports_v1.xml and import.
2) Use Fortinet_FortiSIEM_Follina_Rules_v1.xml as the file to import the Rules.
- Navigate to Resource / Rules.
- It is recommended to create a new group under Resource / Rules / Security / Threat Hunting is created called 'Follina' and import the rules to this group.
- Select the Import.
- Select Fortinet_FortiSIEM_Follinat_Rules_v1.xml and import.
- Select the Import.
- Select Fortinet_FortiSIEM_Follina_Rules_v1.xml and import.
- Validate that these Rules are enabled.
FortiSIEM provides content packs for easy installation of these Rules and Reports:
FortiSIEM version 6.4.0:
https://help.fortinet.com/fsiem/6-4-0/Online-Help/HTML5_Help/content_updates.htm#Content8
FortiSIEM version 6.5.0:
https://help.fortinet.com/fsiem/6-5-0/Online-Help/HTML5_Help/content_updates.htm#Content2
|
