FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
FSM_FTNT
Staff
Article Id 209603
Description

This article describes how to use custom rules in FortiSIEM to raise alerts for incident response related to attacks that attempt to leverage the Microsoft Driver RCE vulnerability (CVE-2022-26809).

Reports are also included to analyze past logs for attacks that have already occurred.

Scope

These FortiSIEM rules and reports help detect attempts to send a specially crafted RPC call to an RPC host in order to execute code on the server side.

The rule and report are generated based on logs from FortiGate, FortiClient and FortiProxy.

Use the latest IPS and Endpoint Vulnerability packages on FortiGate, FortiClient and FortiProxy so that these attempts are detected and logged.

Solution

For information about this attack, see the following FortiGuard Outbreak Alert:

Microsoft Windows RPC RCE Vulnerability

What is included in Fortinet_FortiSIEM_RPC_RCE_Vulnerability.zip?

- A FortiSIEM Rule to help with detection.
- A FortiSIEM Report to help with historical reporting.

Import the Report:

- Navigate to Resource / Reports.
- It is recommended to create a new group under Resource / Reports / Security called 'Windows RPC RCE' and import the report into this group.
- Select the Import option under More.
- Select Fortinet_FortiSIEM_Windows_RPC_RCE_Report_v1.xml and import.

Import the Rules, using Fortinet_FortiSIEM_Windows_RPC_RCE_Rules_v1.xml as the file to import:

- Navigate to Resource / Rules.
- It is recommended to create a new group under Resource / Rules / Security / Threat Hunting called 'Windows RPC RCE Rules' and import the rules into this group.
- Select the Import option.
- Select Fortinet_FortiSIEM_Windows_RPC_RCE_v1.xml and import.
- Filter the rules for those defined in content pack 106 and ensure they are enabled.

For details on FortiSIEM content updates, see:

https://help.fortinet.com/fsiem/6-4-0/Online-Help/HTML5_Help/content_updates.htm