Description

This article describes how to use a custom Event Handler and Report in
FortiAnalyzer to detect activities that may be related to the Microsoft
Exchange vulnerabilities exploited by HAFNIUM.
For more information on the vulnerabilities being exploited, see
the FortiGuard Labs Threat Signal Report:
Out of Band Patches Released for Active Exploitation of Microsoft
Exchange Server
What is included in
Fortinet_SOC-MS-Exchange-Attack-Detection-v3.zip?
1) Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Detection-v3.json
This event handler identifies exploitation attempts against the MS Exchange server
vulnerabilities detected by IPS (CVE-2021-26855, CVE-2021-26857,
CVE-2021-26858, and CVE-2021-27065). In addition, it alerts on data exfiltration attempts detected by FortiGate's AntiVirus signatures.
The logs that trigger the event handler are generated by FortiGate, so the
FortiGate must be configured to block the exploit and the data exfiltration;
otherwise the corresponding logs are not produced.
For the FortiGate to block the exploit when deployed in front of the Exchange
server, the IPS signature database must be version 18.030 or above.
For the FortiGate to block the file hashes identified by Microsoft and so prevent
data exfiltration, the AntiVirus signature database must be version 84.00475 or above.
2) Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Report-v3.dat
A report summarizing findings on attempts to exploit MS Exchange server vulnerabilities, as detected by AV and IPS on FortiGate devices.
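To make concrete what the event handler is matching on, here is an added example (it is not Fortinet's event handler definition, whose exact filter conditions the page does not show) that parses FortiGate key=value UTM logs and flags the two kinds of events described above: IPS hits whose cve field is one of the four listed CVEs, and AntiVirus "infected" hits. The sample log lines, attack and virus names and addresses are constructed for this example; the type, subtype, eventtype, cve, action and virus field names follow the FortiOS log layout, and the set of actions treated as blocking is an assumption. The example also marks events that were logged but not blocked, which is the misconfiguration the paragraph above warns about.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The four CVEs the article lists for the IPS part of the event handler.
EXCHANGE_CVES = frozenset({
    "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065",
})

# Actions that mean the FortiGate actually stopped the event (assumed set).
# An action such as "detected" means the sensor only logged it (monitor mode).
BLOCKING_ACTIONS = frozenset({"dropped", "blocked", "reset"})

# key=value pairs: the value is either a double-quoted string or a bare token.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict (quotes stripped)."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


@dataclass(frozen=True)
class Alert:
    rule: str            # which part of the event handler this mimics
    cve: Optional[str]   # CVE from the IPS log, None for AV hits
    detail: str          # attack or virus name from the log
    srcip: str
    dstip: str
    action: str
    blocked: bool        # False: FortiGate logged the event but did not block it


def _alert(rule: str, f: Dict[str, str], cve: Optional[str], detail: str) -> Alert:
    action = f.get("action", "")
    return Alert(rule, cve, detail, f.get("srcip", "?"), f.get("dstip", "?"),
                 action, action in BLOCKING_ACTIONS)


def match_exchange_exploit(f: Dict[str, str]) -> Optional[Alert]:
    """IPS UTM log whose cve field is one of the four Exchange CVEs."""
    if f.get("type") != "utm" or f.get("subtype") != "ips":
        return None
    cve = f.get("cve", "")
    if cve not in EXCHANGE_CVES:
        return None
    return _alert("exchange-exploit", f, cve, f.get("attack", ""))


def match_exfil_attempt(f: Dict[str, str]) -> Optional[Alert]:
    """AntiVirus UTM log for an infected file, i.e. a signature (hash) hit."""
    if f.get("type") != "utm" or f.get("subtype") != "virus":
        return None
    if f.get("eventtype") != "infected":
        return None
    return _alert("exfiltration-attempt", f, None, f.get("virus", ""))


def triage(lines: Iterable[str]) -> List[Alert]:
    """Run both matchers over raw log lines and collect the alerts."""
    alerts: List[Alert] = []
    for line in lines:
        f = parse_fortigate_log(line)
        a = match_exchange_exploit(f) or match_exfil_attempt(f)
        if a is not None:
            alerts.append(a)
    return alerts


def summarize(alerts: Iterable[Alert]) -> Dict[str, Dict[str, int]]:
    """Per-rule counts of blocked vs. merely detected events (report-style)."""
    out: Dict[str, Dict[str, int]] = {}
    for a in alerts:
        bucket = out.setdefault(a.rule, {"blocked": 0, "not_blocked": 0})
        bucket["blocked" if a.blocked else "not_blocked"] += 1
    return out


# Constructed sample lines in FortiGate key=value layout. Attack names, virus
# names and addresses are made up; only the field names follow FortiOS.
SAMPLE_LOGS = [
    'date=2021-03-04 time=10:15:22 devname="FGT-EDGE" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" severity="critical" srcip=198.51.100.23 '
    'dstip=10.0.10.5 dstport=443 proto=6 action="dropped" '
    'attack="MS.Exchange.Server.Example.Signature" cve="CVE-2021-26855"',
    'date=2021-03-04 time=10:16:01 devname="FGT-EDGE" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" severity="critical" srcip=198.51.100.23 '
    'dstip=10.0.10.5 dstport=443 proto=6 action="detected" '
    'attack="MS.Exchange.Server.Example.Signature.2" cve="CVE-2021-27065"',
    'date=2021-03-04 time=10:17:40 devname="FGT-EDGE" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" srcip=10.0.10.5 dstip=203.0.113.9 '
    'direction="outgoing" action="blocked" virus="W32/Example.Hash" '
    'filename="export.7z" msg="File is infected."',
    'date=2021-03-04 time=10:18:05 devname="FGT-EDGE" type="utm" subtype="ips" '
    'eventtype="signature" srcip=192.0.2.7 dstip=10.0.10.5 action="dropped" '
    'attack="Some.Other.Signature" cve="CVE-2020-0001"',
    'date=2021-03-04 time=10:18:30 devname="FGT-EDGE" type="traffic" '
    'subtype="forward" srcip=10.0.10.5 dstip=10.0.20.8 action="accept"',
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOGS)
    for a in found:
        note = "" if a.blocked else "  <-- logged but NOT blocked: check the IPS/AV profile action"
        print(f"{a.rule:22} {a.cve or '-':15} {a.srcip} -> {a.dstip} {a.action}{note}")
    print(summarize(found))
```

The second sample line is the case to watch for in production: the signature fired, so the event handler would alert, but action="detected" means the FortiGate let the request through. Matching on the cve field rather than on signature names keeps the logic stable across IPS database updates that rename signatures.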
See the Solution section for instructions on how to load the event handler and report into
a FortiAnalyzer unit.
Scope

The custom Event Handler provided can be used in FortiAnalyzer 6.4+.
Solution

All screenshots provided below for illustration purposes are taken
from FortiAnalyzer 6.4.4.
1) Download the Fortinet_SOC-MS-Exchange-Attack-Detection-v3.zip file
(it contains the two files described above).
2) Unzip Fortinet_SOC-MS-Exchange-Attack-Detection-v3.zip.
3) Import Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Detection-v3.json into Event Handlers:
a. Choose an ADOM (if ADOMs are enabled).
b. Choose the FortiSOC module.
c. Select Event Handler List.
d. Select the Import option under "More".
e. Select Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Detection-v3.json.
Result: the event handler Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Detection-v3 is
enabled and will trigger on matching logs received after the import.
4) Import Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Report-v3.dat into Reports:
a. Choose a Fabric ADOM (if ADOMs are enabled).
b. Choose the Report module.
c. Select the Import option under "More".
d. Select Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Report-v3.dat.
Result: the report 'Outbreak_Alert_Service_Hafnium-MS.Exchange-Attack_Report-v3' can be run at any time by an admin user.
Related Articles
Technical Tip: How to use FortiSIEM to detect activities related Microsoft Exchange vulnerabilities ...