FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
keithli_FTNT
Staff
Article Id 198525
Description
This article describes how to use a custom Event Handler and Report in FortiAnalyzer to detect activities that may be related to the DarkSide Ransomware.

For more information on the threat, see the FortiGuard Labs Threat Signal Report:

What is included in Fortinet_SOC-DarkSide-Detection.zip?

1) Outbreak_Alerts_Service_DarkSide_Detection_2.json
This event handler identifies detections logged by FortiGate, FortiClient and FortiSandbox. These systems must therefore be configured to both block and log the events, and their logs must reach FortiAnalyzer: a detection that is not logged, or a log that is never forwarded, will not trigger the handler. The following table summarizes the products and the detection methods.

FortiGate
  IPS: Detects and blocks intrusions.
    • Backdoor trojans have the capability to connect to remote hosts and perform actions against the compromised system
  AV: Detects and blocks malware file transfers.
    • Malware that prevents or restricts the infected user from accessing their system, usually by locking the screen or encrypting the user's files. It then demands payment, usually in the form of cryptocurrency, in order for the system or files to be accessible again.
    • Malware has the capability to propagate by attaching its code to other programs or files
  Botnet C&C: Detects and blocks traffic to known C&C domains.
  DNS Filter: Detects and blocks DNS traffic to known malicious domains associated with this attack.
FortiClient
  AV: FortiGuard AV real-time protection blocks ransomware files.
  Botnet C&C: Detects and blocks traffic to known C&C domains.
FortiSandbox
  Matches file hashes found in FortiSandbox detection logs.
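
As an added example (not part of this article or of the Fortinet_SOC-DarkSide-Detection.zip contents), the following Python maps log records from the three products to the detection methods in the table above and flags any record that was logged but not blocked, which is the configuration requirement stated above. The log lines are constructed to resemble FortiOS key=value logs; the field names and values used for classification (type, subtype, eventtype, action, rating, checksum), the signature and virus names, and the product-to-method mapping are all assumptions and should be verified against the logs your own devices actually send to FortiAnalyzer.

```python
import re
from collections import Counter

# One key=value pair: values may be double-quoted (spaces allowed) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Action values that mean the product stopped the event rather than only
# observing it (assumption modelled on FortiOS log vocabulary).
BLOCKING_ACTIONS = {"block", "blocked", "drop", "dropped", "reset",
                    "quarantine", "deleted"}

# Constructed sample logs: (source product, log line). Field names follow
# FortiOS conventions; signature/virus names and addresses are placeholders.
SAMPLE_LOGS = [
    ("FortiGate", 'date=2021-05-12 time=10:01:02 devname="FGT-EDGE" type="utm" '
                  'subtype="ips" eventtype="signature" severity="critical" '
                  'srcip=10.1.1.20 dstip=203.0.113.50 '
                  'attack="Example.Backdoor.Signature" action="dropped"'),
    ("FortiGate", 'date=2021-05-12 time=10:02:15 devname="FGT-EDGE" type="utm" '
                  'subtype="virus" eventtype="infected" '
                  'virus="Example.Ransom.Sample" filename="invoice.exe" action="blocked"'),
    ("FortiGate", 'date=2021-05-12 time=10:03:40 devname="FGT-EDGE" type="utm" '
                  'subtype="ips" eventtype="botnet" dstip=198.51.100.7 '
                  'msg="Botnet C&C traffic" action="detected"'),
    ("FortiGate", 'date=2021-05-12 time=10:04:05 devname="FGT-EDGE" type="utm" '
                  'subtype="dns" eventtype="dns-response" qname="bad.example" '
                  'action="blocked"'),
    ("FortiClient", 'date=2021-05-12 time=10:05:00 devname="WS-042" subtype="virus" '
                    'virus="Example.Ransom.Sample" action="quarantine"'),
    ("FortiSandbox", 'date=2021-05-12 time=10:06:30 devname="FSA-01" rating="Malicious" '
                     'checksum="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"'),
    # Ordinary traffic log: not a detection, must be ignored.
    ("FortiGate", 'date=2021-05-12 time=10:07:00 devname="FGT-EDGE" type="traffic" '
                  'subtype="forward" srcip=10.1.1.21 action="accept"'),
]


def parse_fortilog(line):
    """Parse a FortiOS-style key=value log line into a dict, stripping quotes."""
    rec = {}
    for key, val in _KV.findall(line):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def classify(source, rec):
    """Map one parsed record to a detection method from the table, or None.

    `source` is the product that produced the log (FortiAnalyzer knows this
    from the sending device). The type/subtype/eventtype values matched here
    are assumptions modelled on FortiOS logs; verify them against real data.
    """
    sub, ev = rec.get("subtype"), rec.get("eventtype")
    if source == "FortiGate" and rec.get("type") == "utm":
        if sub == "ips":
            return "FortiGate Botnet C&C" if ev == "botnet" else "FortiGate IPS"
        if sub == "virus":
            return "FortiGate AV"
        if sub == "dns":
            return "FortiGate DNS Filter"
    elif source == "FortiClient":
        if sub == "virus":
            return "FortiClient AV"
        if ev == "botnet":
            return "FortiClient Botnet C&C"
    elif source == "FortiSandbox":
        # Sandbox verdict on a file hash (assumed field names: rating, checksum).
        if rec.get("rating") in {"Malicious", "High Risk"} and "checksum" in rec:
            return "FortiSandbox"
    return None


def is_blocked(rec):
    """True when the action field shows the event was blocked, not just logged."""
    return rec.get("action", "").lower() in BLOCKING_ACTIONS


def summarize(samples):
    """Count relevant detections per method and list those that were logged but
    not blocked, i.e. where the 'block and log' requirement is not met.
    FortiSandbox records are verdicts, not enforcement, so they are not checked."""
    counts = Counter()
    logged_not_blocked = []
    for source, line in samples:
        rec = parse_fortilog(line)
        method = classify(source, rec)
        if method is None:
            continue  # e.g. ordinary traffic logs
        counts[method] += 1
        if source != "FortiSandbox" and not is_blocked(rec):
            logged_not_blocked.append((method, rec.get("action", "")))
    return counts, logged_not_blocked


if __name__ == "__main__":
    counts, gaps = summarize(SAMPLE_LOGS)
    for method, n in sorted(counts.items()):
        print(f"{method:24s} {n}")
    for method, action in gaps:
        print(f"WARNING: {method} event logged with action={action!r}, not blocked")
```

Running the script on the constructed samples counts one record for each of the six methods in the table, ignores the traffic log, and warns that the FortiGate botnet C&C event was only detected, not blocked; in a real deployment that warning is the cue to review the IPS or botnet C&C profile on the firewall before relying on the event handler.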


2) Outbreak_Alerts_Service_DarkSide_Report_2.dat
A report that summarizes findings on attack attempts, as detected by FortiGate, FortiClient and FortiSandbox using the detection methods in the table above.

See the Solution section for instructions on how to load the event handler and the report into a FortiAnalyzer unit.

Scope
The custom Event Handler and Report provided can be used on FortiAnalyzer 6.4 and later.

Solution

All screenshots provided below for illustration purposes were taken from FortiAnalyzer 6.4.4.

1) Download the Fortinet_SOC-DarkSide-Detection.zip file (contains 2 files)
2) Unzip Fortinet_SOC-DarkSide-Detection.zip
3) Import Outbreak_Alerts_Service_DarkSide_Detection_2.json as an Event Handler:
    a. Choose an ADOM (if ADOMs are enabled)
    b. Open the FortiSOC module
    c. Select Event Handler List
    d. Select the Import option under "More"
    e. Select Outbreak_Alerts_Service_DarkSide_Detection_2.json

Screenshot: EventHandlerList-FortiDemo.png (Event Handler List after the import)

Result: the imported event handler Outbreak_Alerts_Service_DarkSide_Detection_2 is enabled and will trigger when matching logs are received. Only logs received after the import are evaluated by the handler.

4) Import Outbreak_Alerts_Service_DarkSide_Report_2.dat as a Report:
    a. Choose a Fabric ADOM (if ADOMs are enabled)
    b. Open the Report module
    c. Select the Import option under "More"
    d. Select Outbreak_Alerts_Service_DarkSide_Report_2.dat

Screenshot: ImportReport.png (Report import dialog)

Result: the report 'Outbreak_Alerts_Service_DarkSide_Report_2' is available and can be run at any time by an admin user.

