keithli_FTNT
Article Id 195590

Description
This article describes how to use a custom Event Handler and Report in FortiAnalyzer to detect activity related to Microsoft's PrintNightmare vulnerability. This Windows Print Spooler remote code execution vulnerability is tracked as CVE-2021-34527.

For more information on the threat, also see the FortiGuard Lab Threat Signal Report:

What is included in Fortinet_SOC-Printnightmare-Detection.zip?

1) Outbreak_Alerts_Service_PrintNightmare_Detection.json
This event handler identifies indicators detected by the IPS and Endpoint Vulnerability signatures of FortiGate and FortiClient. The logs that trigger the event handler are generated by FortiGate and FortiClient, so it is highly advisable to keep AV, IPS and Endpoint Vulnerability signatures up to date on those products in order to prevent, and log, attempts to exploit the vulnerability.

Signatures have been added to the following signature packages, among others:
Endpoint Vuln Protection 1.250 - various Microsoft Updates for Windows
Endpoint Vuln Protection 1.251 - various Microsoft Updates for Windows

2) Outbreak_Alerts_Service_PrintNightmare_Report.dat
A report that summarizes findings on activity related to the PrintNightmare vulnerability, as detected by the IPS and Endpoint Vulnerability signatures on FortiGate and FortiClient devices.

See the Solution section for instructions on how to load the event handler and report into a FortiAnalyzer unit.


Scope
The custom Event Handler and Report provided can be used in FortiAnalyzer 6.2, FortiAnalyzer 6.4 and FortiAnalyzer 7.0.
Solution

All screenshots provided below for illustration purposes are taken from FortiAnalyzer 6.4.4.
1) Download the Fortinet_SOC-Printnightmare-Detection.zip file (it contains 2 files).
2) Unzip Fortinet_SOC-Printnightmare-Detection.zip.
3) Import Outbreak_Alerts_Service_PrintNightmare_Detection.json into Event Handlers:
    a. Choose an ADOM (if ADOMs are enabled).
    b. Choose the FortiSOC module.
    c. Select Event Handler List.
    d. Select the Import option under "More".
    e. Select Outbreak_Alerts_Service_PrintNightmare_Detection.json.

[Screenshot: EventHandlerList-FortiDemo.png]

Result: Outbreak_Alerts_Service_PrintNightmare_Detection.json is enabled and will be triggered by matching logs received after the event handler was imported.

4) Import Outbreak_Alerts_Service_PrintNightmare_Report.dat into Reports:
    a. Choose a Fabric ADOM (if ADOMs are enabled).
    b. Choose the Report module.
    c. Select the Import option under "More".
    d. Select Outbreak_Alerts_Service_PrintNightmare_Report.dat.

[Screenshot: ImportReport.png]

Result: 'Outbreak_Alerts_Service_PrintNightmare_Report.dat' can be run at any time, as determined by an admin user.
