Description
This article describes how to use custom Rules and Reports in FortiSIEM to detect activity related to Microsoft's PrintNightmare vulnerability, the Windows Print Spooler remote code execution vulnerability tracked as CVE-2021-34527.
For more information on the threat, also see the FortiGuard Labs Threat Signal Report:
These FortiSIEM Reports and Rules identify indicators detected by the IPS and Endpoint Vulnerability signatures of FortiGate and FortiClient. The logs that trigger the rules are generated by FortiGate and FortiClient, so it is strongly advisable to keep AV, IPS and Endpoint Vulnerability signatures up to date on those products: without current signatures an exploitation attempt is neither blocked nor logged, and the rules have nothing to match.
Signatures have been added to (but are not limited to) the following signature packages:
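The following is an added example, not the article's rule pack and not Fortinet code: a stand-alone approximation of what the PrintNightmare rules match, run over FortiGate IPS syslog lines in the standard key=value layout. The log lines, device names, addresses and signature names are constructed for illustration; the "attack" values are placeholders, not real FortiGuard signature names, and the indicator substrings are assumptions to be replaced with the signature names from the deployed packages. It also shows the check a practitioner wants from such a rule: an IPS hit with action="detected" (monitor mode) means the attempt reached the target and should be prioritised over a dropped one.

```python
# Added example, not part of the Fortinet article or its rule pack: a stand-alone
# approximation of what the PrintNightmare rules match, run over constructed
# FortiGate IPS syslog lines. Log lines, device names, addresses and signature
# names are constructed for illustration; the "attack" values are placeholders,
# not real FortiGuard signature names.
import re
from typing import Dict, List

# FortiGate syslog is key=value; string values are double-quoted and may contain spaces.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s]+)')

# Lower-cased substrings of the IPS signature name that mark an event as
# PrintNightmare-related. These are assumptions: replace them with the names
# from the FortiGuard signature packages actually deployed.
PRINTNIGHTMARE_INDICATORS = ("print.spooler", "printnightmare", "cve-2021-34527")

# Constructed sample lines (not real traffic).
SAMPLE_LOGS = [
    'date=2021-07-02 time=10:15:01 devname="fgt-edge-01" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" severity="critical" srcip=10.10.1.50 '
    'dstip=10.20.2.10 dstport=445 service="SMB" action="dropped" '
    'attack="MS.Windows.Print.Spooler.Example.Signature" msg="signature matched"',
    'date=2021-07-02 time=10:15:03 devname="fgt-edge-01" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" severity="high" srcip=10.10.1.77 '
    'dstip=10.20.2.44 dstport=80 service="HTTP" action="dropped" '
    'attack="HTTP.Generic.Example.Signature" msg="signature matched"',
    'date=2021-07-02 time=10:15:05 devname="fgt-edge-01" type="utm" subtype="webfilter" '
    'action="blocked" srcip=10.10.1.50 dstip=203.0.113.9 url="http://203.0.113.9/x" msg="URL blocked"',
    'date=2021-07-02 time=10:16:10 devname="fgt-core-02" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" severity="critical" srcip=10.10.1.50 '
    'dstip=10.20.2.11 dstport=445 service="SMB" action="detected" '
    'attack="Windows.PrintNightmare.Example.Signature" msg="signature matched"',
]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value syslog line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_printnightmare_ips_event(fields: Dict[str, str]) -> bool:
    """True for IPS signature events whose signature name carries a PrintNightmare indicator."""
    if fields.get("subtype") != "ips":
        return False
    attack = fields.get("attack", "").lower()
    return any(ind in attack for ind in PRINTNIGHTMARE_INDICATORS)


def find_printnightmare_events(lines: List[str]) -> List[Dict[str, object]]:
    """Return the matching events, most urgent first.

    An IPS hit with action="detected" means the sensor only observed the
    attempt (monitor mode) and it reached the target, so it sorts ahead of
    action="dropped" or "blocked", where the firewall stopped it.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        fields = parse_fortigate_log(line)
        if is_printnightmare_ips_event(fields):
            hits.append({
                "devname": fields.get("devname", ""),
                "srcip": fields.get("srcip", ""),
                "dstip": fields.get("dstip", ""),
                "attack": fields.get("attack", ""),
                "action": fields.get("action", ""),
                "passed_through": fields.get("action") == "detected",
            })
    hits.sort(key=lambda h: not h["passed_through"])  # stable: detected first
    return hits


if __name__ == "__main__":
    for hit in find_printnightmare_events(SAMPLE_LOGS):
        flag = "NOT BLOCKED" if hit["passed_through"] else "blocked"
        print(f'{hit["devname"]}: {hit["srcip"]} -> {hit["dstip"]} {hit["attack"]} ({flag})')
```

Over the constructed input this flags the two IPS events with Print Spooler indicators, ignores the unrelated IPS and web-filter lines, and lists the action="detected" hit first. The same source address appearing in both hits is the kind of correlation the real-time rules are meant to surface.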
What is included in Fortinet_FortiSIEM_SOC-Printnightmare-Detection.zip?
1. Printnightmare-Reports_v1.xml
The reports can be run on historical data to search for indicators associated with PrintNightmare.
2. Printnightmare-Rules_v1.xml
The rules detect indicators associated with PrintNightmare in real time.
See the Solution section for instructions on how to load these into FortiSIEM.
Scope
The custom Rules and Reports can be loaded into FortiSIEM 6.x versions.
Solution
All screenshots provided below for illustration purposes are taken from FortiSIEM 6.x.
1. Download the Fortinet_FortiSIEM_SOC-Printnightmare-Detection.zip file (contains 2 files).
2. Unzip Fortinet_FortiSIEM_SOC-Printnightmare-Detection.zip
3. Use Printnightmare_Report_v1.xml as the file to import the Reports
a. Navigate to Resource / Reports.
b. It is recommended to create a new group named "Printnightmare Attack" under Resource / Reports / Security and import the reports into this group.
c. Select the Import option under "More".
d. Select Printnightmare_Report_v1.xml and import.
4. Use Printnightmare_Rules_v1.xml as the file to import the Rules
a. Navigate to Resource / Rules.
b. It is recommended to create a new group named "Printnightmare Attack" under Resource / Rules / Security / Threat Hunting and import the rules into this group.
c. Select the Import option under "More".
d. Select Printnightmare_Rules_v1.xml and import.
e. Filter the rules on "Printnightmare" and ensure that they are Enabled; an imported rule that is left disabled generates no incidents.
Screenshot: imported and enabled Rules
Screenshot: imported Reports