Description
This article describes how to use custom Rules and Reports to detect activities that may be related to the Microsoft Exchange vulnerabilities exploited by HAFNIUM.
For more information on the vulnerabilities being exploited, see
the FortiGuard Lab Threat Signal Report:
Out of Band Patches Released for Active Exploitation of Microsoft
Exchange Server
What is included in
Fortinet_FortiSIEM-MS-Exchange-Attack-Detection.zip?
1) HAFNIUM_Report_v1.xml
The Reports can be run on historical data to look for indicators targeting the vulnerabilities.
The Reports “HAFNIUM Infected File Detected by FortiGate” and “HAFNIUM FortiGate IPS Signature Match” identify exploitation of the MS Exchange server vulnerabilities detected by FortiGate IPS (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).
2) HAFNIUM_Rule_v1.xml
The Rules will detect indicators targeting the vulnerability in
real time.
The Rules “HAFNIUM FortiGate Permitted IPS Event” and “HAFNIUM Infected File Detected by FortiGate” identify exploitation of the MS Exchange server vulnerabilities detected by FortiGate IPS (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).
See the Solution section for instructions on how to load these into FortiSIEM.
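As an added illustration that is not part of this article or of the shipped XML, the Python below shows the kind of condition behind a rule such as “HAFNIUM FortiGate Permitted IPS Event”: a FortiGate IPS event that names one of the four Exchange CVEs but where the traffic was only detected rather than dropped. The log lines are constructed, and the cve= field and attack names are assumptions for this sample; in a real deployment FortiSIEM maps the IPS signature to its CVEs for you.

```python
import re
from typing import Dict, List, Optional, Tuple

# CVEs named by the article's HAFNIUM rules and reports.
HAFNIUM_CVES = {"CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"}

# Constructed FortiGate-style IPS log lines (not real captures). The cve=
# field and the attack names are assumptions made for this sample only.
SAMPLE_LOGS = [
    'date=2021-03-03 time=10:15:01 devname="fw01" type="utm" subtype="ips" '
    'eventtype="signature" severity="critical" srcip=203.0.113.10 dstip=192.0.2.25 '
    'dstport=443 action="detected" attack="MS.Exchange.SSRF.Sample" cve="CVE-2021-26855"',
    'date=2021-03-03 time=10:16:42 devname="fw01" type="utm" subtype="ips" '
    'eventtype="signature" severity="critical" srcip=203.0.113.10 dstip=192.0.2.25 '
    'dstport=443 action="dropped" attack="MS.Exchange.FileWrite.Sample" cve="CVE-2021-27065"',
    'date=2021-03-03 time=10:17:05 devname="fw01" type="utm" subtype="webfilter" '
    'action="passthrough" srcip=198.51.100.7 dstip=192.0.2.25 dstport=80',
]

# key=value pairs; values are either double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def classify(line: str) -> Optional[str]:
    """'permitted' if IPS matched a HAFNIUM CVE but only detected it,
    'blocked' if the event was dropped, None if the line is not relevant."""
    ev = parse_fortigate(line)
    if ev.get("type") != "utm" or ev.get("subtype") != "ips":
        return None
    if ev.get("cve") not in HAFNIUM_CVES:
        return None
    return "permitted" if ev.get("action") == "detected" else "blocked"


def find_permitted_hafnium(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Events the real-time rule should raise: the signature fired, but the
    request was not dropped, so the Exchange server may have received it."""
    hits = []
    for line in lines:
        if classify(line) == "permitted":
            ev = parse_fortigate(line)
            hits.append((ev["srcip"], ev["dstip"], ev["cve"], ev["attack"]))
    return hits
```

A permitted hit is the one worth triaging first, since a dropped event means the firewall already stopped the request before it reached the Exchange server.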
Scope
Solution
All screenshots provided below for illustration purposes are taken from FortiSIEM 6.x.
1) Download the Fortinet_FortiSIEM-MS-Exchange-Attack-Detection.zip file (contains 2 files).
2) Unzip Fortinet_FortiSIEM-MS-Exchange-Attack-Detection.zip
3) Use HAFNIUM_Report_v1.xml as the file to import the Reports:
a. Navigate to Resource / Reports.
b. It is recommended that a new group called “HAFNIUM Attack” is created under Resource / Reports / Security and that the reports are imported into this group.
c. Select the Import option under "More".
d. Select HAFNIUM_Report_v1.xml and import.
4) Use HAFNIUM_Rule_v1.xml as the file to import the Rules:
a. Navigate to Resource / Rules.
b. It is recommended that a new group called “HAFNIUM Attack” is created under Resource / Rules / Security / Threat Hunting and that the rules are imported into this group.
c. Click Import.
d. Select HAFNIUM_Rule_v1.xml and import.
e. Filter the rules on HAFNIUM and ensure that they are Enabled.
Screenshot: Imported and enabled Rules
Screenshot: Imported Reports
Related Articles
Technical Tip: How to use FortiAnalyzer to detect activities related Microsoft Exchange vulnerabilit...