LoFP: false positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source).

Techniques

Sample rules

Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952

Description

The following analytic detects attempts to exploit the Fortinet FortiNAC CVE-2022-39952 vulnerability. It identifies HTTP POST requests to the URI configWizard/keyUpload.jsp with a payload.zip file. The detection leverages the Web datamodel, analyzing fields such as URL, HTTP method, and user agent. This activity is significant as it indicates an attempt to exploit a known vulnerability, potentially leading to remote code execution. If confirmed malicious, attackers could gain control over the affected system, schedule malicious tasks, and establish persistent access via a remote command and control (C2) server.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
  WHERE Web.url IN ("*configWizard/keyUpload.jsp*")
  BY Web.http_user_agent, Web.status, Web.http_method,
     Web.url, Web.url_length, Web.src,
     Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter`
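As an added example (not part of this page or the Splunk rule), the same detection logic applied in Python to constructed web access-log lines, grouping hits by source, method, user agent, status and URL the way the tstats search does, with an optional POST-only tightening as the false-positive note suggests. The sample log lines, the regex and the `detect` function are assumptions made for the illustration.

```python
"""Apply the FortiNAC CVE-2022-39952 keyUpload.jsp detection to access logs."""
import re
from datetime import datetime

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOGS = """\
203.0.113.10 - - [22/Feb/2023:10:01:12 +0000] "POST /configWizard/keyUpload.jsp HTTP/1.1" 200 512 "-" "python-requests/2.28.1"
203.0.113.10 - - [22/Feb/2023:10:01:15 +0000] "POST /configWizard/keyUpload.jsp HTTP/1.1" 200 498 "-" "python-requests/2.28.1"
198.51.100.7 - - [22/Feb/2023:10:05:40 +0000] "GET /configWizard/keyUpload.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Feb/2023:10:06:02 +0000] "GET /index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
URL_MARKER = "configWizard/keyUpload.jsp"  # the URI the rule keys on


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def detect(log_text, require_post=False):
    """Mirror the tstats search: count, firstTime, lastTime per group.

    require_post=True applies the tightening from the false-positive note,
    keeping only POST requests to the keyUpload.jsp URI.
    """
    groups = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or URL_MARKER not in ev["url"]:
            continue
        if require_post and ev["method"] != "POST":
            continue
        key = (ev["src"], ev["method"], ev["ua"], ev["status"], ev["url"])
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["time"], "lastTime": ev["time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["time"])
        g["lastTime"] = max(g["lastTime"], ev["time"])
    return [dict(src=k[0], http_method=k[1], http_user_agent=k[2],
                 status=k[3], url=k[4], **v) for k, v in groups.items()]
```

Run as written, the untightened search returns two groups (including the GET browse of the page), while `require_post=True` leaves only the two POST requests from the single source.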