false positives may be present. modify the query as needed to post, or add additional filtering (based on log source).

t1133
t1190
network
splunk

Techniques

T1133
T1190

Sample rules

Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952

source: splunk
technicques:
- T1190
- T1133

Description

The following analytic identifies a recent CVE-2022-39952 released publicly where the URI configWizard/keyUpload.jsp recieves a POST with the payload.zip, from there the POC script will schedule a cron to run the payload and contact the remote C2.

Detection logic


| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*configWizard/keyUpload.jsp*") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter`