Techniques
Sample rules
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
- source: splunk
- technicques:
- T1190
- T1133
Description
The following analytic identifies a recent CVE-2022-39952 released publicly where the URI configWizard/keyUpload.jsp recieves a POST with the payload.zip, from there the POC script will schedule a cron to run the payload and contact the remote C2.
Detection logic
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*configWizard/keyUpload.jsp*") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter`