LoFP / get requests will be noisy and need to be filtered out or removed from the query based on volume. restrict analytic to known publicly facing fortigates, or run analytic as a hunt until properly tuned. it is also possible the user agent may be filtered on report runner or node.js only for the exploit, however, it is unknown at this if other user agents may be used.

Techniques

• T1133
• T1190

Sample rules

Fortinet Appliance Auth bypass

• source: splunk
• technicques:
  • T1190
  • T1133

Description

The following analytic detects attempts to exploit CVE-2022-40684, a Fortinet appliance authentication bypass vulnerability. It identifies REST API requests to the /api/v2/ endpoint using various HTTP methods (GET, POST, PUT, DELETE) that may indicate unauthorized modifications, such as adding SSH keys or creating new users. This detection leverages the Web datamodel to monitor specific URL patterns and HTTP methods. This activity is significant as it can lead to unauthorized access and control over the appliance. If confirmed malicious, attackers could gain persistent access, reroute network traffic, or capture sensitive information.

Detection logic

| tstats `security_content_summariesonly`
         count min(_time) as firstTime
               max(_time) as lastTime

FROM datamodel=Web WHERE

Web.url = "*/api/v2/cmdb/system/admin*"
Web.http_method IN ("GET", "PUT")
BY Web.http_user_agent
   Web.http_method Web.url
   Web.url_length
   Web.src Web.dest

| `drop_dm_object_name("Web")`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `fortinet_appliance_auth_bypass_filter`