Name:Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 id:2038f5c6-5aba-4221-8ae2-ca76e2ca8b97 version:3 date:2024-09-30 author:Michael Haag, Splunk status:production type:TTP Description:The following analytic detects attempts to exploit the Fortinet FortiNAC CVE-2022-39952 vulnerability. It identifies HTTP POST requests to the URI configWizard/keyUpload.jsp with a payload.zip file. The detection leverages the Web datamodel, analyzing fields such as URL, HTTP method, and user agent. This activity is significant as it indicates an attempt to exploit a known vulnerability, potentially leading to remote code execution. If confirmed malicious, attackers could gain control over the affected system, schedule malicious tasks, and establish persistent access via a remote command and control (C2) server. Data_source:
-Palo Alto Network Threat
search:| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*configWizard/keyUpload.jsp*") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter`
how_to_implement:This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. known_false_positives:False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source). References: -https://github.com/horizon3ai/CVE-2022-39952 -https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/ -https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30 drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Fortinet FortiNAC CVE-2022-39952' asset_type:Network confidence:80 cve: - 'CVE-2022-39952' impact:80 message:Potential CVE-2022-39952 against a Fortinet NAC may be occurring against $dest$. mitre_attack_id: - 'T1190' - 'T1133' observable: name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'Web.http_user_agent' - 'Web.http_method' - 'Web.url' - 'Web.url_length' - 'Web.src' - 'Web.dest' - 'sourcetype' risk_score:64 security_domain:network
