Emerging Threatcriticaltest

Fortinet CVE-2018-13379 Exploitation

Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Bhabesh RajCreated Tue Dec 08Updated Mon Jan 02a2e97350-4285-43f2-a63f-d0daff2917382018

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Web Server Log

CategoryWeb Server Log← raw: webserver

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic

detection:
    selection:
        cs-uri-query|contains|all:
            - 'lang=/../../'
            - '/dev/cmdb/sslvpn_websession'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

devco.re

MITRE ATT&CK

Tactics

TA0001 · Initial Access

Techniques

T1190 · Exploit Public-Facing Application

Other

cve.2018-13379detection.emerging-threats

Rule Metadata

Rule ID

a2e97350-4285-43f2-a63f-d0daff291738

Status

test

Level

critical

Type

Emerging Threat

Created

Tue Dec 08

Modified

Mon Jan 02

Author

Bhabesh Raj

Path

rules-emerging-threats/2018/Exploits/CVE-2018-13379/web_cve_2018_13379_fortinet_preauth_read_exploit.yml

Raw Tags

attack.initial-accessattack.t1190cve.2018-13379detection.emerging-threats

View on GitHub