Microsoft Windows RPC RCE Vulnerability
WannaCry about it later or patch it now?
msrc.microsoft/update-guide/en-US/vulnerability/CVE-2022-26809
CVEs: CVE-2022-26809
This vulnerability is a critical remote code execution vulnerability in the Remote Procedure Call Runtime Library. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system.
Background
This vulnerability uses the SMB port. That means if someone were to exploit it and weaponize it with ransomware, it could become as dangerous as WannaCry.
Announced April 12, 2022:
msrc.microsoft/update-guide/en-US/vulnerability/CVE-2022-26809
Latest Developments
April 13, 2022: Fortinet has coverage in both Network IPS and Endpoint Vulnerability detection for this vulnerability. See below for more details on the product mapping. At this time, Microsoft claims there are no known exploits in the wild.
Cyber Kill Chain (product coverage)
FortiDeceptor (Decoy VM V3.3+): FortiDeceptor decoys can detect activities related to the Microsoft Driver RCE vulnerability (CVE-2022-26809).
FortiClient (Vulnerability 1.305): Detect & respond to endpoints vulnerable to the Microsoft RPC-RCE Vulnerability (CVE-2022-26809).
FortiGate (IPS 20.297): Detect activities on exploitation of Microsoft RPC-RCE vulnerability (CVE-2022-26809).
FortiSASE (IPS 20.297): Detect activities on exploitation of Microsoft RPC-RCE vulnerability (CVE-2022-26809).
FortiNDR (IPS 20.297): Detect activities on exploitation of Microsoft RPC-RCE vulnerability (CVE-2022-26809).
FortiADC (IPS 20.297): Detect activities on exploitation of Microsoft RPC-RCE vulnerability (CVE-2022-26809).
FortiProxy (IPS 20.297): Detect activities on exploitation of Microsoft RPC-RCE vulnerability (CVE-2022-26809).
FortiEDR (Post-Execution 3.0+): Detects & blocks post-weaponization activities (shellcode etc.) related to CVE-2022-26809.
Incident Response (Security Operations)
To help customers identify and protect vulnerable systems, FortiAnalyzer, FortiSIEM and FortiSOAR updates are available to raise alerts and escalate to incident response:
FortiAnalyzer Outbreak Detection (Version 1.00053): www.fortiguard/updates/outbreak-detection-service?version=1.00053
FortiAnalyzer Threat Hunting (Version 7.0+): community.fortinet/t5/FortiAnalyzer/Technical-Tip-Using-FortiAnalyzer-to-detect-the-Microsoft-Driver/ta-p/209468
FortiSIEM Threat Hunting (Version 6.2+): community.fortinet/t5/FortiSIEM/Technical-Tip-Using-FortiSIEM-to-detect-Spring4Shell/ta-p/208386?emcs_t=S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufEwyNVZOUUlPVVVPUFk3fDIwODM4NnxTVUJTQ1JJUFRJT05TfGhL
Additional Resources
Microsoft Announcement: msrc.microsoft/update-guide/en-US/vulnerability/CVE-2022-26809
CISA Re-post: v/uscert/ncas/current-activity/2022/04/13/microsoft-releases-advisory-address-critical-remote-code-execution
FortiGuard Threat Signal: www.fortiguard/threat-signal-report/4502
National Vulnerability DB: v/vuln/detail/CVE-2022-26809
[Figure: Cyber Kill Chain stages (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Action) and Endpoint, mapping the product coverage listed above.]