KQL Search

// Detecting BrazenBamboo's FortiClient Exploit: A KQL Approach

// Volexity has identified and reported a vulnerability in Fortinet's Windows VPN client, FortiClient, where user credentials remain in process memory post-authentication. This flaw has been exploited by the threat actor BrazenBamboo through their DEEPDATA malware. BrazenBamboo is also known for the LIGHTSPY malware family. Volexity reported this vulnerability to Fortinet on July 18, 2024, and it was acknowledged on July 24, 2024. However, as of November 15, 2024, the issue remains unresolved, and no CVE number has been assigned.
// The SHA1 file hash of the FortiClient VPN client indicates that nearly 22.8K organizations using Microsoft Defender for Endpoint (MDE) are at risk, highlighting a significant attack surface. To assist defenders, I have included the Volexity blog with comprehensive Indicators of Compromise (IOCs) in the comment section, enabling them to update their monitoring tools for potential BrazenBamboo threat activity. Additionally, I have developed a KQL detection for the DEEPDATA loader.

// https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/

let EndpointWithFortiClient =
DeviceTvmSoftwareInventory
| where SoftwareName has "forticlient"
| distinct DeviceId;
let NewCreatedLowPrevalenceDLL =
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".dll"
| invoke FileProfile(SHA1,10000)
| where GlobalPrevalence <= 50
| join kind=leftouter DeviceFileCertificateInfo on SHA1
| where SignatureState == "Unsigned"
| distinct FileName;
DeviceEvents
| where ActionType == @"DriverLoad"
| where FileName endswith ".dll"
| where FileName has_any(NewCreatedLowPrevalenceDLL)
| where DeviceId has_any(EndpointWithFortiClient)