Detection · medium · experimental

FortiGate - New VPN SSL Web Portal Added

Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate firewall. This behavior has been observed together with modification of the VPN SSL settings.

Marco Pedrinazzi (InTheCyber) | Created Sat Nov 01 | 2bfb6216-0c31-4d20-8501-2629b29a3fa2 | network
Log Source
Product: fortigate
Service: event
Detection Logic
detection:
    selection:
        action: 'Add'
        cfgpath: 'vpn.ssl.web.portal'
    condition: selection
False Positives

A VPN SSL Web Portal can be added for legitimate purposes.
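
The selection above, applied field by field to FortiGate-style event lines and returning the context an analyst needs to judge whether an addition was legitimate. This is an added example, not part of the rule or its repository. It assumes space-separated key=value logs and the field names `user`, `ui` and `cfgobj`; all sample lines are constructed.

```python
import re

# The rule's selection: all fields must match (logical AND).
SELECTION = {"action": "Add", "cfgpath": "vpn.ssl.web.portal"}

# Assumed log shape: space-separated key=value pairs, values optionally quoted.
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# Constructed sample events (not real logs); user/ui/cfgobj fields are assumed.
SAMPLE_LOGS = [
    'date=2025-01-10 time=09:14:02 user="admin" ui="GUI(192.0.2.10)" action="Add" '
    'cfgpath="vpn.ssl.web.portal" cfgobj="portal-test" msg="Add vpn.ssl.web.portal portal-test"',
    # Same object, but an edit: action differs, so no match.
    'date=2025-01-10 time=09:15:40 user="admin" ui="GUI(192.0.2.10)" action="Edit" '
    'cfgpath="vpn.ssl.web.portal" cfgobj="portal-test" msg="Edit vpn.ssl.web.portal portal-test"',
    # Both strings occur in the line, but cfgpath holds a different value.
    'date=2025-01-10 time=09:20:11 user="netops" ui="ssh(198.51.100.7)" action="Add" '
    'cfgpath="firewall.address" cfgobj="vpn.ssl.web.portal" msg="Add firewall.address"',
    # Unquoted, lower-case values: Sigma plain-string matching ignores case.
    'date=2025-01-11 time=02:03:55 user=svc-api ui=jsconsole action=add '
    'cfgpath=vpn.ssl.web.portal cfgobj=guest',
]


def parse_kv(line):
    """Parse one key=value log line into a dict of field -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def matches(event, selection=SELECTION):
    """True when every selection field is present and equal, ignoring case."""
    return all(k in event and event[k].lower() == v.lower()
               for k, v in selection.items())


def triage(lines):
    """Return who/where/what context for each line the selection matches."""
    fields = ("date", "time", "user", "ui", "cfgobj")
    return [{f: ev.get(f) for f in fields}
            for ev in map(parse_kv, lines) if matches(ev)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(hit)
```

The third sample shows why the match is scoped to fields: a substring search for both values over the raw line would flag it.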

Rule Metadata
Rule ID
2bfb6216-0c31-4d20-8501-2629b29a3fa2
Status
experimental
Level
medium
Type
Detection
Created
Sat Nov 01
Path
rules/network/fortinet/fortigate/fortinet_fortigate_new_vpn_ssl_web_portal.yml
Raw Tags
attack.persistence, attack.initial-access, attack.t1133