Detection | medium | experimental
FortiGate - VPN SSL Settings Modified
Detects the modification of VPN SSL Settings (for example, the modification of authentication rules). This behavior has been observed together with the addition of a VPN SSL Web Portal.
Log Source
Product: fortigate
Service: event
Detection Logic
detection:
    selection:
        action: 'Edit'
        cfgpath: 'vpn.ssl.settings'
    condition: selection
False Positives
VPN SSL settings can be changed for legitimate purposes.
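The selection above applied to FortiGate key=value event lines, with a flag for the portal-add pairing the description mentions, to help separate routine changes from suspicious ones. This is an added example, not code from the rule's authors or the Sigma project; the sample log lines, the 30-minute window and the `Add` / `vpn.ssl.web.portal` values used for the portal event are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed FortiGate event log lines (key=value format); not real data.
SAMPLE_LOGS = [
    'date=2025-01-10 time=09:14:02 type="event" subtype="system" user="admin" '
    'ui="GUI(198.51.100.7)" action="Add" cfgpath="vpn.ssl.web.portal" cfgobj="portal-x"',
    'date=2025-01-10 time=09:15:40 type="event" subtype="system" user="admin" '
    'ui="GUI(198.51.100.7)" action="Edit" cfgpath="vpn.ssl.settings" '
    'cfgattr="port[443->10443]" msg="Edit vpn.ssl.settings "',
    'date=2025-01-10 time=09:16:00 type="event" subtype="system" user="admin" '
    'ui="GUI(198.51.100.7)" action="Edit" cfgpath="system.admin" cfgobj="svc"',
    'date=2025-01-12 time=14:00:00 type="event" subtype="system" user="netops" '
    'ui="ssh(192.0.2.10)" action="Edit" cfgpath="vpn.ssl.settings" '
    'cfgattr="idle-timeout[300->600]" msg="Edit vpn.ssl.settings "',
]

# The rule's selection, copied from the page.
SELECTION = {"action": "Edit", "cfgpath": "vpn.ssl.settings"}
# Assumption: field values for the "web portal added" event, derived from the CLI path.
PORTAL_ADD = {"action": "Add", "cfgpath": "vpn.ssl.web.portal"}
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

def parse_kv(line):
    """Parse one key=value log line into a dict; quoted values may contain spaces."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}

def matches(event, selection=SELECTION):
    # Sigma plain string values match the whole field, case-insensitively; all fields are ANDed.
    return all(event.get(f, "").lower() == v.lower() for f, v in selection.items())

def triage(lines, window=timedelta(minutes=30)):
    """Return one alert per settings edit, flagged if a portal add falls within the window."""
    events = []
    for line in lines:
        e = parse_kv(line)
        if "date" in e and "time" in e:  # skip lines without a usable timestamp
            e["_ts"] = datetime.strptime(f'{e["date"]} {e["time"]}', "%Y-%m-%d %H:%M:%S")
            events.append(e)
    adds = [e for e in events if matches(e, PORTAL_ADD)]
    alerts = []
    for e in filter(matches, events):
        paired = any(abs(e["_ts"] - p["_ts"]) <= window for p in adds)
        alerts.append({"time": str(e["_ts"]), "user": e.get("user"), "ui": e.get("ui"),
                       "cfgattr": e.get("cfgattr"), "paired_with_portal_add": paired})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```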
MITRE ATT&CK
Rule Metadata
Rule ID
8b5dacf2-aeb7-459d-b133-678eb696d410
Status
experimental
Level
medium
Type
Detection
Created
Sat Nov 01
Path
rules/network/fortinet/fortigate/fortinet_fortigate_vpn_ssl_settings_modified.yml
Raw Tags
attack.persistence, attack.initial-access, attack.t1133