Detection | medium | experimental

FortiGate - New Administrator Account Created

Detects the creation of an administrator account on a Fortinet FortiGate Firewall.

Author: Marco Pedrinazzi (InTheCyber)
Created: Sat Nov 01
Rule ID: cd0a4943-0edd-42cf-b50c-06f77a10d4c1
Category: network
Log Source
Product: fortigate
Service: event
Detection Logic (1 selector)
detection:
    selection:
        action: 'Add'
        cfgpath: 'system.admin'
    condition: selection
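As an added illustration (not code from the rule or the Sigma project), the selection above applied to FortiGate key=value event lines in Python. Field names follow FortiGate's event log format; the sample log lines are constructed, not real device output.

```python
"""Apply the Sigma selection (action=Add AND cfgpath=system.admin) to FortiGate event logs."""
import re

# Sigma selection from the rule: every listed field must match (logical AND).
SELECTION = {"action": "Add", "cfgpath": "system.admin"}

# FortiGate fields are key=value pairs; values may be double-quoted and contain spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate(line: str) -> dict:
    """Parse one FortiGate syslog line into a dict of field -> value."""
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """Sigma string matching is case-insensitive; all selection fields must match."""
    return all(event.get(k, "").lower() == str(v).lower() for k, v in selection.items())


def find_new_admin_accounts(lines):
    """Return (acting user, new admin object name, source UI) for each matching event."""
    hits = []
    for line in lines:
        ev = parse_fortigate(line)
        # Restrict to the rule's log source (product fortigate, service event).
        if ev.get("type") == "event" and matches_selection(ev):
            hits.append((ev.get("user"), ev.get("cfgobj"), ev.get("ui")))
    return hits


# Constructed sample log lines: one admin creation, one edit, one unrelated object add.
SAMPLE_LOGS = [
    'date=2024-11-01 time=10:15:02 type="event" subtype="system" user="admin" ui="GUI(192.0.2.10)" action="Add" cfgpath="system.admin" cfgobj="ops-backup" msg="Add system.admin ops-backup"',
    'date=2024-11-01 time=10:16:30 type="event" subtype="system" user="admin" ui="GUI(192.0.2.10)" action="Edit" cfgpath="system.admin" cfgobj="ops-backup" msg="Edit system.admin ops-backup"',
    'date=2024-11-01 time=10:17:44 type="event" subtype="system" user="admin" ui="ssh(192.0.2.11)" action="Add" cfgpath="firewall.address" cfgobj="srv-1" msg="Add firewall.address srv-1"',
]

if __name__ == "__main__":
    for user, account, ui in find_new_admin_accounts(SAMPLE_LOGS):
        print(f"ALERT: {user} created admin account {account!r} via {ui}")
```

Only the first sample line fires; the Edit of an existing admin and the Add of a firewall address object do not, which is exactly the boundary the two selection fields draw.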
False Positives

An administrator account can be created for legitimate purposes. Investigate the account details to determine if it is authorized.

MITRE ATT&CK
Persistence (TA0003): T1136.001 Create Account: Local Account
Rule Metadata
Rule ID
cd0a4943-0edd-42cf-b50c-06f77a10d4c1
Status
experimental
Level
medium
Type
Detection
Created
Sat Nov 01
Path
rules/network/fortinet/fortigate/fortinet_fortigate_new_admin_account_created.yml
Raw Tags
attack.persistence, attack.t1136.001