Fortigate SSL VPN Login Followed by SIEM Alert
Detection of initial access via Fortigate SSL VPN login, followed by a SIEM alert, indicating potential malicious activity post-VPN access.
This brief focuses on detecting potential malicious activity following a successful Fortigate SSL VPN login. The alert is triggered when a user successfully logs in to the Fortigate SSL VPN and is subsequently flagged by a SIEM system, indicating suspicious or anomalous behavior after gaining network access. This could signify a compromised account being used for malicious purposes or an attacker leveraging VPN access for lateral movement and data exfiltration. Defenders should investigate these alerts promptly to identify and contain potential breaches. The detection is based on observing VPN logins in conjunction with other security alerts generated by the SIEM.
Attack Chain
- Attacker gains credentials through phishing or credential stuffing (Hypothetical).
- Attacker successfully authenticates to the Fortigate SSL VPN using the compromised credentials.
- Initial access to the internal network is established via the VPN tunnel.
- Attacker performs reconnaissance activities, such as network scanning and enumeration, potentially using tools like Nmap or Bloodhound.
- Malicious activity triggers a SIEM alert (e.g., unusual file access, suspicious process creation, or lateral movement).
- The attacker attempts to escalate privileges on compromised systems using exploits or credential dumping tools like Mimikatz (Hypothetical).
- Attacker moves laterally within the network to gain access to sensitive data or critical systems.
- Data exfiltration is initiated using tools like rclone or scp (Hypothetical), or ransomware is deployed.
Impact
A successful attack following a Fortigate SSL VPN login can lead to significant consequences, including data breaches, financial losses, and reputational damage. By compromising a VPN account, attackers can bypass network perimeter security and gain access to sensitive internal resources. The impact can range from unauthorized access to sensitive data to the complete disruption of business operations through ransomware deployment. Targeted sectors could include any organization relying on Fortigate SSL VPN for remote access.
Detection coverage 2
Fortigate SSL VPN Login Followed by Unusual Process Creation
mediumDetects process creation events following a Fortigate SSL VPN login, indicating potential malicious activity.
Fortigate SSL VPN Login Followed by Network Scan
mediumDetects network scanning activity originating from a host shortly after a Fortigate SSL VPN login.
Detection queries are available on the platform. Get full rules →