FortiGate - New Local User Creation Detection
This brief details the detection of new local user creation on Fortinet FortiGate firewalls, a behavior often leveraged by adversaries for persistence and unauthorized VPN access, underscoring a critical post-exploitation activity for detection engineers.
This threat brief focuses on detecting the creation of new local users on Fortinet FortiGate firewalls, a critical indicator of potential post-compromise activity. While the creation of local users can be legitimate for administrative purposes or VPN access, malicious actors frequently abuse this capability to establish persistence within an environment, maintain access after initial exploitation, or enable unauthorized remote access via VPN. By creating a new, inconspicuous local user, attackers can circumvent existing authentication mechanisms, maintain a backdoor into the network, and potentially escalate privileges. This detection is crucial for security operations centers to identify unauthorized access attempts and potential lateral movement or persistence early in the attack lifecycle, allowing for timely incident response and mitigation.
Impact
The unauthorized creation of local users on a FortiGate firewall can lead to significant impact, including persistent access to the internal network, circumvention of multi-factor authentication, and potential lateral movement to other systems. If successful, attackers can use these newly created accounts to establish VPN connections from outside the network, bypassing perimeter defenses and gaining direct access to sensitive internal resources. This could result in data exfiltration, deployment of malware or ransomware, disruption of critical services, and further compromise of the organizational infrastructure. The primary risk is unauthorized access leading to broader system control and data breaches.
Recommendation
- Deploy the Sigma rule "FortiGate - New Local User Created" to your SIEM and tune it for your environment.
- Investigate all alerts generated by the "FortiGate - New Local User Created" rule immediately to determine the legitimacy of the user creation.
- Review FortiGate configuration changes and audit logs for
action: 'Add'andcfgpath: 'user.local'to ensure all new user accounts are authorized. - Regularly audit existing local user accounts on FortiGate devices to identify any unauthorized or suspicious entries.
Detection coverage 1
FortiGate - New Local User Created
mediumDetects the creation of a new local user on a Fortinet FortiGate Firewall, which could be used for persistence or unauthorized VPN access.
Detection queries are available on the platform. Get full rules →