{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1136.001/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FortiGate Firewall"],"_cs_severities":["medium"],"_cs_tags":["attack.persistence","attack.t1136.001","network-device","fortinet"],"_cs_type":"advisory","_cs_vendors":["Fortinet"],"content_html":"\u003cp\u003eThis detection brief focuses on identifying the creation of new administrator accounts on Fortinet FortiGate firewall devices. Attackers frequently use the creation of new user accounts, particularly those with administrative privileges, as a post-exploitation technique to establish persistence and ensure continued access to compromised environments. While legitimate administrator accounts are routinely created for operational purposes, an unauthorized account creation can signify a successful breach, an insider threat, or the escalation of privileges within the network. This alert is crucial for defenders to identify suspicious activity that could lead to unauthorized configuration changes, data exfiltration, or further network compromise. The provided Sigma rule leverages FortiGate's event logs to pinpoint these critical configuration changes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003e[The source material for this brief focuses on a specific detection capability rather than detailing a full attack chain. Therefore, a complete attack chain cannot be constructed.]\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf an unauthorized administrator account is successfully created on a FortiGate firewall, attackers gain full control over the network's security perimeter. This can lead to a wide range of devastating impacts, including the disablement of security features (e.g., VPNs, IPS, antivirus), creation of rogue network access rules, redirection of traffic, exfiltration of sensitive data, or complete disruption of network services. Such an event provides attackers with a stealthy and persistent foothold, making detection and remediation significantly more challenging and potentially leading to extensive financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;FortiGate - New Administrator Account Created\u0026quot; to your SIEM and tune for your environment to detect unauthorized account creations.\u003c/li\u003e\n\u003cli\u003eEnsure FortiGate event logging is properly configured and integrated with your SIEM to capture \u003ccode\u003ecfgpath: 'system.admin'\u003c/code\u003e events.\u003c/li\u003e\n\u003cli\u003eRegularly review FortiGate access logs for unusual login patterns, especially from newly created accounts.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all administrative accounts on FortiGate devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:52:26Z","date_published":"2026-07-03T13:52:26Z","id":"https://feed.craftedsignal.io/briefs/2026-07-fortigate-new-admin-account/","summary":"This brief describes how to detect the creation of new administrator accounts on Fortinet FortiGate firewalls, a behavior often used by attackers for persistence (ATT\u0026CK T1136.001) or to maintain unauthorized access after initial compromise.","title":"FortiGate - New Administrator Account Created","url":"https://feed.craftedsignal.io/briefs/2026-07-fortigate-new-admin-account/"}],"language":"en","title":"CraftedSignal Threat Feed - Attack.t1136.001","version":"https://jsonfeed.org/version/1.1"}