FortiGate SOCKS Traffic from an Unusual Process

 1[metadata]
 2creation_date = "2025/11/17"
 3integration = ["endpoint", "fortinet_fortigate"]
 4maturity = "production"
 5updated_date = "2026/02/16"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This detection correlates FortiGate's application control SOCKS events with Elastic Defend network event to identify the
11source process performing SOCKS traffic. Adversaries may use a connection proxy to direct network traffic between systems
12or act as an intermediary for network communications to a command and control server to avoid direct connections to their
13infrastructure.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.network-*", "logs-fortinet_fortigate.log-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "FortiGate SOCKS Traffic from an Unusual Process"
20references = [
21    "https://attack.mitre.org/techniques/T1090/",
22    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
23    "https://www.elastic.co/docs/reference/integrations/endpoint"
24]
25risk_score = 47
26rule_id = "6926b708-7964-425f-bed8-6e006379df08"
27severity = "medium"
28tags = [
29    "Domain: Endpoint",
30    "OS: Linux",
31    "OS: Windows",
32    "OS: macOS",
33    "Use Case: Threat Detection",
34    "Tactic: Command and Control",
35    "Data Source: Elastic Defend",
36    "Data Source: Fortinet",
37    "Resources: Investigation Guide",
38]
39type = "eql"
40query = '''
41sequence by source.port, source.ip, destination.ip with maxspan=1m
42 [network where event.dataset == "fortinet_fortigate.log" and event.action == "signature" and network.application in ("SOCKS4", "SOCKS5")]
43 [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
44'''
45note = """## Triage and analysis
46
47### Investigating FortiGate SOCKS Traffic from an Unusual Process
48
49### Possible investigation steps
50
51- Review the process details like command_line, privileges, global relevance and reputation.
52- Review the parent process execution details like command_line, global relevance and reputation.
53- Examine all network connection details performed by the process during last 48h.
54- Examine all localhost network connections performed by the same process to verify if there is any port forwarding with another process on the same machine.
55- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
56
57### False positive analysis
58
59- Browser proxy extensions and Add-ons.
60- Development and deployment tools.
61- Third party trusted tools using SOCKS for network communication.
62
63### Response and remediation
64
65- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
66- Terminate the suspicious processes and all associated children and parents.
67- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
68- Reset credentials for any accounts associated with the source machine.
69- Implement network-level controls to block traffic via SOCKS unless authorized.
70- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
71"""
72
73[[rule.threat]]
74framework = "MITRE ATT&CK"
75
76[[rule.threat.technique]]
77id = "T1090"
78name = "Proxy"
79reference = "https://attack.mitre.org/techniques/T1090/"
80
81
82[rule.threat.tactic]
83id = "TA0011"
84name = "Command and Control"
85reference = "https://attack.mitre.org/tactics/TA0011/"