FortiGate Administrator Account Creation from Unusual Source

This rule detects FortiGate administrator account creation from a source IP address not previously seen performing admin operations on the device. Threat actors exploiting CVE-2026-24858 (FG-IR-26-060) authenticate via FortiCloud SSO bypass and immediately create local administrator accounts for persistence, typically from infrastructure not associated with normal administrative activity.

Elastic rule

[metadata]
creation_date = "2026/01/28"
integration = ["fortinet_fortigate"]
maturity = "production"
updated_date = "2026/01/28"

[rule]
author = ["Elastic"]
description = """
This rule detects FortiGate administrator account creation from a source IP address not previously seen performing
admin operations on the device. Threat actors exploiting CVE-2026-24858 (FG-IR-26-060) authenticate via FortiCloud
SSO bypass and immediately create local administrator accounts for persistence, typically from infrastructure not
associated with normal administrative activity.
"""
from = "now-9m"
index = ["logs-fortinet_fortigate.*"]
interval = "5m"
language = "kuery"
license = "Elastic License v2"
name = "FortiGate Administrator Account Creation from Unusual Source"
note = """## Triage and analysis

### Investigating FortiGate Administrator Account Creation from Unusual Source

This alert indicates that an administrator account was created on a FortiGate device from a source that has not been observed creating administrator accounts during the history window. The rule keys on `fortinet.firewall.ui`, which records the access method together with the source address (for example `GUI(192.0.2.10)` or `ssh(192.0.2.10)`). This is a behavioral indicator rather than a signature: threat actors exploiting SSO bypass vulnerabilities typically operate from infrastructure not previously associated with the device.

### Possible investigation steps

- Review `source.ip` (or the address embedded in `fortinet.firewall.ui`) to determine whether it belongs to a known management network or an authorized administrator location. Check it against hosting ranges that have been associated with this campaign, including The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited.
- Examine `fortinet.firewall.cfgobj` for the name of the newly created account and `fortinet.firewall.cfgattr` for the access profile assigned (especially super_admin, which grants full control of the device).
- Check `source.user.name` to identify the account that performed the creation and verify whether it was itself recently created or reached the device via SSO rather than with local credentials.
- Look for other configuration changes from the same `fortinet.firewall.ui` value, including firewall policy modifications, configuration exports, or VPN user creation.
- Run `get system admin` on the affected FortiGate to list all current administrator accounts and compare against the authorized list.

### False positive analysis

- Authorized administrators connecting from a new location (VPN, travel, new office).
- Known administrators using a different access method than usual (SSH instead of the GUI, or the console), since the new-terms value combines method and address.
- Initial device setup or migration where configuration changes come from temporary infrastructure.
- Managed service providers performing authorized administration from rotating IP addresses.
- Devices on which no administrator account was created during the five-day history window have no baseline to compare against, so the first creation after a quiet period will alert regardless of source.

### Response and remediation

- If unauthorized, immediately delete the newly created administrator account, terminate any active sessions for it and for the account that created it, and audit the creating account for compromise.
- Block the source IP at the perimeter and check other FortiGate devices for activity from the same IP.
- Restore configuration from a known-clean backup taken before the account was created, and rotate all credentials including LDAP/AD accounts connected to the device.
- Upgrade FortiOS to a patched version and disable FortiCloud SSO if not required."""
references = [
    "https://www.fortiguard.com/psirt/FG-IR-26-060",
    "https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios",
    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
    "https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026",
]
risk_score = 47
rule_id = "d08ba1ed-a0a3-4fe0-9c02-e643b9a25a03"
severity = "medium"
tags = [
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
    "Domain: Network",
    "Domain: Identity",
    "Data Source: Fortinet",
    "Data Source: Fortinet FortiGate",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "fortinet_fortigate.log" and
    event.code: "0100044547" and
    fortinet.firewall.cfgpath: "system.admin" and
    fortinet.firewall.action: "Add" and
    fortinet.firewall.ui: (* and not "")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"
[[rule.threat.technique.subtechnique]]
id = "T1136.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1136/001/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.new_terms]
field = "new_terms_fields"
value = ["fortinet.firewall.ui"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-5d"
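To make concrete what the query and the new_terms settings do together, the Python below reproduces the rule's filter and its history-window comparison over a handful of FortiGate log lines. This is an added example, not Elastic's new_terms implementation or the fortinet_fortigate integration's parser; the log lines, addresses and timestamps are constructed, and the way the history window is applied (a baseline built only from query-matching events between history_window_start and the start of the run window) is an assumption about the rule type's behaviour. It also pulls out the fields the triage steps ask for (created account, access profile, method and address) so the super_admin and "known address, new method" cases are visible in the output.

```python
"""Added example: offline reproduction of the rule's KQL filter and new-terms check.
Not Elastic's implementation; the log lines below are constructed for illustration."""
import re
from datetime import datetime, timedelta

# Constructed FortiGate event-log bodies (key=value). Addresses are from documentation
# ranges. logid 0100044547 is the "Object attribute configured" event the rule keys on.
SAMPLE_LOGS = [
    'date=2026-01-24 time=09:12:01 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="GUI(192.0.2.10)" action="Add" cfgtid=100 cfgpath="system.admin" cfgobj="helpdesk" '
    'cfgattr="accprofile[prof_admin]vdom[root]" msg="Add system.admin helpdesk"',
    # A policy edit from the same operator: not an admin creation, so it never matches.
    'date=2026-01-26 time=14:03:44 logid="0100044546" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Attribute configured" user="admin" '
    'ui="ssh(192.0.2.10)" action="Edit" cfgtid=101 cfgpath="firewall.policy" cfgobj="12" '
    'cfgattr="status[enable->disable]" msg="Edit firewall.policy 12"',
    # super_admin account created from an address never seen creating admins.
    'date=2026-01-28 time=03:41:17 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="GUI(198.51.100.77)" action="Add" cfgtid=102 cfgpath="system.admin" '
    'cfgobj="support_tmp" cfgattr="accprofile[super_admin]vdom[root]" '
    'msg="Add system.admin support_tmp"',
    # Known address, but over SSH instead of the GUI: a different ui value, so it
    # also alerts (the false-positive case a reviewer of this rule should expect).
    'date=2026-01-28 time=03:42:05 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="ssh(192.0.2.10)" action="Add" cfgtid=103 cfgpath="system.admin" '
    'cfgobj="backup_ops" cfgattr="accprofile[super_admin]vdom[root]" '
    'msg="Add system.admin backup_ops"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_RE = re.compile(r'^(?P<method>[^(]+)\((?P<ip>[^)]+)\)$')
ACCPROFILE_RE = re.compile(r'accprofile\[([^\]]*)\]')


def parse_line(line):
    """Split a FortiGate key=value line into a dict; quoted values may contain spaces."""
    out = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        out[key] = quoted if quoted is not None else bare
    return out


def matches_rule(ev):
    """The rule's KQL restated: event code 0100044547, cfgpath system.admin,
    action Add, and a non-empty ui (the field the new-terms check keys on)."""
    return (ev.get("logid") == "0100044547"
            and ev.get("cfgpath") == "system.admin"
            and ev.get("action") == "Add"
            and bool(ev.get("ui")))


def event_time(ev):
    return datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")


def enrich(ev):
    """Extract what the triage steps ask for: method and address from ui, the
    created account (cfgobj), its access profile (cfgattr) and the creating user."""
    m = UI_RE.match(ev["ui"])
    prof = ACCPROFILE_RE.search(ev.get("cfgattr", ""))
    profile = prof.group(1) if prof else None
    return {
        "ui": ev["ui"],
        "method": m["method"] if m else ev["ui"],
        "source_ip": m["ip"] if m else None,
        "created_account": ev.get("cfgobj"),
        "accprofile": profile,
        "super_admin": profile == "super_admin",
        "created_by": ev.get("user"),
    }


def new_ui_alerts(lines, now, lookback=timedelta(minutes=9), history=timedelta(days=5)):
    """Approximate the new_terms rule (an assumption about its semantics): alert on every
    query-matching event inside the run window [now-9m, now] whose ui value did not
    occur in a query-matching event during [now-5d, now-9m). Non-matching events never
    contribute to the baseline, so an address seen only for policy edits is still new."""
    matching = [ev for ev in map(parse_line, lines) if matches_rule(ev)]
    window_start = now - lookback
    known = {ev["ui"] for ev in matching
             if now - history <= event_time(ev) < window_start}
    return [enrich(ev) for ev in matching
            if window_start <= event_time(ev) <= now and ev["ui"] not in known]


def demo_alerts():
    """Run the check as if the rule fired at 2026-01-28 03:45 (constructed time)."""
    return new_ui_alerts(SAMPLE_LOGS, datetime(2026, 1, 28, 3, 45))


if __name__ == "__main__":
    for alert in demo_alerts():
        print(alert)
```

Running it produces two alerts: the super_admin account from 198.51.100.77, and backup_ops created over SSH from 192.0.2.10, an address that had only ever created accounts from the GUI. The second one is exactly the method-change false positive to keep in mind when tuning; if the intent is to key on address alone, the new-terms field would need a dedicated source-IP field rather than ui.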
