FortiGate SSO Login Followed by Administrator Account Creation
This rule detects a FortiCloud SSO login followed by administrator account creation on the same FortiGate device within 15 minutes. This sequence is a high-confidence indicator of the FG-IR-26-060 attack pattern, where threat actors authenticate via SAML-based SSO bypass and immediately create local administrator accounts for persistence.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/01/28"
integration = ["fortinet_fortigate"]
maturity = "production"
updated_date = "2026/01/28"

[rule]
author = ["Elastic"]
description = """
This rule detects a FortiCloud SSO login followed by administrator account creation on the same FortiGate device
within 15 minutes. This sequence is a high-confidence indicator of the FG-IR-26-060 attack pattern, where threat
actors authenticate via SAML-based SSO bypass and immediately create local administrator accounts for persistence.
"""
from = "now-30m"
index = ["logs-fortinet_fortigate.*"]
interval = "10m"
language = "eql"
license = "Elastic License v2"
name = "FortiGate SSO Login Followed by Administrator Account Creation"
note = """## Triage and analysis

### Investigating FortiGate SSO Login Followed by Administrator Account Creation

This alert indicates that a FortiCloud SSO login was followed by an administrator account creation event on the same FortiGate device within 15 minutes. This two-event sequence is the core attack pattern observed in the FG-IR-26-060 campaign.

The attack flow is: authenticate via FortiCloud SSO using a crafted SAML assertion, then immediately create local administrator accounts to maintain access even after the SSO vulnerability is patched.

### Possible investigation steps

- Review the SSO login event for the FortiCloud account used and the source IP. Determine whether the SSO account belongs to the organization.
- Check the admin creation event for the names of accounts created and the access profiles assigned (especially super_admin).
- Assess the timing between events. In the observed campaign, admin creation occurs within seconds of SSO login. A tight time correlation is a strong indicator of compromise.
- Review `observer.name` to identify the targeted device and verify whether FortiCloud SSO is intentionally enabled. Run `get system admin` to list all current administrator accounts.
- Check whether the same SSO account or source IP targeted other devices. Look for configuration exports, firewall policy changes, or VPN modifications following the admin creation.

### False positive analysis

- An authorized administrator logging in via FortiCloud SSO and creating a new admin account as part of normal operations.
- Initial device onboarding where SSO login and account setup occur in the same session.

### Response and remediation

- If unauthorized, delete all administrator accounts created during the session and disable FortiCloud SSO immediately.
- Restore configuration from a known-clean backup and rotate all credentials including LDAP/AD accounts connected to the device.
- Upgrade FortiOS to a patched version and engage incident response for the affected device and any downstream systems.
- If the activity is expected, document the administrative session and verify it was authorized. Consider creating accounts through a separate session to avoid triggering this correlation."""
references = [
    "https://www.fortiguard.com/psirt/FG-IR-26-060",
    "https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios",
    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
    "https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026",
]
risk_score = 73
rule_id = "e3a7b1c2-5d9f-4e8a-b6c3-2f1d4e5a6b7c"
severity = "high"
tags = [
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
    "Domain: Network",
    "Domain: Identity",
    "Data Source: Fortinet",
    "Data Source: Fortinet FortiGate",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by observer.name with maxspan=15m
  [authentication where event.dataset == "fortinet_fortigate.log" and
   event.action == "login" and event.outcome == "success" and
   (fortinet.firewall.method == "sso" or fortinet.firewall.ui like~ "sso*")]
  [any where event.dataset == "fortinet_fortigate.log" and
   event.code == "0100044547" and
   fortinet.firewall.cfgpath == "system.admin" and
   fortinet.firewall.action == "Add"]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"
[[rule.threat.technique.subtechnique]]
id = "T1136.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1136/001/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
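As an added example (not part of the Elastic rule or the FortiGate integration), the Python below re-implements the two-step sequence logic of the EQL query above over a handful of constructed events, so the `by observer.name` grouping and the 15-minute `maxspan` behaviour can be checked without a running stack. The event dicts, device names, `ui` strings and addresses are constructed for illustration, and the per-device "latest unmatched login" state is a simplification of the engine's sequence tracking.

```python
from datetime import datetime, timedelta
# Constructed ECS-style FortiGate events (dotted keys); not real telemetry.
SAMPLE_EVENTS = [
    {"@timestamp": "2026-01-28T10:00:00Z", "observer.name": "fgt-edge-01", "event.category": "authentication",
     "event.dataset": "fortinet_fortigate.log", "event.action": "login", "event.outcome": "success",
     "fortinet.firewall.method": "sso", "user.name": "cloud-sso-user", "source.ip": "198.51.100.7"},
    {"@timestamp": "2026-01-28T10:00:09Z", "observer.name": "fgt-edge-01", "event.code": "0100044547",
     "event.dataset": "fortinet_fortigate.log", "fortinet.firewall.cfgpath": "system.admin",
     "fortinet.firewall.action": "Add", "fortinet.firewall.cfgobj": "svc_backup"},
    # Admin add on a device that saw no SSO login: must not match (sequence is keyed by observer.name).
    {"@timestamp": "2026-01-28T10:05:00Z", "observer.name": "fgt-branch-02", "event.code": "0100044547",
     "event.dataset": "fortinet_fortigate.log", "fortinet.firewall.cfgpath": "system.admin",
     "fortinet.firewall.action": "Add"},
    # SSO login (matched via the ui field) and admin add 20 minutes apart: outside maxspan, must not match.
    {"@timestamp": "2026-01-28T11:00:00Z", "observer.name": "fgt-edge-03", "event.category": "authentication",
     "event.dataset": "fortinet_fortigate.log", "event.action": "login", "event.outcome": "success",
     "fortinet.firewall.ui": "SSO(203.0.113.9)"},
    {"@timestamp": "2026-01-28T11:20:00Z", "observer.name": "fgt-edge-03", "event.code": "0100044547",
     "event.dataset": "fortinet_fortigate.log", "fortinet.firewall.cfgpath": "system.admin",
     "fortinet.firewall.action": "Add"},
]

def is_sso_login(e):
    # Step 1: successful login with method "sso" or a ui value starting with "sso" (case-insensitive, as `like~` is).
    return (e.get("event.dataset") == "fortinet_fortigate.log" and e.get("event.category") == "authentication"
            and e.get("event.action") == "login" and e.get("event.outcome") == "success"
            and (e.get("fortinet.firewall.method") == "sso"
                 or str(e.get("fortinet.firewall.ui", "")).lower().startswith("sso")))

def is_admin_add(e):
    # Step 2: configuration log 0100044547 adding an object under system.admin.
    return (e.get("event.dataset") == "fortinet_fortigate.log" and e.get("event.code") == "0100044547"
            and e.get("fortinet.firewall.cfgpath") == "system.admin" and e.get("fortinet.firewall.action") == "Add")

ts = lambda e: datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")  # UTC timestamps as in the samples

def find_sequences(events, maxspan=timedelta(minutes=15)):
    """Approximate `sequence by observer.name with maxspan=15m`: latest unmatched SSO login per device, consumed by the next admin add."""
    pending, matches = {}, []
    for e in sorted(events, key=ts):
        dev = e.get("observer.name")
        if is_sso_login(e):
            pending[dev] = e
        elif is_admin_add(e) and dev in pending:
            login = pending.pop(dev)  # each login can satisfy at most one sequence
            delta = ts(e) - ts(login)
            if delta <= maxspan:
                matches.append({"device": dev, "sso_user": login.get("user.name"), "source_ip": login.get("source.ip"),
                                "admin_object": e.get("fortinet.firewall.cfgobj"), "delta_seconds": delta.total_seconds()})
    return matches
```

Running `find_sequences(SAMPLE_EVENTS)` yields a single match for `fgt-edge-01` with a nine-second gap, the kind of tight correlation the investigation guide calls out; the other two devices produce nothing.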
Related rules
- FortiGate Administrator Account Creation from Unusual Source
- FortiGate Super Admin Account Creation
- First-Time FortiGate Administrator Login
- FortiGate Administrator Login from Multiple IP Addresses
- FortiGate FortiCloud SSO Login from Unusual Source