FortiGate SSO Login Followed by Administrator Account Creation

This rule detects a FortiCloud SSO login followed by administrator account creation on the same FortiGate device within 15 minutes. This sequence is a high-confidence indicator of the FG-IR-26-060 attack pattern, where threat actors authenticate via SAML-based SSO bypass and immediately create local administrator accounts for persistence.

Elastic rule

```toml
[metadata]
creation_date = "2026/01/28"
integration = ["fortinet_fortigate"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
This rule detects a FortiCloud SSO login followed by administrator account creation on the same FortiGate device
within 15 minutes. This sequence is a high-confidence indicator of the FG-IR-26-060 attack pattern, where threat
actors authenticate via SAML-based SSO bypass and immediately create local administrator accounts for persistence.
"""
from = "now-30m"
index = ["logs-fortinet_fortigate.*"]
interval = "10m"
language = "eql"
license = "Elastic License v2"
name = "FortiGate SSO Login Followed by Administrator Account Creation"
note = """## Triage and analysis

### Investigating FortiGate SSO Login Followed by Administrator Account Creation

This alert indicates that a FortiCloud SSO login was followed by an administrator account creation event on the same FortiGate device within 15 minutes. This two-event sequence is the core attack pattern observed in the FG-IR-26-060 campaign.

The attack flow is: authenticate via FortiCloud SSO using a crafted SAML assertion, then immediately create local administrator accounts to maintain access even after the SSO vulnerability is patched.

### Possible investigation steps

- Review the SSO login event for the FortiCloud account used and the source IP. Determine whether the SSO account belongs to the organization.
- Check the admin creation event for the names of accounts created and the access profiles assigned (especially super_admin).
- Assess the timing between events. In the observed campaign, admin creation occurs within seconds of SSO login. A tight time correlation is a strong indicator of compromise.
- Review `observer.name` to identify the targeted device and verify whether FortiCloud SSO is intentionally enabled. Run `get system admin` to list all current administrator accounts.
- Check whether the same SSO account or source IP targeted other devices. Look for configuration exports, firewall policy changes, or VPN modifications following the admin creation.

### False positive analysis

- An authorized administrator logging in via FortiCloud SSO and creating a new admin account as part of normal operations.
- Initial device onboarding where SSO login and account setup occur in the same session.

### Response and remediation

- If unauthorized, delete all administrator accounts created during the session and disable FortiCloud SSO immediately.
- Restore configuration from a known-clean backup and rotate all credentials including LDAP/AD accounts connected to the device.
- Upgrade FortiOS to a patched version and engage incident response for the affected device and any downstream systems.
- If the activity is expected, document the administrative session and verify it was authorized. Consider creating accounts through a separate session to avoid triggering this correlation."""
references = [
    "https://www.fortiguard.com/psirt/FG-IR-26-060",
    "https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios",
    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
    "https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026",
]
risk_score = 73
rule_id = "e3a7b1c2-5d9f-4e8a-b6c3-2f1d4e5a6b7c"
severity = "high"
tags = [
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
    "Domain: Network",
    "Domain: Identity",
    "Data Source: Fortinet",
    "Data Source: Fortinet FortiGate",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by observer.name with maxspan=15m
  [authentication where data_stream.dataset == "fortinet_fortigate.log" and
    event.action == "login" and event.outcome == "success" and
    (fortinet.firewall.method == "sso" or fortinet.firewall.ui like~ "sso*")]
  [any where data_stream.dataset == "fortinet_fortigate.log" and
    event.code == "0100044547" and
    fortinet.firewall.cfgpath == "system.admin" and
    fortinet.firewall.action == "Add"]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"

[[rule.threat.technique.subtechnique]]
id = "T1136.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1136/001/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
```
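To make the two-stage correlation concrete, here is an added example (not Elastic's or Fortinet's code) that models the `sequence by observer.name with maxspan=15m` logic in Python and runs it over a constructed batch of flattened ECS-style events. The device names, timestamps and the `SSO(...)` value of `fortinet.firewall.ui` are assumptions; the field names, event code and 15-minute window come from the rule.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

MAXSPAN = timedelta(minutes=15)  # mirrors the rule's maxspan=15m
ADMIN_ADD = {"event.code": "0100044547", "fortinet.firewall.cfgpath": "system.admin",
             "fortinet.firewall.action": "Add"}
SSO_LOGIN = {"event.category": "authentication", "event.action": "login", "event.outcome": "success"}

def ev(ts, device, **fields):
    """Constructed FortiGate event in flattened ECS field names (sample data, not a real log)."""
    return {"@timestamp": ts, "observer.name": device,
            "data_stream.dataset": "fortinet_fortigate.log", **fields}

# Constructed stream: device 01 shows the campaign pattern; device 02 adds an admin 30 minutes
# after its SSO login (outside maxspan); device 03 adds an admin with no preceding SSO login.
EVENTS = [
    ev("2026-01-28T10:00:00Z", "fgt-edge-01", **SSO_LOGIN, **{"fortinet.firewall.method": "sso"}),
    ev("2026-01-28T10:00:42Z", "fgt-edge-01", **ADMIN_ADD),
    ev("2026-01-28T11:00:00Z", "fgt-edge-02", **SSO_LOGIN, **{"fortinet.firewall.ui": "SSO(198.51.100.9)"}),
    ev("2026-01-28T11:30:00Z", "fgt-edge-02", **ADMIN_ADD),
    ev("2026-01-28T12:00:00Z", "fgt-edge-03", **ADMIN_ADD),
]

def is_sso_login(e):
    """First stage: successful login via SSO (EQL `like~` is a case-insensitive wildcard)."""
    return (all(e.get(k) == v for k, v in SSO_LOGIN.items())
            and (e.get("fortinet.firewall.method") == "sso"
                 or fnmatchcase(str(e.get("fortinet.firewall.ui", "")).lower(), "sso*")))

def is_admin_add(e):
    """Second stage: config event 0100044547 adding an entry under system.admin."""
    return all(e.get(k) == v for k, v in ADMIN_ADD.items())

def correlate(events, maxspan=MAXSPAN):
    """Simplified sequence model: an SSO login opens a per-device window; an admin Add inside it completes and closes the sequence."""
    pending, matches = {}, []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        if e.get("data_stream.dataset") != "fortinet_fortigate.log":
            continue
        key = e["observer.name"]
        ts = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
        if is_sso_login(e):
            pending[key] = (ts, e)  # a newer login restarts the window for this device
        elif is_admin_add(e) and key in pending:
            login_ts, login = pending.pop(key)
            if ts - login_ts <= maxspan:
                matches.append({"device": key, "login": login, "admin_add": e,
                                "gap_seconds": (ts - login_ts).total_seconds()})
    return matches
```

Only `fgt-edge-01` produces a match; the 42-second gap it reports is the kind of tight correlation the investigation guide flags as a strong indicator of compromise.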
