FortiGate - New Administrator Account Created
Detects the creation of an administrator account on a Fortinet FortiGate Firewall.
Sigma rule

```yaml
title: FortiGate - New Administrator Account Created
id: cd0a4943-0edd-42cf-b50c-06f77a10d4c1
status: experimental
description: Detects the creation of an administrator account on a Fortinet FortiGate Firewall.
references:
    - https://www.fortiguard.com/psirt/FG-IR-24-535
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: fortigate
    service: event
detection:
    selection:
        action: 'Add'
        cfgpath: 'system.admin'
    condition: selection
falsepositives:
    - An administrator account can be created for legitimate purposes. Investigate the account details to determine if it is authorized.
level: medium
```
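The rule's selection is two exact field matches on FortiGate event logs: `action` equal to `Add` and `cfgpath` equal to `system.admin`. The script below is an added example (not part of the Sigma rule, its author, or SigmaHQ) that parses raw FortiGate key=value log lines and applies that selection, so you can check what the rule would fire on before deploying it in a SIEM. It assumes the standard FortiGate syslog key=value layout; the three log lines are constructed for illustration, including the admin user name, UI address and the config-object names, and are not real telemetry.

```python
"""Apply the 'FortiGate - New Administrator Account Created' selection to raw
FortiGate event log lines.

Added example, not code from the Sigma rule or SigmaHQ. Sample log lines below
are constructed (names, addresses and timestamps are placeholders).
"""
import re
from typing import Dict, Iterable, List

# FortiGate log lines are space-separated key=value pairs. Values are either
# bare tokens (date=2025-11-01) or double-quoted strings that may contain spaces.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict with quotes stripped."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


# The rule's selection block, as in the YAML above. Sigma string matching is
# case-insensitive by default, so the comparison below folds case as well.
SELECTION = {"action": "Add", "cfgpath": "system.admin"}


def matches_selection(fields: Dict[str, str]) -> bool:
    """True when every selection field is present with the expected value."""
    return all(fields.get(k, "").casefold() == v.casefold() for k, v in SELECTION.items())


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events that the rule's condition (selection) matches."""
    return [f for f in (parse_fortigate_line(line) for line in lines) if matches_selection(f)]


# Constructed sample events (not real telemetry). Only the first is an
# administrator account creation; the second is a local user creation and the
# third is an edit of an existing admin object, neither of which should match.
SAMPLE_LOG = [
    'date=2025-11-01 time=09:12:44 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="https(192.0.2.10)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" '
    'msg="Add system.admin svc_backup"',
    'date=2025-11-01 time=09:13:02 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="https(192.0.2.10)" action="Add" cfgpath="user.local" cfgobj="jdoe" '
    'msg="Add user.local jdoe"',
    'date=2025-11-01 time=09:14:10 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="https(192.0.2.10)" action="Edit" cfgpath="system.admin" cfgobj="admin" '
    'msg="Edit system.admin admin"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} admin account created: "
              f"{hit.get('cfgobj')} by {hit.get('user')} via {hit.get('ui')}")
```

When triaging a hit, the fields that are not part of the selection carry the context the rule's false-positive note asks for: `user` and `ui` show who created the account and from where, and `cfgobj` names the new administrator, which is what you would compare against an approved change record.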
Related rules
- FortiGate - New Local User Created
- Cisco Local Accounts
- Privileged User Has Been Created
- User Added to Remote Desktop Users Group
- DarkGate - User Created Via Net.EXE