FortiGate - New Local User Created

Detects the creation of a new local user on a Fortinet FortiGate Firewall. The new local user could be used for VPN connections.

Sigma rule

title: FortiGate - New Local User Created
id: ddbbe845-1d74-43a8-8231-2156d180234d
status: experimental
description: |
    Detects the creation of a new local user on a Fortinet FortiGate Firewall.
    The new local user could be used for VPN connections.
references:
    - https://www.fortiguard.com/psirt/FG-IR-24-535
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/109120963/config-user-local
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: fortigate
    service: event
detection:
    selection:
        action: 'Add'
        cfgpath: 'user.local'
    condition: selection
falsepositives:
    - A local user can be created for legitimate purposes. Investigate the user details to determine if it is authorized.
level: medium
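
The rule's selection applied to raw FortiGate key=value event lines, as an added example that is not part of the rule itself. The sample log lines are constructed, and the `user`, `ui` and `cfgobj` field names used for triage output are assumptions about the event layout; only `action` and `cfgpath` come from the rule.

```python
import re

# The rule's selection: every field must match (logical AND).
SELECTION = {"action": "Add", "cfgpath": "user.local"}

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')


def parse_fortigate_line(line):
    """Parse one key=value log line into a dict of field -> value."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in _KV.findall(line)}


def matches_rule(fields):
    """Sigma plain strings are exact, case-insensitive matches on the named field."""
    return all(fields.get(k, "").lower() == v.lower() for k, v in SELECTION.items())


def triage(lines):
    """Return (acting admin, source UI, new user name) for each matching event."""
    hits = []
    for line in lines:
        f = parse_fortigate_line(line)
        if matches_rule(f):
            # user / ui / cfgobj are assumed field names, used only for context
            hits.append((f.get("user"), f.get("ui"), f.get("cfgobj")))
    return hits


# Constructed sample events, not real logs.
SAMPLE = [
    # Local user added from the GUI: matches.
    'date=2025-11-01 time=09:14:02 type="event" user="admin" ui="GUI(192.0.2.10)" '
    'action="Add" cfgpath="user.local" cfgobj="svc_backup" msg="Add user.local svc_backup"',
    # Existing local user edited: same cfgpath, different action, no match.
    'date=2025-11-01 time=09:20:41 type="event" user="admin" ui="GUI(192.0.2.10)" '
    'action="Edit" cfgpath="user.local" cfgobj="jdoe" msg="Edit user.local jdoe"',
    # Address object added; "user.local" appears only in free text, no match.
    'date=2025-11-01 time=09:31:07 type="event" user="admin" ui="GUI(192.0.2.10)" '
    'action="Add" cfgpath="firewall.address" cfgobj="user.local-net" msg="Add for user.local hosts"',
    # Bare (unquoted) values, as some forwarders emit them: matches.
    'date=2025-11-01 time=10:02:55 type=event user="admin" ui="ssh(198.51.100.7)" '
    'action=Add cfgpath=user.local cfgobj=tmpvpn',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Matching on parsed fields rather than on substrings is what keeps the third sample line, where `Add` and `user.local` both appear in the text, from firing.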
