FortiGate - User Group Modified

calendar Nov 1, 2025 · attack.persistence attack.privilege-escalation  ·
Share on: linkedin copy

Detects the modification of a user group on a Fortinet FortiGate Firewall. The group could be used to grant VPN access to a network.

Sigma rule (View on GitHub)

 1title: FortiGate - User Group Modified
 2id: 69ffc84e-8b1a-4024-8351-e018f66b8275
 3status: experimental
 4description: |
 5    Detects the modification of a user group on a Fortinet FortiGate Firewall.
 6    The group could be used to grant VPN access to a network.    
 7references:
 8    - https://www.fortiguard.com/psirt/FG-IR-24-535
 9    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
10    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/328136827/config-user-group
11    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
12author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
13date: 2025-11-01
14tags:
15    - attack.persistence
16    - attack.privilege-escalation
17    # - attack.t1098.007
18logsource:
19    product: fortigate
20    service: event
21detection:
22    selection:
23        action: 'Edit'
24        cfgpath: 'user.group'
25    condition: selection
26falsepositives:
27    - A group can be modified for legitimate purposes.
28level: medium

References

Related rules

to-top