FortiGate - VPN SSL Settings Modified

calendar Nov 1, 2025 · attack.persistence attack.initial-access attack.t1133  ·
Share on: linkedin copy

Detects the modification of VPN SSL Settings (for example, the modification of authentication rules). This behavior was observed in pair with the addition of a VPN SSL Web Portal.

Sigma rule (View on GitHub)

 1title: FortiGate - VPN SSL Settings Modified
 2id: 8b5dacf2-aeb7-459d-b133-678eb696d410
 3status: experimental
 4description: |
 5    Detects the modification of VPN SSL Settings (for example, the modification of authentication rules).
 6    This behavior was observed in pair with the addition of a VPN SSL Web Portal.    
 7references:
 8    - https://www.fortiguard.com/psirt/FG-IR-24-535
 9    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
10    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/114404382/config-vpn-ssl-settings
11    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44546/44546-logid-event-config-attr
12author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
13date: 2025-11-01
14tags:
15    - attack.persistence
16    - attack.initial-access
17    - attack.t1133
18logsource:
19    product: fortigate
20    service: event
21detection:
22    selection:
23        action: 'Edit'
24        cfgpath: 'vpn.ssl.settings'
25    condition: selection
26falsepositives:
27    - VPN SSL settings can be changed for legitimate purposes.
28level: medium

References

Related rules

to-top