Added new Fortinet Fortigate rules #5197
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Welcome @inthecyber 👋
It looks like this is your first pull request on the Sigma rules repository!
Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
Thanks again, and welcome to the Sigma community! 😃
frack113
requested changes
Feb 21, 2025
frack113
added
Author Input Required
Co-authored-by: frack113 <[email protected]>
Co-authored-by: frack113 <[email protected]>
Co-authored-by: frack113 <[email protected]>
|
I think the problem is in the ATT&CK version used, the subtechnique T1098.007 is available only since v16 (in v15 is missing) |
frack113
approved these changes
Feb 25, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary of the Pull Request
Adds several new rules related to Fortinet Fortigate Firewall Rules related to https://www.fortiguard.com/psirt/FG-IR-24-535
Changelog
new: Potential Persistence via New Local User Creation - Fortinet Fortigate Firewall
new:Potential Persistence via New Admin User Creation - Fortinet Fortigate Firewall
new:Potential Persistence via User Group Modification - Fortinet Fortigate Firewall
new:Potential Defense Evasion via Addition of Firewall Address Object - Fortinet Fortigate Firewall
new:Potential Remote Services Abuse via Addition of VPN SSL Web Portal - Fortinet Fortigate Firewall
new:Potential Remote Services Abuse via Modification of VPN SSL Settings - Fortinet Fortigate Firewall
new:Potential Defense Evasion via Firewall Policy Addition - Fortinet Fortigate Firewall
Example Log Event
new:Potential Persistence via New Local User Creation - Fortinet Fortigate Firewall
<190>date=2025-02-20 time=09:26:15 devname="<REDACTED>" devid="<REDACTED>" eventtime=1740039975614810031 tz="+0100" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(<REDACTED>)" action="Add" cfgtid=9503032 cfgpath="user.local" cfgobj="userlocal-test" cfgattr="type[password]passwd[*]" msg="Add user.local userlocal-test"new:Potential Persistence via New Admin User Creation - Fortinet Fortigate Firewall
<190>date=2025-02-20 time=09:23:57 devname="<REDACTED>" devid="<REDACTED>" eventtime=1740039837394811711 tz="+0100" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(<REDACTED>)" action="Add" cfgtid=9503031 cfgpath="system.admin" cfgobj="admin_test" cfgattr="accprofile[prof_admin]vdom[root]gui-global-menu-favorites[]gui-vdom-menu-favorites[]password[*]" msg="Add system.admin admin_test"new:Potential Persistence via User Group Modification - Fortinet Fortigate Firewall
<190>date=2025-02-20 time=10:09:30 devname="<REDACTED>" devid="<REDACTED>" eventtime=1740042570164823711 tz="+0100" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(<REDACTED>)" action="Edit" cfgtid=9503050 cfgpath="user.group" cfgobj="group-test" cfgattr="member[userlocal-test->userlocal-test user-test2]" msg="Edit user.group group-test"new:Potential Defense Evasion via Addition of Firewall Address Object - Fortinet Fortigate Firewall
<190>date=2025-02-20 time=09:34:17 devname="<REDACTED>" devid="<REDACTED>" eventtime=1740040456994829291 tz="+0100" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(<REDACTED>)" action="Add" cfgtid=9503035 uuid="77a21396-ef65-51ef-8203-730f3c7d7e7d" cfgpath="firewall.address" cfgobj="192_all_iZ" cfgattr="subnet[192.168.0.0 255.255.0.0]" msg="Add firewall.address 192_all_iZ"new:Potential Remote Services Abuse via Addition of VPN SSL Web Portal - Fortinet Fortigate Firewall
<190>date=2025-02-20 time=09:35:05 devname="<REDACTED>" devid="<REDACTED>" eventtime=1740040505314840911 tz="+0100" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(<REDACTED>)" action="Add" cfgtid=9503036 cfgpath="vpn.ssl.web.portal" cfgobj="tunnel-test" cfgattr="tunnel-mode[enable]web-mode[enable]ip-pools[SSLVPN_TUNNEL_SUBNET1]split-tunneling-routing-address[10_all_iZ 172_all_iZ 192_all_iZ]bookmark-group:gui-bookmarks[]" msg="Add vpn.ssl.web.portal tunnel-test"new:Potential Remote Services Abuse via Modification of VPN SSL Settings - Fortinet Fortigate Firewall
<190>date=2025-02-20 time=09:35:24 devname="<REDACTED>" devid="<REDACTED>" eventtime=1740040524444853331 tz="+0100" logid="0100044546" type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="admin" ui="GUI(<REDACTED>)" action="Edit" cfgtid=9503046 cfgpath="vpn.ssl.settings" cfgattr="authentication-rule:9[source-interface[]users[userlocal-test]groups[]portal[tunnel-test]]" msg="Edit vpn.ssl.settings "new:Potential Defense Evasion via Firewall Policy Addition - Fortinet Fortigate Firewall
<190>date=2025-02-20 time=09:40:59 devname="<REDACTED>" devid="<REDACTED>" eventtime=1740040859104834851 tz="+0100" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(<REDACTED>)" action="Add" cfgtid=9503047 uuid="67496868-ef66-51ef-4a52-f5fae30a4e10" cfgpath="firewall.policy" cfgobj="132" cfgattr="name[Policy VPN Test]srcintf[ssl.root]dstintf[<REDACTED>]action[accept]srcaddr[SSLVPN_TUNNEL_SUBNET1]dstaddr[10_all_iZ 172_all_iZ 192_all_iZ]srcaddr6[]dstaddr6[]src-vendor-mac[]schedule[always]service[ALL]groups[]users[userlocal-test]fsso-groups[]custom-log-fields[]" msg="Add firewall.policy 132"Fixed Issues
SigmaHQ Rule Creation Conventions
Important:
I think the sigma taxonomy should be updated by including "product: fortigate" under "category: firewall", now I used
category: firewallbut the rules would work only on Elasticsearch, if you think the rules logic is ok we can work together on defining the new taxonomy