Sigma rules for CVE-2005-3057
7 rules · scoped to cve · back to CVE-2005-3057
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: FortiGate - New Firewall Policy Added
id: f24ab7a8-f09a-4319-82c1-915586aa642b
status: experimental
description: Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall.
references:
- https://www.fortiguard.com/psirt/FG-IR-24-535
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/333889629/config-firewall-policy
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: fortigate
service: event
detection:
selection:
action: 'Add'
cfgpath: 'firewall.policy'
condition: selection
falsepositives:
- A firewall policy can be added for legitimate purposes.
level: medium
title: FortiGate - New Local User Created
id: ddbbe845-1d74-43a8-8231-2156d180234d
status: experimental
description: |
Detects the creation of a new local user on a Fortinet FortiGate Firewall.
The new local user could be used for VPN connections.
references:
- https://www.fortiguard.com/psirt/FG-IR-24-535
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/109120963/config-user-local
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
- attack.persistence
- attack.t1136.001
logsource:
product: fortigate
service: event
detection:
selection:
action: 'Add'
cfgpath: 'user.local'
condition: selection
falsepositives:
- A local user can be created for legitimate purposes. Investigate the user details to determine if it is authorized.
level: medium
title: FortiGate - Firewall Address Object Added
id: 5c8d7b41-3812-432f-a0bb-4cfb7c31827e
status: experimental
description: Detects the addition of firewall address objects on a Fortinet FortiGate Firewall.
references:
- https://www.fortiguard.com/psirt/FG-IR-24-535
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/306021697/config-firewall-address
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: fortigate
service: event
detection:
selection:
action: 'Add'
cfgpath: 'firewall.address'
condition: selection
falsepositives:
- An address could be added or deleted for legitimate purposes.
level: medium
title: FortiGate - New Administrator Account Created
id: cd0a4943-0edd-42cf-b50c-06f77a10d4c1
status: experimental
description: Detects the creation of an administrator account on a Fortinet FortiGate Firewall.
references:
- https://www.fortiguard.com/psirt/FG-IR-24-535
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
- attack.persistence
- attack.t1136.001
logsource:
product: fortigate
service: event
detection:
selection:
action: 'Add'
cfgpath: 'system.admin'
condition: selection
falsepositives:
- An administrator account can be created for legitimate purposes. Investigate the account details to determine if it is authorized.
level: medium
title: FortiGate - User Group Modified
id: 69ffc84e-8b1a-4024-8351-e018f66b8275
status: experimental
description: |
Detects the modification of a user group on a Fortinet FortiGate Firewall.
The group could be used to grant VPN access to a network.
references:
- https://www.fortiguard.com/psirt/FG-IR-24-535
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/328136827/config-user-group
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
- attack.persistence
- attack.privilege-escalation
# - attack.t1098.007
logsource:
product: fortigate
service: event
detection:
selection:
action: 'Edit'
cfgpath: 'user.group'
condition: selection
falsepositives:
- A group can be modified for legitimate purposes.
level: medium
title: FortiGate - VPN SSL Settings Modified
id: 8b5dacf2-aeb7-459d-b133-678eb696d410
status: experimental
description: |
Detects the modification of VPN SSL Settings (for example, the modification of authentication rules).
This behavior was observed in pair with the addition of a VPN SSL Web Portal.
references:
- https://www.fortiguard.com/psirt/FG-IR-24-535
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/114404382/config-vpn-ssl-settings
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44546/44546-logid-event-config-attr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
product: fortigate
service: event
detection:
selection:
action: 'Edit'
cfgpath: 'vpn.ssl.settings'
condition: selection
falsepositives:
- VPN SSL settings can be changed for legitimate purposes.
level: medium
title: FortiGate - New VPN SSL Web Portal Added
id: 2bfb6216-0c31-4d20-8501-2629b29a3fa2
status: experimental
description: |
Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall.
This behavior was observed in pair with modification of VPN SSL settings.
references:
- https://www.fortiguard.com/psirt/FG-IR-24-535
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/113121765/config-vpn-ssl-web-portal
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
product: fortigate
service: event
detection:
selection:
action: 'Add'
cfgpath: 'vpn.ssl.web.portal'
condition: selection
falsepositives:
- A VPN SSL Web Portal can be added for legitimate purposes.
level: medium