Detection Rules for Fortinet Firewalls
High
Detects potential exploitation attempts targeting CVE-2025-64446, a critical path traversal vulnerability affecting Fortinet FortiWeb Web Application Firewalls (WAF). An adversary can abuse this flaw, which requires no authentication, to create new, unauthorized administrative user accounts on the exposed device. This provides the threat actor with full administrative control over the security appliance, allowing them to bypass security policies, neutralize the WAF, and establish a persistent backdoor for further network intrusions.
Discovery (T1083)
syslog_type:fortinet AND httpmethod:POST AND !action:blocked AND !action:block AND !action:reset AND !action:drop AND !action:dropped AND (url:/\/system\/admin%3F/ OR url:/\/cgi\-bin\/fwbcgi/)
Detects when FortiGate Wireless IDS identifies an incident where a legitimate wireless client associates with a rogue or unauthorized access point (AP), a behavior known as valid client misassociation. Attackers may set up malicious APs to impersonate trusted networks, tricking legitimate clients into connecting. This tactic is commonly used in evil twin attacks to intercept traffic, harvest credentials, or inject malicious payloads. Identifying such associations is essential to safeguarding wireless network integrity and preventing data leakage.
Credential Access (T1557), Credential Access (T1040), Resource Development (T1584)
syslog_type:fortinet AND logdesc:"Wireless valid_client_misassoc detected"
Detects when FortiGate Wireless IDS identifies abnormal surges of wireless management frames, such as authentication, association, or probe requests, which may indicate a management frame flooding attack. Adversaries use this technique to disrupt wireless network operations, exhaust access point resources, or perform denial-of-service (DoS) attacks. Continuous monitoring of management frame activity helps with the early identification and mitigation of wireless network disruptions.
Impact (T1498), Resource Development (T1584)
syslog_type:fortinet AND logdesc:"Wireless management flooding detected"
Detects a flood of EAPOL (Extensible Authentication Protocol over LAN) packets on the wireless network identified by FortiGate Wireless IDS. Such flooding can exhaust network resources, disrupt normal authentication processes, or exploit weaknesses in WPA/WPA2 handshakes. Monitoring for this behavior is crucial to maintaining secure and stable wireless authentication services in enterprise environments.
syslog_type:fortinet AND logdesc:"Wireless EAPOL packet flooding detected"
Detects a rogue access point (AP) in the network as reported by FortiGate Wireless IDS. Rogue APs are unauthorized wireless access points connected to a network, often used by attackers to bypass security controls, capture sensitive data, or conduct man-in-the-middle attacks. Detection of rogue APs is critical to maintaining wireless network integrity and preventing unauthorized access.
Resource Development (T1584), Credential Access (T1557)
syslog_type:fortinet AND (logdesc:"Rogue AP detected" OR logdesc:"Rogue AP activity" OR logdesc:"Rogue AP on air" OR logdesc:"Fake AP on air" OR logdesc:"Fake AP detected" OR logdesc:"Offending AP on air" OR logdesc:"Offending AP detected")
Detects a long-duration attack on the wireless network identified by FortiGate Wireless IDS. These attacks often involve persistent connections to rogue access points or the use of compromised clients to maintain unauthorized access over an extended period. Such activity may be used by adversaries for sustained data exfiltration, network reconnaissance, or to establish footholds in the environment. Monitoring these patterns is crucial to detecting stealthy and persistent wireless threats.
Impact (T1498)
syslog_type:fortinet AND logdesc:"Wireless long duration attack detected"
Detects a virus in the network as identified by the FortiGate firewall. This may indicate the presence of malware or a malicious file attempting to execute or transfer within the network. Threat actors may use malware to gain access, maintain persistence, or exfiltrate data. Monitoring such events can help identify compromised systems or prevent further infection spread.
Execution (T1204)
syslog_type:fortinet AND subtype:"virus" AND !action:"blocked"
Detects potential wireless-based security threats as identified by FortiGate Wireless IDS. These threats may include spoofed access points, EAPOL flooding, deauthentication attacks, or other suspicious wireless behaviors. Monitoring such events is critical to protecting against wireless intrusion attempts, maintaining the integrity of the Wi-Fi network, and preventing unauthorized access or denial-of-service conditions caused by malicious actors.
Credential Access (T1557), Credential Access (T1040)
syslog_type:fortinet AND logdesc:"Wireless threat detected"
Detects instances where a FortiGate Wireless IDS identifies a client with an invalid or unrecognized MAC Organizationally Unique Identifier (OUI). This may indicate the presence of unauthorized, rogue, or potentially malicious devices attempting to connect to the wireless network. Monitoring for invalid MAC OUIs helps strengthen network access controls and prevent unauthorized access.
Credential Access (T1557)
syslog_type:fortinet AND logdesc:"Wireless invalid MAC OUI detected"
Detects the presence of an Asleap attack in a wireless network identified by FortiGate Wireless IDS. Asleap is a tool used to exploit weak authentication in LEAP (Lightweight Extensible Authentication Protocol), potentially allowing attackers to capture and crack wireless credentials. Monitoring for this activity helps identify unauthorized attempts to compromise wireless network security and protect sensitive credentials.
Credential Access (T1110)
syslog_type:fortinet AND logdesc:"Wireless Asleap attack detected"
Detects when FortiGate Intrusion Prevention System (IPS) identifies access to a known malicious URL. This activity may indicate attempts to connect to command and control infrastructure, deliver malware, or exfiltrate data. Monitoring these detections helps identify potential threats, prevent compromise, and maintain network security.
Execution (T1204), Initial Access (T1566), Command and Control (T1071)
syslog_type:fortinet AND subtype:"ips" AND attack:"malicious-url" AND action:"detected"
Detects botnet-related activity identified by FortiGate Intrusion Prevention System (IPS). This may indicate that a host within the network is communicating with known botnet command and control servers or exhibiting behavior consistent with botnet infections. Monitoring these events helps identify compromised systems, prevent data exfiltration, and mitigate the spread of malicious activity within the environment.
Command and Control (T1071), Resource Development (T1584)
syslog_type:fortinet AND subtype:"ips" AND attack:"botnet" AND action:"detected"
Medium
Detects the creation of a new administrator user account on a Fortinet FortiGate device originating from a public IP address. An adversary who gains access to the management interface may create unauthorized admin accounts to establish persistent, privileged control over the firewall. By creating these accounts from external or atypical network locations, attackers can maintain long-term access, modify security policies, exfiltrate sensitive data, or prepare the environment for additional malicious activity.
Persistence (T1098)
syslog_type:fortinet AND subtype:"system" AND logdesc:"Object attribute configured" AND action:"Add" AND cfgpath:"system.admin"
Detects attempts to download a FortiGate configuration file from an external or publicly accessible network source. Adversaries may abuse this behavior to obtain sensitive configuration data, including administrative credentials, network topology details, VPN settings, or firewall policies. Access to this information can enable further compromise through targeted lateral movement, privilege escalation, or tailored exploitation of exposed services.
Collection (T1602)
syslog_type:fortinet AND msg:"System config file has been downloaded" AND status:"success"
Detects wireless access points using weak or deprecated encryption protocols, as reported by FortiGate Wireless IDS. Risky encryption methods, such as WEP or misconfigured WPA settings, may allow adversaries to eavesdrop on network traffic or perform cryptographic attacks to gain unauthorized access. Identifying and remediating such vulnerabilities is essential to ensure wireless network confidentiality and compliance with security best practices.
Credential Access (T1040), Credential Access (T1557)
syslog_type:fortinet AND (logdesc:"Wireless risky_encryption detected" OR logdesc:"Wireless Weak WEP IV detected")
Detects a super admin login attempt to a FortiGate firewall originating from a suspicious or public IP address. This may indicate an attempt to exploit CVE-2025-24472, which allows unauthenticated attackers to gain super admin privileges on vulnerable FortiOS devices (<7.0.16) with exposed management interfaces.
Initial Access (T1190)
syslog_type:fortinet AND subtype:"system" AND logdesc:"Admin login successful" AND profile:"super_admin" AND method:"jsconsole" AND status:"success" AND srcip_reserved_ip:false
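As an added example (not part of this rule set or any Fortinet product), the following Python evaluates two of the queries above, the CVE-2025-64446 POST rule and the super_admin jsconsole login rule, over Fortinet-style key=value syslog lines. The sample lines are constructed, the field names come from the queries, and the address ranges used to approximate srcip_reserved_ip:false are an assumption.

```python
import ipaddress
import re

# Fortinet syslog lines are space-separated key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortinet_log(line):
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

# Rule 1 (CVE-2025-64446): an unblocked POST to either path named in the query above.
BLOCKED_ACTIONS = {"blocked", "block", "reset", "drop", "dropped"}
URL_RE = re.compile(r"/system/admin%3F|/cgi-bin/fwbcgi")

def matches_cve_2025_64446(ev):
    return (ev.get("httpmethod") == "POST"
            and ev.get("action") not in BLOCKED_ACTIONS
            and URL_RE.search(ev.get("url", "")) is not None)

# Rule 2 (super_admin jsconsole login): srcip_reserved_ip:false is approximated (assumption) by these ranges.
RESERVED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_reserved_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or malformed srcip: do not silently suppress the event
    return any(addr in net for net in RESERVED_NETS)

def matches_super_admin_login(ev):
    expected = {"subtype": "system", "logdesc": "Admin login successful",
                "profile": "super_admin", "method": "jsconsole", "status": "success"}
    return all(ev.get(k) == v for k, v in expected.items()) and not is_reserved_ip(ev.get("srcip", ""))

def run_rules(lines):
    hits = []  # (rule name, srcip) for each line that fires a rule
    for ev in map(parse_fortinet_log, lines):
        if matches_cve_2025_64446(ev):
            hits.append(("CVE-2025-64446 attempt", ev.get("srcip")))
        if matches_super_admin_login(ev):
            hits.append(("super_admin login from non-reserved IP", ev.get("srcip")))
    return hits

# Constructed sample lines (not device output), using the field names of the queries above.
SAMPLE_LOGS = [
    'date=2025-11-14 time=10:01:02 syslog_type=fortinet httpmethod="POST" url="/cgi-bin/fwbcgi" action="alert" srcip=203.0.113.7',
    'date=2025-11-14 time=10:01:03 syslog_type=fortinet httpmethod="POST" url="/cgi-bin/fwbcgi" action="blocked" srcip=203.0.113.7',
    'date=2025-11-14 time=10:05:00 syslog_type=fortinet subtype="system" logdesc="Admin login successful" profile="super_admin" method="jsconsole" status="success" srcip=203.0.113.9',
    'date=2025-11-14 time=10:05:01 syslog_type=fortinet subtype="system" logdesc="Admin login successful" profile="super_admin" method="jsconsole" status="success" srcip=10.0.0.5',
]
```

Running run_rules(SAMPLE_LOGS) fires only on the first and third lines: the blocked POST and the login from 10.0.0.5 are excluded exactly as the two queries exclude them.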