
FortiGate Edge Device Compromise Leading to Active Directory
DETECTION
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DET0080 | Application Log, Process, Network Traffic | Application Activity, Process Creation, Network Connection | Exploit Public-Facing Application (T1190, T1203, T1068): detects exploitation attempts against internet-facing applications by correlating abnormal inbound request patterns, elevated application error rates (4xx/5xx), and the server process spawning shells or initiating outbound callbacks. |
| DET0317 | Process, Service, Registry, Command | Process Termination, Service Modification, Registry Modification, Command Execution | Impair Defenses (T1562): identifies adversary attempts to disable or tamper with defensive controls before executing the core attack. Covers AV/EDR process termination, Windows Event Log disablement, audit policy modification, and security daemon disruption. |
| DET0830 | Network Traffic | Network Connection, Network Flow | Active Scanning (T1595): monitors external network traffic for scanning behaviour indicative of adversary pre-compromise reconnaissance, including automated port sweeps, vulnerability probing, and protocol fingerprinting, using perimeter sensors and IDS. |
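The DET0080 and DET0830 rows describe correlation logic rather than concrete rules. The following Python is an added example, not code from the original page or from the vendor behind these detection IDs, showing how both correlations can be run over constructed sample telemetry. The log formats, hostnames, IP addresses, process names, thresholds and time windows are all assumptions chosen for illustration. DET0080 is covered here by the error-burst and shell-spawn legs; the outbound-callback leg would be the same time-window correlation applied to connection events instead of process-creation events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry). Web access log: ISO timestamp, client IP, HTTP status, path.
ACCESS_LOG = """
2024-05-01T10:00:01 203.0.113.7 200 /index.html
2024-05-01T10:00:02 203.0.113.7 404 /api/v1/status
2024-05-01T10:00:02 203.0.113.7 500 /api/v1/login
2024-05-01T10:00:03 203.0.113.7 500 /api/v1/login
2024-05-01T10:00:03 203.0.113.7 403 /admin
2024-05-01T10:00:04 203.0.113.7 500 /api/v1/login
2024-05-01T10:00:05 203.0.113.7 502 /api/v1/login
2024-05-01T10:00:09 198.51.100.2 200 /index.html
2024-05-01T10:00:10 198.51.100.2 404 /favicon.ico
"""
# Process-creation events (constructed): ISO timestamp, host, parent image, child image.
PROCESS_LOG = """
2024-05-01T09:30:00 web01 sshd bash
2024-05-01T10:00:00 web01 httpd httpd
2024-05-01T10:00:06 web01 httpd /bin/sh
"""
# Flow records (constructed): ISO timestamp, source IP, destination IP, destination port.
FLOW_LOG = """
2024-05-01T09:58:00 203.0.113.7 192.0.2.10 21
2024-05-01T09:58:01 203.0.113.7 192.0.2.10 22
2024-05-01T09:58:02 203.0.113.7 192.0.2.10 23
2024-05-01T09:58:03 203.0.113.7 192.0.2.10 80
2024-05-01T09:58:04 203.0.113.7 192.0.2.10 443
2024-05-01T09:58:05 203.0.113.7 192.0.2.10 445
2024-05-01T09:58:06 203.0.113.7 192.0.2.10 3389
2024-05-01T09:58:07 203.0.113.7 192.0.2.10 8443
2024-05-01T09:58:30 198.51.100.2 192.0.2.10 443
"""

# Assumed tuning values; a real deployment would derive these from its own baselines.
WEB_SERVER_PROCS = {"httpd", "nginx", "node"}
SHELLS = {"sh", "bash", "/bin/sh", "/bin/bash"}
ERROR_BURST_THRESHOLD, BURST_WINDOW = 5, timedelta(seconds=30)
SPAWN_GRACE = timedelta(minutes=5)  # a shell spawn must follow the burst within this time
SCAN_PORT_THRESHOLD, SCAN_WINDOW = 8, timedelta(seconds=60)

def parse_lines(text, fields):
    """Turn whitespace-delimited log lines into dicts; the first field is an ISO timestamp."""
    records = []
    for line in text.strip().splitlines():
        rec = dict(zip(fields, line.split()))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records

def window_max(items, window, measure):
    """Slide a window over (timestamp, value) pairs; return (best measure() score, window start)."""
    items = sorted(items, key=lambda x: x[0])
    best, best_start, j = 0, None, 0
    for i, (t0, _) in enumerate(items):
        while j < len(items) and items[j][0] <= t0 + window:
            j += 1  # j is the first event outside the window that starts at t0
        score = measure([v for _, v in items[i:j]])
        if score > best:
            best, best_start = score, t0
    return best, best_start

def detect_exploit_public_facing_app(access_text, process_text):
    """DET0080: a 4xx/5xx burst from one client, then the web-server process spawns a shell."""
    access = parse_lines(access_text, ["ts", "client", "status", "path"])
    procs = parse_lines(process_text, ["ts", "host", "parent", "child"])
    errors = defaultdict(list)  # client IP -> [(ts, status)] for error responses only
    for r in access:
        if r["status"][0] in "45":
            errors[r["client"]].append((r["ts"], r["status"]))
    bursts = {}  # client IP -> start of the densest error window, if it clears the threshold
    for client, hits in errors.items():
        n, start = window_max(hits, BURST_WINDOW, len)
        if n >= ERROR_BURST_THRESHOLD:
            bursts[client] = start
    spawns = [p for p in procs if p["parent"] in WEB_SERVER_PROCS and p["child"] in SHELLS]
    alerts = []
    for client, start in bursts.items():
        for p in spawns:
            if start <= p["ts"] <= start + SPAWN_GRACE:
                alerts.append({"detection": "DET0080", "client": client, "host": p["host"],
                               "shell": p["child"], "burst_start": start, "spawn_ts": p["ts"]})
    return alerts

def detect_active_scanning(flow_text):
    """DET0830: one source touching many distinct ports on one host inside SCAN_WINDOW."""
    flows = parse_lines(flow_text, ["ts", "src", "dst", "dport"])
    pairs = defaultdict(list)  # (src, dst) -> [(ts, dport)]
    for f in flows:
        pairs[(f["src"], f["dst"])].append((f["ts"], f["dport"]))
    alerts = []
    for (src, dst), hits in pairs.items():
        n, start = window_max(hits, SCAN_WINDOW, lambda vals: len(set(vals)))
        if n >= SCAN_PORT_THRESHOLD:
            alerts.append({"detection": "DET0830", "src": src, "dst": dst,
                           "distinct_ports": n, "window_start": start})
    return alerts
```

Running `detect_exploit_public_facing_app(ACCESS_LOG, PROCESS_LOG)` on the sample data returns a single DET0080 alert for client 203.0.113.7 on host web01, while the benign `sshd -> bash` and `httpd -> httpd` events and the second client's lone 404 produce nothing; `detect_active_scanning(FLOW_LOG)` returns one DET0830 alert for the eight-port sweep against 192.0.2.10 and ignores the repeated legitimate 443 connections. The two detectors share the same sliding-window helper, which is the part that matters operationally: without a bounded window, a slow client accumulating errors over a day or a host that is legitimately contacted on many ports over weeks would both look like the attack patterns in the table.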