FortiGate Edge Device Compromise Leading to Active Directory

Tags: FortiGate Exploitation, Active Directory Compromise, Credential Theft
Threat actors exploited FortiGate vulnerabilities to gain initial access, steal service account credentials, and establish rogue workstations. This led to deep Active Directory compromise, RMM tool deployment, and NTDS.dit file exfiltration. Insufficient logging hindered full incident reconstruction.

Indicators of Compromise

neremedysoft.com
ndibsterso.com

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

DETECTION

ID: DET0080
Data Source: Application Log, Process, Network Traffic
Data Component: Application Activity, Process Creation, Network Connection
Detects: Exploit Public-Facing Application (T1190, T1203, T1068): Detects exploitation attempts against internet-facing applications by correlating abnormal inbound request patterns, elevated application error rates (4xx/5xx), and the server process spawning shells or initiating outbound callbacks.

ID: DET0317
Data Source: Process, Service, Registry, Command
Data Component: Process Termination, Service Modification, Registry Modification, Command Execution
Detects: Impair Defenses (T1562): Identifies adversary attempts to disable or tamper with defensive controls before executing the core attack. Covers AV/EDR process termination, Windows Event Log disablement, audit policy modification, and security daemon disruption.

ID: DET0830
Data Source: Network Traffic
Data Component: Network Connection, Network Flow
Detects: Active Scanning (T1595): Monitors external network traffic for scanning behaviors indicative of adversary pre-compromise reconnaissance, including automated port sweeps, vulnerability probing, and protocol fingerprinting, using perimeter sensors and IDS.
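As an added illustration of the DET0080 correlation (example code written for this page, not part of the campaign entry or any vendor's detection content), the following Python joins an elevated 4xx/5xx rate in constructed access-log lines with the web server process spawning a shell or opening an outbound connection. Host names, process names, the event field names and the 50% error threshold are assumptions.

```python
# Added example: the three-signal correlation described by DET0080, run over
# constructed sample data. Host names, process names, event field names and
# the 50% error threshold are assumptions, not values from the campaign entry.
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe"}
SERVER_PROCS = {"httpd", "nginx"}  # assumed names of the web server process

def error_rate(access_log):
    """Share of requests with a 4xx/5xx status in Apache/NGINX-style log lines."""
    total = errors = 0
    for line in access_log:
        # The status code is the first token after the quoted request string.
        status = int(line.split('"')[2].split()[0])
        total += 1
        errors += status >= 400
    return errors / total if total else 0.0

def correlate(access_logs, events, error_threshold=0.5):
    """Alert on a host only when its error rate is elevated AND its server
    process spawned a shell or initiated an outbound connection."""
    alerts = []
    for host, lines in access_logs.items():
        rate = error_rate(lines)
        host_events = [e for e in events if e["host"] == host]
        shell = any(e["type"] == "process" and e["parent"] in SERVER_PROCS
                    and e["image"] in SHELLS for e in host_events)
        callback = any(e["type"] == "network" and e["process"] in SERVER_PROCS
                       and e["direction"] == "outbound" for e in host_events)
        if rate >= error_threshold and (shell or callback):
            alerts.append({"host": host, "error_rate": round(rate, 2),
                           "shell_spawn": shell, "outbound_callback": callback})
    return alerts

# Constructed sample data: web01 shows all three signals, web02 is benign.
WEB01_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /api/upload HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /api/config HTTP/1.1" 404 0 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "POST /api/upload HTTP/1.1" 500 0 "-" "curl/8.0"',
]
WEB02_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jan/2024:10:00:06 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
EVENTS = [
    {"host": "web01", "type": "process", "parent": "httpd", "image": "sh"},
    {"host": "web01", "type": "network", "process": "httpd", "direction": "outbound", "dst": "203.0.113.9"},
    {"host": "web02", "type": "network", "process": "sshd", "direction": "inbound", "dst": "192.0.2.10"},
]
if __name__ == "__main__":
    print(correlate({"web01": WEB01_LOG, "web02": WEB02_LOG}, EVENTS))
```

A production version would additionally bound the process and network events to the same time window as the error spike, which this example omits for brevity.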

Observed Countries (2)

KZ (716)
UA (840)