FortiGate Edge Device Compromise Leads to AD Takeover

Published Date: March 11, 2026

Category: ShadowOpsIntel

SentinelOne DFIR investigated multiple incidents in early 2026 where attackers compromised FortiGate Next-Generation Firewall appliances to gain initial access into enterprise environments. Exploitation of Fortinet vulnerabilities allowed attackers to extract configuration files containing encrypted service account credentials. Once decrypted, these credentials were used to authenticate to AD and establish deeper access. Threat actors created rogue domain workstations, deployed remote management tools, and attempted credential harvesting from domain controllers. The activity demonstrates how compromised network edge devices can become a pivot point for full domain compromise and data exfiltration.

Severity: Critical

Threat Details

Incident 1: Stealthy Persistence & Rogue Workstations

Initial Access: Attackers gained administrative access to FortiGate appliances primarily through SSO authentication vulnerabilities and weak credential exposure.

Likely occurred in late November 2025. The attacker created a local admin account named “support” and 4 new firewall policies to maintain a foothold.

Credential Harvesting: In February 2026, the actor decrypted the FortiGate configuration to steal fortidcagent LDAP credentials.
Lateral Movement: The attacker joined two rogue workstations (WIN-X8WRBOSKOOF and WIN-YRSXLEONJY2) to the AD using the mS-DS-MachineAccountQuota attribute.
Discovery: Used SoftPerfect Network Scanner for enumeration and attempted password spraying from the appliance IP.

Incident 2: Rapid Escalation & Data Theft

Initial Access: Attackers accessed the organization’s FortiGate appliance and created a local admin account named ssl-admin.
Credential Harvesting: Stole Domain Administrator credentials from the configuration file.
Execution & Persistence:
- Logged into servers via RDP within 10 minutes of initial access.
- Deployed RMM tools Pulseway and MeshAgent to establish a deeper foothold.
- Used DLL side-loading (masking malware as Java files) to execute payloads.
Exfiltration: Created a Volume Shadow Copy of the Primary Domain Controller to extract the NTDS.dit file and SYSTEM registry hive, likely exfiltrating them via a Cloudflare-owned IP.

Vulnerabilities & Exploitation Methods

CVE	Description
CVE-2025-59718 / 59719	SSO mechanisms fail to validate signatures, allowing unauthenticated admin access via crafted tokens.
CVE-2026-24858	Allows login to devices with FortiCloud SSO enabled using an attacker’s account.
Weak Credentials	Actors scan for open instances to log in using common or weak passwords.
Reversible Encryption	FortiOS configuration files use reversible encryption, allowing attackers to view embedded service account passwords.

Recommendations

Organizations should ensure that all FortiGate appliances are running the latest firmware versions and immediately apply patches for vulnerabilities associated with the attack, including CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858.
Alert on Log ID 0100032095, which signals that the system configuration file containing sensitive service account credentials has been exported.
Search for Log ID 0100032001 (successful SSO admin login) and verify if the usernames match known malicious patterns like cloud-init[@]mail[.]io or cloud-noc[@]mail[.]io.
Alert on Log ID 0100044547 (object attribute configured) where the configuration path is user.local or system.admin, as attackers often create “backdoor” accounts like support or ssl-admin.
Analyze VPN Tunnel Logs: Correlate Log ID 0101039424 (SSL VPN up) or Log ID 0101037138 (IPsec tunnel up) with the remip field to identify the attacker’s source IP for further tracking.
Monitor for Windows Event ID 4741 (Computer account created). This is a high-fidelity alert if the Subject: Security ID matches a FortiGate LDAP service account rather than a legitimate admin.
Audit Directory Service Changes: Enable advanced auditing to watch for Event ID 5136, which can show missing Service Principal Names (SPNs) or modified User Account Control (UAC) values, indicators of automated tools like Impacket.
Identify Malicious Computer Objects: Regularly query AD for new computer objects where the mS-DS-CreatorSID belongs to the Fortinet LDAP service account or where SPNs are suspiciously absent.
Look for the use of WMIC to create Volume Shadow Copies.
Block the IOCs at their respective controls
https://www.virustotal.com/gui/collection/6105363c88b239ab97e6876eb0967261cb7be0d9aef706d9f93828215b34d65c/iocs

IOCs

Domain:	ndibstersoft[.]com
Domain:	neremedysoft[.]com
Domain:	fastdlvrss[.]s3[.]us-east-1[.]amazonaws[.]com
IP:	185.156.73[.]62
IP:	185.242.246[.]127
IP:	193.24.211[.]61
URL:	hxxps://fastdlvrss[.]s3[.]us-east-1[.]amazonaws[.]com/paswr.zip
URL:	hxxps://storage.googleapis[.]com/apply-main/windows_agent_x64[.]msi

Mitre Att&Ck

Tactic	Technique	ID
Initial Access	Exploit Public-Facing Application	T1190
Initial Access	Valid Accounts	T1078
Persistence	Create Account	T1136
Persistence	Scheduled Task/Job: Scheduled Task	T1053.005
Privilege Escalation	Domain Accounts	T1078.002
Defense Evasion	Obfuscated/Compressed Files	T1027
Defense Evasion	Hijack Execution Flow: DLL	T1574.002
Defense Evasion	Impair Defenses	T1562.001
Discovery	Network Service Scanning	T1046
Discovery	Account Discovery	T1087
Lateral Movement	Remote Services: Remote Desktop Protocol	T1021.001
Execution	Service Execution	T1569.002
Command and Control	Application Layer Protocol: Web Protocols	T1071.001
Command and Control	Ingress Tool Transfer	T1105
Credential Access	OS Credential Dumping: NTDS	T1003.003
Credential Access	Credential Dumping	T1003
Collection	Data from Local System	T1005
Exfiltration	Exfiltration Over C2 Channel	T1041

Source:

https://www.sentinelone.com/blog/fortigate-edge-intrusions/

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.