External threat templates
Templates for building policies to protect against hostile external threats.
Chrome password store accessed by unauthorized process
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 6.0.3 or later
Detects when an unauthorized process opens or modifies a user's Chrome saved password file.
| Parameter | Type | Description |
|---|---|---|
| Process parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to read Chrome password files. Case-insensitive matching is used. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0006 (Credential Access) attack.mitre.org/tactics/TA0006/ | T1555 (Credentials from Password Stores) attack.mitre.org/techniques/T1555/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Enabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Compressed file created
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Agent version 7.8.0 or later
Detects when a user compresses an unauthorized file using Explorer (Windows), Finder (macOS), or the zip command (Linux).
Note: Use the "File parameters" and "File origin parameters" to configure which files are authorized or unauthorized to be compressed. If the "File parameters" and "File origin parameters" are left empty, detections will be generated when any file is compressed.
Note: This policy only monitors the creation of ZIP files.
| Parameter | Type | Description |
|---|---|---|
| File parameters | ||
| File paths | Advanced asset list | A list of file path expressions that users are authorized or unauthorized to compress. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used. |
| File types | Advanced asset list | A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+. |
| File extensions | Advanced asset list | A list of file extensions (e.g. .doc, .docx, .pdf) that users are authorized or unauthorized to compress. The dot can be omitted, and case-insensitive matching is used. |
| File origin parameters (Windows and macOS only) | ||
| SaaS apps | SaaS app filter | A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+. |
| User account domains (Preview) | Advanced asset list | A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
| Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1027 (Obfuscated Files or Information) attack.mitre.org/techniques/T1027/ | |
| TA0009 (Collection) attack.mitre.org/tactics/TA0009/ | T1560 (Archive Collected Data) attack.mitre.org/techniques/T1560/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Connection made to malicious Wi-Fi network
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Detects when a user connects to a malicious Wi-Fi network.
Malicious networks are determined by the network BSSID. The following Wi-Fi networks are considered to be malicious:
- Pineapple Wi-Fi, with BSSID starting 00:13:37, 00:aa:ff.
- Alfa Wireless, with BSSID starting 00:c0:ca.
- Generic spoofed Wi-Fi with BSSID starting 00:1c:3f, 00:00:00, 00:11:22, 11:22:33, ff:ff:ff.
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0001 (Initial Access) attack.mitre.org/tactics/TA0001/ | T1200 (Hardware Additions) attack.mitre.org/techniques/T1200/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by Wi-Fi SSID | Disabled |
| Cluster by Wi-Fi BSSID | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Dangerous file downloaded using Chrome
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 6.0.3 or later
Detects when a user downloads an unsafe file, as identified by Chrome's Safe Browsing feature.
| Parameter | Type | Description |
|---|---|---|
| Website parameters | ||
| SaaS apps | SaaS app filter | A list of SaaS apps on which dangerous downloads are authorized or unauthorized. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for websites on which dangerous downloads are authorized or unauthorized. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login". |
| URL regex patterns | Advanced asset list | A list of URLs from which dangerous downloads are authorized or unauthorized. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead. |
| File parameters | ||
| File names | Advanced asset list | A list of regular expressions matching file names that users are authorized or unauthorized to download. Case-insensitive matching is used. |
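The "File paths" glob rules in the Compressed file created template and the "URL patterns" rules used both there and in this template describe the same segment-aware wildcard: a single asterisk stays inside one path or domain segment, a double asterisk spans whole segments, and an omitted scheme, path, query or fragment matches anything. The matcher below is an added example, not FortiDLP's own code, and the exact engine behind the product's "Advanced asset list" is an assumption; it reuses one glob compiler for file paths (with both separator styles collapsed) and for URL host and path components, and the sample paths and URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Added example, not FortiDLP code. It implements the wildcard rules stated in the
# template tables; the product's real matching engine is an assumption here.


def segment_glob(pattern: str, sep: str) -> "re.Pattern[str]":
    """Compile a segment-aware glob into a regex.

    Segments are delimited by `sep` ("/" for paths, "." for domain names).
    "*" matches zero or more characters inside one segment; a segment that is
    exactly "**" matches zero or more whole segments.
    """
    esc_sep = re.escape(sep)
    not_sep = f"[^{esc_sep}]"
    segments = pattern.lower().split(sep)
    pieces = []
    for index, segment in enumerate(segments):
        last = index == len(segments) - 1
        if segment == "**":
            # A trailing ** swallows the rest; elsewhere it eats whole segments
            # (including an empty leading one, so absolute paths still match).
            pieces.append(".*" if last else f"(?:{not_sep}*{esc_sep})*")
        else:
            body = "".join(f"{not_sep}*" if ch == "*" else re.escape(ch) for ch in segment)
            pieces.append(body if last else body + esc_sep)
    return re.compile("".join(pieces))


def normalize_path(path: str) -> str:
    """Lower-case and collapse both separator styles so one glob serves Windows and POSIX paths."""
    return re.sub(r"[\\/]+", "/", path.strip().lower())


def path_matches(pattern: str, path: str) -> bool:
    return segment_glob(normalize_path(pattern), "/").fullmatch(normalize_path(path)) is not None


def split_url_pattern(pattern: str):
    """Split a URL pattern into (scheme, host, path, query, fragment); absent parts are None."""
    scheme = None
    rest = pattern.strip()
    m = re.match(r"([a-z][a-z0-9+.-]*)://", rest, re.I)
    if m:
        scheme, rest = m.group(1).lower(), rest[m.end():]
    fragment = query = path = None
    if "#" in rest:
        rest, fragment = rest.split("#", 1)
    if "?" in rest:
        rest, query = rest.split("?", 1)
    if "/" in rest:
        rest, path = rest.split("/", 1)
    return scheme, rest, path, query, fragment


def url_matches(pattern: str, url: str) -> bool:
    """Apply a URL pattern; omitted scheme, path, query and fragment match anything."""
    p_scheme, p_host, p_path, p_query, p_fragment = split_url_pattern(pattern)
    parts = urlsplit(url)
    if p_scheme is not None and p_scheme != parts.scheme.lower():
        return False
    if not segment_glob(p_host, ".").fullmatch((parts.hostname or "").lower()):
        return False
    if p_path is not None and not segment_glob(p_path, "/").fullmatch(parts.path.lstrip("/").lower()):
        return False
    # Query and fragment have no segment structure, so "*" is plain "any characters".
    for wanted, actual in ((p_query, parts.query), (p_fragment, parts.fragment)):
        if wanted is not None:
            regex = ".*".join(re.escape(chunk) for chunk in wanted.lower().split("*"))
            if not re.fullmatch(regex, actual.lower()):
                return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs; the patterns are the ones quoted in the template tables.
    print(path_matches(r"C:\Users\**\Shared\**", r"C:\Users\alice\Shared\q1\report.docx"))       # True
    print(path_matches(r"**\*.pdf", "/srv/data/brief.PDF"))                                       # True
    print(url_matches("**.example.com/**/login*", "https://sso.corp.example.com/a/login.php"))   # True
    print(url_matches("**.example.com/**/login*", "https://example.com/login/next"))             # False
```

Because `**` may match zero domain labels, `**.example.com` also matches the apex `example.com`; a host such as `example.com.evil.test` does not match, since the whole host name must be consumed by the pattern.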
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0042 (Resource Development) attack.mitre.org/tactics/TA0042/ | T1588 (Obtain Capabilities) attack.mitre.org/techniques/T1588/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by domain name | Enabled |
| Cluster by filename | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
DSRM account password changed
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects when a user changes a Directory Service Restore Mode account password.
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0003 (Persistence) attack.mitre.org/tactics/TA0003/ | T1098 (Account Manipulation) attack.mitre.org/techniques/T1098/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by account name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
ETW event detected
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects when an Event Tracing for Windows (ETW) event with a specified provider GUID and event ID is logged.
Note: Certain events are only logged when enabled in Windows Group Policy settings or by other third-party software.
| Parameter | Type | Description |
|---|---|---|
| Event parameters | ||
| ETW trace provider GUID | String | The GUID of the event source to monitor. For example, entering "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" would monitor events from Microsoft Windows Defender. |
| Event IDs | Integer list | A list of event IDs to monitor. |
No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
ETW settings modified
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects when a user executes a command to tamper with Event Tracing for Windows settings.
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1562 (Impair Defenses) attack.mitre.org/techniques/T1562/ | T1562.006 (Indicator Blocking) attack.mitre.org/techniques/T1562/006/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Enabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Executable run with invalid signature
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows or macOS, Agent version 5.2.3 or later
Detects when a user runs an executable file or binary that has an invalid signature.
Note: Subsequent detections and actions for the same binary will not be generated until at least 30 seconds after the first detection/action.
| Parameter | Type | Description |
|---|---|---|
| Signature parameters | ||
| Prohibit unsigned binaries | Boolean | The toggle to prohibit unsigned binaries. If this is enabled and the name of the unsigned binary is not in the "Authorized binary names" list, a detection will be generated. |
| Prohibit unverified binaries | Boolean | The toggle to prohibit signed but unverified binaries. If this is enabled and the name of the unverified binary is not in the "Authorized binary names" list, a detection will be generated. |
| Certificate signers | Advanced asset list | A list of authorized or unauthorized certificate signers' Common Names (CN). If the certificate signer is unauthorized and the binary name is not in the "Authorized binary names" list, a detection will be generated. Case-insensitive matching is used. |
| Process parameters | ||
| Authorized binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized to run with an invalid signature. Case-insensitive matching is used. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1036 (Masquerading) attack.mitre.org/techniques/T1036/ | T1036.001 (Invalid Code Signature) attack.mitre.org/techniques/T1036/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Incoming port scan performed
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.2.5 or later
Detects when an excessive number of unexpected TCP packets (defined by the transmission of an RST packet) arrive at a host within a given time window, indicating an incoming port scan attack.
Note: Subsequent detections and actions for the same local and remote address will not be generated until the configured time window has elapsed.
| Parameter | Type | Description |
|---|---|---|
| Remote address parameters | ||
| IP addresses | Advanced asset list | A list of IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) authorized or unauthorized to perform port scans on the host. |
| Local port parameters | ||
| Local port number upper bound | Integer | The upper bound on local port numbers to consider when detecting incoming port scanning. For example, to consider ports 1-1024, you would enter 1024. |
| Maximum permitted local ports | Integer | The maximum number of local ports that can be connected to during the given time window. |
| Time window parameters | ||
| Time window (in seconds) | Integer | The number of seconds during which port usage is counted. |
| Packet parameters | ||
| Maximum permitted TCP Reset (RST) packets | Integer | The maximum number of RST packets that can be transmitted from local ports within the specified range during the given time window. |
| Maximum permitted dropped TCP packets | Integer | The maximum number of dropped packets that can be transmitted to local ports within the specified range during the given time window. |
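The parameters above describe a windowed counter: per remote address, count the distinct local ports (up to the upper bound), RST packets and dropped packets seen in the last time window, raise a detection when any count exceeds its maximum, and stay quiet for that remote until the window has elapsed. The detector below is an added example, not FortiDLP's own code; the packet-event shape, the use of "exceeds" rather than "reaches" for the thresholds, and the packet trace it replays are assumptions and constructed data.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass

# Added example, not FortiDLP code. Event shape, thresholds and the "exceeds maximum"
# comparison are assumptions made to illustrate the parameters in the template table.


@dataclass
class PortScanPolicy:
    authorized_remotes: list                 # CIDRs allowed to scan this host (the "IP addresses" list)
    local_port_upper_bound: int = 1024       # only local ports 1..N are considered
    max_local_ports: int = 20                # "Maximum permitted local ports"
    time_window_seconds: int = 60            # "Time window (in seconds)"
    max_rst_packets: int = 50                # "Maximum permitted TCP Reset (RST) packets"
    max_dropped_packets: int = 50            # "Maximum permitted dropped TCP packets"


class PortScanDetector:
    def __init__(self, policy: PortScanPolicy):
        self.policy = policy
        # strict=False accepts host bits in the prefix, as in the table's 192.0.2.1/16 example
        self._networks = [ipaddress.ip_network(c, strict=False) for c in policy.authorized_remotes]
        self._events = defaultdict(deque)   # remote ip -> (ts, local port, kind) inside the window
        self._suppressed_until = {}         # remote ip -> ts before which no new detection is raised

    def _authorized(self, remote_ip: str) -> bool:
        addr = ipaddress.ip_address(remote_ip)
        return any(addr in net for net in self._networks)

    def observe(self, ts: int, remote_ip: str, local_port: int, kind: str):
        """Feed one packet event ("rst" or "dropped"); return a detection dict or None."""
        if kind not in ("rst", "dropped"):
            raise ValueError(f"unknown packet kind {kind!r}")
        if local_port > self.policy.local_port_upper_bound or self._authorized(remote_ip):
            return None
        window = self._events[remote_ip]
        window.append((ts, local_port, kind))
        cutoff = ts - self.policy.time_window_seconds
        while window and window[0][0] < cutoff:
            window.popleft()
        # Keep counting while suppressed, but raise nothing until the window has elapsed.
        if ts < self._suppressed_until.get(remote_ip, float("-inf")):
            return None
        ports = {port for _, port, _ in window}
        rst = sum(1 for _, _, k in window if k == "rst")
        dropped = sum(1 for _, _, k in window if k == "dropped")
        p = self.policy
        reasons = []
        if len(ports) > p.max_local_ports:
            reasons.append(f"{len(ports)} distinct local ports > {p.max_local_ports}")
        if rst > p.max_rst_packets:
            reasons.append(f"{rst} RST packets > {p.max_rst_packets}")
        if dropped > p.max_dropped_packets:
            reasons.append(f"{dropped} dropped packets > {p.max_dropped_packets}")
        if not reasons:
            return None
        self._suppressed_until[remote_ip] = ts + p.time_window_seconds
        return {"remote_ip": remote_ip, "at": ts, "ports": len(ports), "rst": rst,
                "dropped": dropped, "reasons": reasons}


def run_demo():
    """Replay a constructed packet trace and return the detections it produces."""
    policy = PortScanPolicy(authorized_remotes=["192.0.2.0/24"], max_local_ports=10,
                            time_window_seconds=60, max_rst_packets=15, max_dropped_packets=15)
    detector = PortScanDetector(policy)
    events = []
    # Constructed trace: one unexpected RST per second while ports 1-12 are probed
    events += [(t, "203.0.113.5", port, "rst") for t, port in enumerate(range(1, 13))]
    events += [(20 + i, "203.0.113.5", 100 + i, "rst") for i in range(5)]              # inside suppression
    events += [(t, "192.0.2.7", port, "rst") for t, port in enumerate(range(1, 13))]   # authorized scanner
    events += [(t, "198.51.100.9", 40000 + t, "rst") for t in range(12)]               # above the port bound
    events += [(100 + t, "203.0.113.5", port, "rst") for t, port in enumerate(range(1, 13))]  # window elapsed
    detections = []
    for event in sorted(events):
        result = detector.observe(*event)
        if result:
            detections.append(result)
    return detections


if __name__ == "__main__":
    for d in run_demo():
        print(d["at"], d["remote_ip"], d["reasons"])
```

In the replayed trace the unauthorized remote is reported twice, at the 11th probed port and again once the 60-second window has passed; the authorized scanner and the probes above the port bound produce nothing.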
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0007 (Discovery) attack.mitre.org/tactics/TA0007/ | T1046 (Network Service Discovery) attack.mitre.org/techniques/T1046/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by source IP | Disabled |
| Cluster by destination IP | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Linux FortiDLP Agent tampered with
Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed
Requirements: Linux, Agent version 7.4.3 or later
Detects when a user tampers with the Linux FortiDLP Agent or FortiDLP Browser Extension.
Note: Subsequent detections and actions for the same FortiDLP component will not be generated until at least one week after the first detection/action.
| Parameter | Type | Description |
|---|---|---|
| Process parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. gedit) authorized or unauthorized to read or modify FortiDLP Agent data. Case-insensitive matching is used. |
| Binary paths | Advanced asset list | A list of binary paths authorized or unauthorized to read or modify FortiDLP Agent data. The match can use glob-style pattern matching rules (e.g. /home/*/Downloads/** would match all applications under the Downloads folder for all users). Case-insensitive matching is used. |
| Called paths | Advanced asset list | A list of regular expressions matching called paths of processes that are authorized or unauthorized to read or modify FortiDLP Agent data (e.g. .*compattelrunner\.exe -maintenance). |
| Tampering parameters | ||
| Tampering actions to monitor | String list | A list of tampering actions to monitor for both the FortiDLP Agent and FortiDLP Browser Extension. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1562 (Impair Defenses) attack.mitre.org/techniques/T1562/ | T1562.001 (Disable or Modify Tools) attack.mitre.org/techniques/T1562/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
MacOS FortiDLP Agent tampered with
Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed
Requirements: macOS, Agent version 7.7.4 or later
Detects when a user tampers with the MacOS FortiDLP Agent or FortiDLP Browser Extension.
Note: Subsequent detections and actions for the same FortiDLP component will not be generated until at least one week after the first detection/action.
| Parameter | Type | Description |
|---|---|---|
| Process parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. TextEdit.app) authorized or unauthorized to read or modify FortiDLP Agent data. Case-insensitive matching is used. |
| Binary paths | Advanced asset list | A list of binary paths authorized or unauthorized to read or modify FortiDLP Agent data. The match can use glob-style pattern matching rules (e.g. /Users/*/Downloads/** would match all applications under the Downloads folder for all users). Case-insensitive matching is used. |
| Called paths | Advanced asset list | A list of regular expressions matching called paths of processes that are authorized or unauthorized to read or modify FortiDLP Agent data (e.g. .*compattelrunner\.exe -maintenance). |
| Tampering parameters | ||
| Tampering actions to monitor | String list | A list of tampering actions to monitor for both the FortiDLP Agent and FortiDLP Browser Extension. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1562 (Impair Defenses) attack.mitre.org/techniques/T1562/ | T1562.001 (Disable or Modify Tools) attack.mitre.org/techniques/T1562/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Malicious PowerShell script executed
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 6.0.3 or later
Detects when a user executes a malicious PowerShell script.
Note: To use this policy you must enable the Windows "PowerShell Script Block Logging" group policy; see https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1#enabling-script-block-logging for details.
Malicious scripts are determined by the presence of commands frequently found in hacking tools such as Nishang and Mimikatz. The following PowerShell commands are considered to be malicious:
- add-exfiltration: found in Nishang, data exfiltration.
- add-persistence: found in Nishang, persistence.
- add-scrnsavebackdoor: found in Nishang, added screen saver debugger.
- copy-vss: found in Nishang, credential dumping.
- create-multiplesessions: found in Nishang, credential spraying.
- create-remotethread: found in process embedding, shellcode injection.
- disable-securitysettings: found in PowerShell Empire, security settings changed.
- dns_txt_pwnage: found in Nishang, backdoor attack.
- execute-ontime: found in Nishang, execution at specific time.
- find-trusteddocuments: found in PowerShell Empire, file reconnaissance.
- get-browserinformation: found in PowerShell Empire, browser enumeration.
- get-chromedump: found in PowerShell Empire, Google Chrome password enumeration.
- get-foxdump: found in PowerShell Empire, Firefox password enumeration.
- get-gpppassword: found in PowerShell Empire, credential dumping.
- get-modifiableservice: found in PowerUp, privilege escalation.
- get-modifiableservicefile: found in PowerUp, privilege escalation.
- get-keystrokes: found in PowerShell Empire, keylogging.
- get-lsasecret: found in Nishang, Windows Local Security Authority (LSA) secret extraction.
- get-passhashes: found in Nishang, credential dumping.
- get-passhints: found in Nishang, credential dumping.
- get-passpol: found in Discovery, getting password policy.
- get-screenshot: found in PowerShell Empire, screen capture.
- get-serviceunquoted: found in PowerUp, privilege escalation.
- get-sitelistpassword: found in PowerShell Empire, credential dumping.
- get-system: found in PowerShell Empire, privilege escalation.
- get-usbkeystrokes: found in PowerShell Empire, keylogging.
- get-vaultcredential: found in PowerShell Empire, Windows Vault credential dumping.
- get-webcredentials: found in Nishang, Windows Vault credential dumping.
- get-wlan-keys: found in Nishang, wireless credential dumping.
- gupt-backdoor: found in Nishang, backdoor attack.
- http-backdoor: found in Nishang, backdoor attack.
- invoke-adsbackdoor: found in Nishang, alternate data stream persistence.
- invoke-allchecks: found in PowerUp, privilege escalation.
- invoke-amsibypass: found in Nishang, Windows Anti-Malware Scan Interface (AMSI) bypass.
- invoke-bloodhound: found in Bloodhound, network reconnaissance.
- invoke-bypassuac: found in PowerShell Empire, privilege escalation.
- invoke-bypassuactokenmanipulation: found in PowerShell Empire, privilege escalation.
- invoke-credentialinjection: found in PowerShell Empire, credential injection.
- invoke-credentialsphish: found in Nishang, credential phishing.
- invoke-dcom: found in PowerShell Empire, lateral movement.
- invoke-dcsync: found in PowerShell Empire, credential dumping.
- invoke-dllinjection: found in PowerShell Empire, Windows Dynamic Link Library (DLL) injection.
- invoke-egresscheck: found in PowerShell Empire, firewall testing.
- invoke-enumeratelocaladmin: found in PowerView, user reconnaissance.
- invoke-envbypass: found in PowerShell Empire, Windows User Account Control (UAC) bypass.
- invoke-eventvwrbypass: found in PowerShell Empire, User Account Control (UAC) bypass.
- invoke-executemsbuild: found in PowerShell Empire, lateral movement.
- invoke-exfildatatogithub: found in PowerShell Empire, data exfiltration.
- invoke-filefinder: found in PowerView, file reconnaissance.
- invoke-fodhelperbypass: found in PowerShell Empire, User Account Control (UAC) bypass.
- invoke-inveigh: found in PowerShell Empire, man-in-the-middle (MITM) attack.
- invoke-inveighrelay: found in PowerShell Empire, lateral movement.
- invoke-kerberoast: found in PowerView, credential dumping.
- invoke-mimikatz: found in Mimikatz, credential dumping.
- invoke-mimikatzwdigestdowngrade: found in Mimikatz, credential dumping.
- invoke-mimikittenz: found in Mimikittenz, credential dumping.
- invoke-ms16032: found in PowerShell Empire, User Account Control (UAC) bypass.
- invoke-ms16135: found in PowerShell Empire, User Account Control (UAC) bypass.
- invoke-netripper: found in PowerShell Empire, network traffic interceptor.
- invoke-networkrelay: found in Nishang, port forwarding.
- invoke-ninjacopy: found in PowerShell Empire, data exfiltration.
- invoke-postexfil: found in PowerShell Empire, data exfiltration.
- invoke-powerdump: found in PowerShell Empire, credential dumping.
- invoke-powershellwmi: found in Nishang, Windows Management Instrumentation (WMI) shell.
- invoke-psexec: found in PowerShell Empire, lateral movement.
- invoke-psinject: found in PowerShell Empire, Windows Dynamic Link Library (DLL) injection.
- invoke-psuacme: found in Nishang, User Account Control (UAC) bypass.
- invoke-reflectivepeinjection: found in process reflective loading, PowerSploit embedding.
- invoke-runas: found in PowerShell Empire, run as clone without Microsoft Group Policy Object (GPO) path restrictions.
- invoke-sdcltbypass: found in PowerShell Empire, User Account Control (UAC) bypass.
- invoke-sessiongopher: found in SessionGopher, application credential dumping.
- invoke-sharefinder: found in PowerView, share reconnaissance.
- invoke-shellcode: found in PowerShell Empire, shellcode injection.
- invoke-shellcodemsil: found in PowerShell Empire, shellcode injection.
- invoke-smbexec: found in PowerShell Empire, lateral movement.
- invoke-sqloscmd: found in PowerShell Empire, lateral movement.
- invoke-sshcommand: found in PowerShell Empire, lateral movement.
- invoke-ssidexfil: found in Nishang, credential dumping.
- invoke-tater: found in PowerShell Empire, privilege escalation.
- invoke-tokenmanipulation: found in PowerShell Empire, user impersonation.
- invoke-vnc: found in PowerShell Empire, Virtual Network Computing (VNC) sideloading.
- invoke-wscriptbypassuac: found in PowerShell Empire, User Account Control (UAC) bypass.
- keylogger: found in Nishang, keylogging.
- out-minidump: found in PowerShell Empire, memory minidump.
- run-exeonremote: found in Nishang, executable dropper.
- set-dcshadowpermissions: found in Nishang, privilege escalation.
- set-powerstego: found in exfiltration steganography.
- set-remotepsremoting: found in Nishang, PSRemoting backdoor attack.
- set-remotewmi: found in Nishang, Windows Management Instrumentation (WMI) backdoor attack.
- show-targetscreen: found in Nishang, screen capture.
- start-tcpmonitor: found in PowerShell Empire, network traffic monitoring.
- unblock-file: found in unblocking internet downloaded files.
| Parameter | Type | Description |
|---|---|---|
| File parameters | ||
| Script paths | Advanced asset list | A list of script file paths that are authorized or unauthorized to run all PowerShell commands. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would ignore all files in the Shared folder under users' home directories). Case-insensitive matching is used. |
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to run any PowerShell command. Case-insensitive matching is used. |
| User security identifiers (SID) | Advanced asset list | A list of patterns for matching UIDs authorized or unauthorized to run any PowerShell command. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to run any PowerShell command. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0002 (Execution) attack.mitre.org/tactics/TA0002/ | T1059 (Command and Scripting Interpreter) attack.mitre.org/techniques/T1059/ | T1059.001 (PowerShell) attack.mitre.org/techniques/T1059/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by filename | Enabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Malicious USB device inserted
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Detects when a user inserts a malicious USB device.
Malicious devices are determined by the USB device serial number, VID, and PID. The following devices are considered to be malicious:
- Bash Bunny, with serial number 12345678 or VID:PID f000:fff0, f000:ff01, f000:ff02, f000:ff03, f000:ff04, f000:ff05, f000:ff06, f000:ff07, f000:ff08, f000:ff09, f000:ff10, f000:ff11, f000:ff12, f000:ff13, f000:ff14, f000:ff20, f000:ff21, f000:1234, 05ac:021e.
- LAN Turtle, with VID:PID 0bda:8152.
- Rubber Ducky, with VID:PID 0bda:8152.
- Teensy device, with VID:PID 16c0:047c, 16c0:047d, 16c0:047e, 16c0:047f, 16c0:0480, 16c0:0481, 16c0:0482, 16c0:0486, 16c0:0487.
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0001 (Initial Access) attack.mitre.org/tactics/TA0001/ | T1091 (Replication Through Removable Media) attack.mitre.org/techniques/T1091/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by USB identifier | Enabled |
| Cluster by USB serial number | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Multiple user account modifications
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 7.2.0 or later
Detects when a single user account makes multiple account modifications in a configurable time window.
| Parameter | Type | Description |
|---|---|---|
| Event type parameters | ||
| Monitor event types | String list | A list of user account event types to monitor. |
| Monitor only new accounts | Boolean | The toggle to enable/disable monitoring only those events created by recently created accounts. |
| New accounts time window (in minutes) | Integer | The number of minutes after creation for which an account is considered new. |
| Responsible user parameters | ||
| Ignore modifications to own account | Boolean | The toggle to enable/disable monitoring events where the modifying account is also the target account. |
| Account types | String list | A list of user account types to monitor. This parameter specifies the type of the responsible account, not the target account. |
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to modify user accounts. Case-insensitive matching is used. This parameter specifies the username of the responsible account, not the target account. |
| User security identifiers (SID) | Advanced asset list | A list of patterns for matching UIDs authorized or unauthorized to modify user accounts. Full regular expression (regex) grammar is supported and case-insensitive matching is used. This parameter specifies the UID of the responsible account, not the target account. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to modify user accounts. Full regular expression (regex) grammar is supported and case-insensitive matching is used. This parameter specifies the username of the responsible account, not the target account. |
| Time window parameters | ||
| Modification count threshold | Integer | The maximum number of user account modification events authorized during the given time window. |
| Time window (in minutes) | Integer | The number of minutes during which user account modifications are counted. |
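Every filter in this template is evaluated against the responsible account, and the count is kept per responsible account over a sliding window of minutes. The detector below is an added example, not FortiDLP's own code, showing that evaluation order on constructed events: the event fields, the assumption that a responsible account matching a "Username patterns" entry is exempt, and the choice to reset the count after a detection are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Added example, not FortiDLP code. The event fields and the rule that a listed username
# pattern exempts the responsible account are assumptions used to illustrate the parameters.


@dataclass
class AccountEvent:
    ts: int                 # minutes on a constructed clock
    event_type: str         # e.g. "password_reset", "group_membership_added"
    actor: str              # responsible account: the one that made the change
    actor_type: str         # e.g. "local" or "domain"
    actor_created_at: int   # minutes; when the responsible account itself was created
    target: str             # the account that was modified


@dataclass
class AccountModPolicy:
    monitored_event_types: set
    monitor_only_new_accounts: bool = False
    new_account_window_minutes: int = 60
    ignore_own_account: bool = True
    account_types: set = field(default_factory=lambda: {"local", "domain"})
    authorized_username_patterns: list = field(default_factory=list)  # regexes; matching actors are exempt
    modification_count_threshold: int = 5
    time_window_minutes: int = 10


class AccountModDetector:
    def __init__(self, policy: AccountModPolicy):
        self.policy = policy
        self._exempt = [re.compile(p, re.IGNORECASE) for p in policy.authorized_username_patterns]
        self._windows = defaultdict(deque)   # actor -> timestamps of in-scope modifications

    def _in_scope(self, ev: AccountEvent) -> bool:
        """Every filter in the template applies to the responsible account, not the target."""
        p = self.policy
        if ev.event_type not in p.monitored_event_types:
            return False
        if ev.actor_type not in p.account_types:
            return False
        if p.ignore_own_account and ev.actor.lower() == ev.target.lower():
            return False
        if p.monitor_only_new_accounts and ev.ts - ev.actor_created_at > p.new_account_window_minutes:
            return False
        if any(rx.fullmatch(ev.actor) for rx in self._exempt):
            return False
        return True

    def observe(self, ev: AccountEvent):
        """Feed one event; return a detection dict once the threshold is exceeded in the window."""
        if not self._in_scope(ev):
            return None
        window = self._windows[ev.actor.lower()]
        window.append(ev.ts)
        cutoff = ev.ts - self.policy.time_window_minutes
        while window and window[0] < cutoff:
            window.popleft()
        if len(window) > self.policy.modification_count_threshold:
            count = len(window)
            window.clear()   # one burst produces one detection; counting starts afresh
            return {"actor": ev.actor, "at": ev.ts, "count": count}
        return None


def run_demo():
    """Replay constructed events and return the detections."""
    policy = AccountModPolicy(
        monitored_event_types={"password_reset", "group_membership_added"},
        monitor_only_new_accounts=True, new_account_window_minutes=60,
        ignore_own_account=True, authorized_username_patterns=[r"svc-.*"],
        modification_count_threshold=3, time_window_minutes=10)
    detector = AccountModDetector(policy)
    events = []
    # Provisioning service account: exempt by pattern even though it is new and busy
    events += [AccountEvent(1 + i, "password_reset", "svc-iam", "domain", 0, f"user{i}") for i in range(6)]
    # Long-standing admin: skipped because only new accounts are monitored
    events += [AccountEvent(6000 + i, "group_membership_added", "jdoe", "domain", 50, f"user{i}") for i in range(6)]
    # Freshly created account that immediately resets four other users' passwords
    events += [AccountEvent(6001 + i, "password_reset", "tmp-admin", "local", 6000, f"user{i}") for i in range(4)]
    events.append(AccountEvent(6005, "password_reset", "tmp-admin", "local", 6000, "tmp-admin"))  # own account
    events.append(AccountEvent(6200, "password_reset", "tmp-admin", "local", 6000, "user9"))     # no longer new
    detections = []
    for ev in sorted(events, key=lambda e: e.ts):
        result = detector.observe(ev)
        if result:
            detections.append(result)
    return detections


if __name__ == "__main__":
    print(run_demo())   # one detection for tmp-admin at minute 6004 with count 4
```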
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0003 (Persistence) attack.mitre.org/tactics/TA0003/ | T1098 (Account Manipulation) attack.mitre.org/techniques/T1098/ | |
| TA0004 (Privilege Escalation) attack.mitre.org/tactics/TA0004/ | T1098 (Account Manipulation) attack.mitre.org/techniques/T1098/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by account name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
New application installed
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 7.2.0 or later
Detects when a new application is installed.
| Parameter | Type | Description |
|---|---|---|
| Application parameters | ||
| Application names | Advanced asset list | A list of application names (e.g. Office) that are authorized or unauthorized to be installed. Case-insensitive matching is used. Full regular expression (regex) grammar is supported. |
| Publishers | Advanced asset list | A list of application publishers (e.g. Microsoft Corporation), from which all applications are authorized or unauthorized to be installed. Case-insensitive matching is used. Full regular expression (regex) grammar is supported. |
| Registry key parameters | ||
| Registry key subscriptions | String list | A list of monitored registry keys related to installing applications. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0002 (Execution) attack.mitre.org/tactics/TA0002/ | | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
New application run
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Agent version 6.0.3 or later
Detects when an application is run for the first time.
| Parameter | Type | Description |
|---|---|---|
| Process parameters | ||
| Authorized binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) that are allowed to run. Case-insensitive matching is used. Populate this list with the names of new applications that can be run after the training period concludes without generating a detection. |
| Machine learning parameters | ||
| Training period (days) | Integer | The time period (in days) during which a list of applications typically run on a node are learned. No detections will be generated during this period. The FortiDLP Agent will continue to learn from application activity after this period. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0002 (Execution) attack.mitre.org/tactics/TA0002/ | | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
New DNS server used
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Agent version 7.7.1 or later
Detects when a node uses a new DNS server.
| Parameter | Type | Description |
|---|---|---|
| DNS server parameters | ||
| IP addresses | Advanced asset list | A list of DNS server IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) that the node is authorized to query. |
| Machine learning parameters | ||
| Training period (days) | Integer | The time period (in days) during which the list of DNS servers typically used by a node are learned. No detections will be generated during this period. The FortiDLP Agent will continue to learn from DNS activity after this period. |
| Ignore agents that frequently change DNS server | Boolean | The toggle to enable/disable reporting nodes that frequently use new DNS servers. If enabled, detections will not be generated during periods of transient DNS server use. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0011 (Command and Control) attack.mitre.org/tactics/TA0011/ | T1071 (Application Layer Protocol) attack.mitre.org/techniques/T1071/ | T1071.004 (DNS) attack.mitre.org/techniques/T1071/004/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by destination IP | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Outgoing port scan performed
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.2.5 or later
Detects when an excessive number of remote ports are connected to within a given time window, indicating an outgoing port scan attack.
Note: Subsequent detections and actions for the same local and remote address will not be generated until the configured time window has elapsed.
| Parameter | Type | Description |
|---|---|---|
| Remote address parameters | ||
| IP addresses | Advanced asset list | A list of IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) authorized or unauthorized to have port scans performed. |
| Remote port parameters | ||
| Remote port number upper bound | Integer | The upper bound on remote port numbers to consider when detecting outgoing port scanning. For example, to consider ports 1-1024, you would enter 1024. |
| Maximum permitted remote ports | Integer | The maximum number of remote ports that can be connected to during the given time window. |
| Time window parameters | ||
| Time window (in seconds) | Integer | The number of seconds during which port usage is counted. |
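As an added example (not FortiDLP code), the following Python models the counting these parameters describe: per (local, remote) address pair, distinct remote ports no higher than the upper bound are counted inside a sliding window, a detection fires once the count exceeds the maximum, and the pair is then suppressed for one window length as the note above states. The connection log is constructed, only the "authorized" sense of the IP address list is modelled, and the Agent's real implementation is not shown on this page.

```python
"""Reference model of the 'Outgoing port scan performed' counting logic.

Added example, not FortiDLP code. Assumptions: detections are keyed on the
(local IP, remote IP) pair; remote ports above the upper bound are ignored;
remote addresses inside an authorized CIDR are ignored; after a detection
the pair is suppressed until one time window has elapsed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Connection:
    ts: float          # seconds since an arbitrary epoch
    local_ip: str
    remote_ip: str
    remote_port: int


@dataclass
class PortScanDetector:
    window_seconds: int = 60          # "Time window (in seconds)"
    port_upper_bound: int = 1024      # "Remote port number upper bound"
    max_ports: int = 50               # "Maximum permitted remote ports"
    authorized_remote_nets: list = field(default_factory=list)  # CIDR strings
    # per (local, remote) pair: (timestamp, port) events inside the window
    _events: dict = field(default_factory=lambda: defaultdict(deque))
    # per pair: timestamp until which further detections are suppressed
    _suppressed_until: dict = field(default_factory=dict)

    def _remote_authorized(self, remote_ip: str) -> bool:
        addr = ipaddress.ip_address(remote_ip)
        # strict=False accepts entries with host bits set, e.g. 192.0.2.1/16
        return any(addr in ipaddress.ip_network(net, strict=False)
                   for net in self.authorized_remote_nets)

    def observe(self, c: Connection) -> bool:
        """Feed one outgoing connection; return True if it triggers a detection."""
        if c.remote_port > self.port_upper_bound:
            return False
        if self._remote_authorized(c.remote_ip):
            return False
        key = (c.local_ip, c.remote_ip)
        if c.ts < self._suppressed_until.get(key, float("-inf")):
            return False  # a detection for this pair is still being rate-limited
        q = self._events[key]
        q.append((c.ts, c.remote_port))
        cutoff = c.ts - self.window_seconds
        while q and q[0][0] < cutoff:       # drop events that fell out of the window
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) > self.max_ports:
            self._suppressed_until[key] = c.ts + self.window_seconds
            q.clear()
            return True
        return False


def run_sample() -> list:
    """Replay a constructed connection log; return the timestamps of detections."""
    det = PortScanDetector(window_seconds=10, port_upper_bound=1024, max_ports=5,
                           authorized_remote_nets=["10.0.0.0/8"])
    log = []
    # 1) sweep of ports 1-8 on an unauthorized host, half a second apart
    log += [Connection(0.5 * i, "192.168.1.5", "192.0.2.10", i) for i in range(1, 9)]
    # 2) the same sweep against a host in the authorized 10/8 range is ignored
    log += [Connection(5.0 + 0.5 * i, "192.168.1.5", "10.1.2.3", i) for i in range(1, 9)]
    # 3) repeated connections to one port above the upper bound never count
    log += [Connection(9.0 + 0.1 * i, "192.168.1.5", "192.0.2.20", 8443) for i in range(10)]
    # 4) once the suppression window has passed, the first pair is reported again
    log += [Connection(20.0 + 0.5 * k, "192.168.1.5", "192.0.2.10", 100 + k) for k in range(7)]
    return [c.ts for c in log if det.observe(c)]   # returns [3.0, 22.5]


if __name__ == "__main__":
    print(run_sample())
```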
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0007 (Discovery) attack.mitre.org/tactics/TA0007/ | T1046 (Network Service Discovery) attack.mitre.org/techniques/T1046/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by destination IP | Disabled |
| Cluster by source IP | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Potential AD reconnaissance attack detected
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects when reconnaissance is performed against a privileged user or group in Active Directory (AD).
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0007 (Discovery) attack.mitre.org/tactics/TA0007/ | T1087 (Account Discovery) attack.mitre.org/techniques/T1087/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Enabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Potential Pass-the-Hash attack detected
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects a login that is symptomatic of a Pass-the-Hash (PtH) attack.
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1550 (Use Alternate Authentication Material) attack.mitre.org/techniques/T1550/ | T1550.002 (Pass the Hash) attack.mitre.org/techniques/T1550/002/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Potential privilege escalation attack detected
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects when a user runs an application with administrator privileges.
Note: To use this policy, you must enable the Windows "Audit Process Creation" group policy and select the "Success" option.
| Parameter | Type | Description |
|---|---|---|
| Process parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. consent.exe) for which privilege escalation is authorized or unauthorized. Case-insensitive matching is used. |
| Parent binary names | Advanced asset list | A list of parent process binary names (e.g. consent.exe) for which child processes are authorized or unauthorized for privilege escalation. Case-insensitive matching is used. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0004 (Privilege Escalation) attack.mitre.org/tactics/TA0004/ | T1078 (Valid Accounts) attack.mitre.org/techniques/T1078/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Potential Sticky Key backdoor attack detected
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.2.0 or later
Detects when a user changes the Windows Sticky Keys registry.
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0003 (Persistence) attack.mitre.org/tactics/TA0003/ | T1546 (Event Triggered Execution) attack.mitre.org/techniques/T1546/ | T1546.008 (Accessibility Features) attack.mitre.org/techniques/T1546/008/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Enabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Potential WCE Pass-the-Hash attack detected
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects a login using Windows Credential Editor that is symptomatic of a Pass-the-Hash (PtH) attack.
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1550 (Use Alternate Authentication Material) attack.mitre.org/techniques/T1550/ | |
| TA0008 (Lateral Movement) attack.mitre.org/tactics/TA0008/ | T1550 (Use Alternate Authentication Material) attack.mitre.org/techniques/T1550/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Enabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Potential Windows RDP BlueKeep attack detected
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects indicators of a Windows Remote Desktop Protocol BlueKeep attack (CVE-2019-0708).
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0008 (Lateral Movement) attack.mitre.org/tactics/TA0008/ | T1210 (Exploitation of Remote Services) attack.mitre.org/techniques/T1210/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Enabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
PowerShell script block logging disabled
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.2.0 or later
Detects when a user disables PowerShell script block logging.
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1562 (Impair Defenses) attack.mitre.org/techniques/T1562/ | T1562.003 (Impair Command History Logging) attack.mitre.org/techniques/T1562/003/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Enabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Process run with unauthorized called path
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Detects when a process is run with an unauthorized called path.
| Parameter | Type | Description |
|---|---|---|
| Process parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. cmd.exe) users are authorized or unauthorized to run. Case-insensitive matching is used. If this is left empty, no detections will be generated and all processes will be allowed. |
| Called paths | Advanced asset list | A list of regular expressions matching binary called paths (e.g. rm -rf .*) that are authorized or unauthorized to run. If this is left empty, no detections will be generated and all processes will be allowed. |
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to run unauthorized processes. Case-insensitive matching is used. |
| User identifier patterns | Advanced asset list | A list of patterns for matching user identifiers (SID on Windows and UID on Linux and macOS) that are authorized or unauthorized to run unauthorized processes. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to run unauthorized processes. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0002 (Execution) attack.mitre.org/tactics/TA0002/ | | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by called path | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process
Profiles tool used
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: macOS, Agent version 7.2.0 or later
Detects when the /usr/bin/profiles command is used to install, remove, or otherwise handle configuration profiles.
| Parameter | Type | Description |
|---|---|---|
| Process parameters | ||
| Called paths | Advanced asset list | A list of regular expressions matched against the called path; a match identifies authorized or unauthorized usage of the profiles tool. For example, to prohibit the "/usr/bin/profiles install -path /example.mobileconfig" command, enter "install" (without the double quotes) and select the "Prohibit listed called paths" behavior. The match is case-sensitive. Note: An empty list matches all uses of the profiles tool. |
| Parent process parameters | ||
| Binary names | Advanced asset list | A list of binary names that are authorized or unauthorized to run the profiles tool (e.g. jamf-pro.exe). Case-insensitive matching is used. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0003 (Persistence) attack.mitre.org/tactics/TA0003/ | T1546 (Event Triggered Execution) attack.mitre.org/techniques/T1546/ | T1546.004 (Unix Shell Configuration Modification) attack.mitre.org/techniques/T1546/004/ |
| TA0004 (Privilege Escalation) attack.mitre.org/tactics/TA0004/ | T1546 (Event Triggered Execution) attack.mitre.org/techniques/T1546/ | T1546.004 (Unix Shell Configuration Modification) attack.mitre.org/techniques/T1546/004/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by called path | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
RDP connection made over reverse SSH tunnel
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects when a Remote Desktop Protocol connection is made over a reverse SSH tunnel.
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0008 (Lateral Movement) attack.mitre.org/tactics/TA0008/ | T1021 (Remote Services) attack.mitre.org/techniques/T1021/ | T1021.001 (Remote Desktop Protocol) attack.mitre.org/techniques/T1021/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by destination IP | Enabled |
| Cluster by source IP | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
RDP login made from localhost
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects a localhost tunneled Remote Desktop Protocol login.
| Parameter | Type | Description |
|---|---|---|
| Responsible user parameters | ||
| Responsible usernames | Advanced asset list | A list of usernames authorized or unauthorized to use Windows Remote Desktop. Case-insensitive matching is used. |
| Responsible username patterns | Advanced asset list | A list of patterns for matching usernames authorized or unauthorized to use Windows Remote Desktop. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Target user parameters | ||
| Target usernames | Advanced asset list | A list of usernames authorized or unauthorized to be the target of Windows Remote Desktop. Case-insensitive matching is used. |
| Target username patterns | Advanced asset list | A list of patterns for matching usernames authorized or unauthorized to be the target of Windows Remote Desktop. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0008 (Lateral Movement) attack.mitre.org/tactics/TA0008/ | T1021 (Remote Services) attack.mitre.org/techniques/T1021/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Registry startup items added
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.2.0 or later
Detects when a process adds a registry startup item.
| Parameter | Type | Description |
|---|---|---|
| Startup item parameters | ||
| Startup items | Advanced asset list | A list of startup items that are authorized or unauthorized to be installed. Case-insensitive matching is used. Full regular expression (regex) grammar is supported. |
| Responsible process parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. MsMpEng.exe) authorized or unauthorized to add startup items. Case-insensitive matching is used. |
| Registry key parameters | ||
| Registry key subscriptions | Advanced asset list | A list of registry keys to monitor related to startup item changes. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0003 (Persistence) attack.mitre.org/tactics/TA0003/ | T1547 (Boot or Logon Autostart Execution) attack.mitre.org/techniques/T1547/ | T1547.001 (Registry Run Keys / Startup Folder) attack.mitre.org/techniques/T1547/001/ |
| TA0004 (Privilege Escalation) attack.mitre.org/tactics/TA0004/ | T1547 (Boot or Logon Autostart Execution) attack.mitre.org/techniques/T1547/ | T1547.001 (Registry Run Keys / Startup Folder) attack.mitre.org/techniques/T1547/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by called path | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Registry value changed
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.2.0 or later
Detects when a process modifies a registry value.
| Parameter | Type | Description |
|---|---|---|
| Registry key parameters | ||
| Registry key value subscriptions | Advanced asset list | A list of registry key values to monitor. To monitor all values at a given key use "*", for example, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\* would monitor all values in the Run subkey, and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example would monitor only the Example value. |
| Registry value data | Advanced asset list | A list of value data, in <value name>=<value data> format, that is authorized or unauthorized to be configured. For example DisplayName=Example would match the registry value with name DisplayName and data Example. To match all value names use "*", for example *=Example would match any registry value with data Example. |
| Registry action parameters | ||
| Monitor creation | Boolean | The toggle to enable/disable detection of registry value creation. |
| Monitor modification | Boolean | The toggle to enable/disable detection of registry value changes. |
| Monitor deletion | Boolean | The toggle to enable/disable detection of registry value deletion. |
| Responsible process parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. MsMpEng.exe) authorized or unauthorized to modify registry values. Case-insensitive matching is used. |
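As an added example (not FortiDLP code), the following Python models how the subscription and value-data syntax described above selects events: a subscription of KEY\* covers every value under KEY, a `<value name>=<value data>` entry with `*` as the name matches any value name, the three action toggles gate which operations are reported, and listed responsible binaries are exempt. The events and the `mgmt-agent.exe` process name are constructed; case-insensitive comparison of key paths and value names is an assumption, and value data is compared exactly.

```python
"""Matcher for the 'Registry value changed' parameter syntax.

Added example, not FortiDLP code. Assumptions: key paths and value names are
compared case-insensitively (the Windows registry itself is case-insensitive),
value data is compared exactly, and the "Registry value data" list is applied
in its "prohibit listed" sense unless prohibit_listed_data is False.
"""
from dataclasses import dataclass, field

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class RegistryEvent:
    action: str        # "create", "modify" or "delete"
    key: str           # full key path, e.g. RUN_KEY
    value_name: str
    value_data: str    # empty string for deletions
    binary_name: str   # responsible process, e.g. reg.exe


@dataclass
class RegistryValuePolicy:
    # "Registry key value subscriptions": KEY\VALUE, or KEY\* for every value under KEY
    subscriptions: list
    # "Registry value data": "<value name>=<value data>"; "*" matches any value name
    value_data: list = field(default_factory=list)
    prohibit_listed_data: bool = True   # True: listed data is unauthorized
    monitor_creation: bool = True
    monitor_modification: bool = True
    monitor_deletion: bool = True
    # "Responsible process" binary names allowed to change subscribed values
    authorized_binaries: list = field(default_factory=list)

    @staticmethod
    def _split_subscription(sub: str):
        key, _, name = sub.rpartition("\\")   # last path element is the value name
        return key, name

    def _subscribed(self, ev: RegistryEvent) -> bool:
        for sub in self.subscriptions:
            key, name = self._split_subscription(sub)
            if key.lower() != ev.key.lower():
                continue
            if name == "*" or name.lower() == ev.value_name.lower():
                return True
        return False

    def _data_listed(self, ev: RegistryEvent) -> bool:
        for entry in self.value_data:
            name, _, data = entry.partition("=")
            if name != "*" and name.lower() != ev.value_name.lower():
                continue
            if data == ev.value_data:
                return True
        return False

    def detects(self, ev: RegistryEvent) -> bool:
        """Return True if the policy would generate a detection for this event."""
        enabled = {"create": self.monitor_creation,
                   "modify": self.monitor_modification,
                   "delete": self.monitor_deletion}
        if not enabled.get(ev.action, False):
            return False
        if not self._subscribed(ev):
            return False
        if ev.binary_name.lower() in {b.lower() for b in self.authorized_binaries}:
            return False
        if not self.value_data:
            return True   # no data filter: every change to a subscribed value is reported
        listed = self._data_listed(ev)
        return listed if self.prohibit_listed_data else not listed


def sample_policy() -> RegistryValuePolicy:
    """Constructed policy: watch every value under the HKLM Run key, treat an
    autostart entry whose data is C:\\Users\\Public\\update.exe as unauthorized,
    and exempt the hypothetical management process mgmt-agent.exe."""
    return RegistryValuePolicy(
        subscriptions=[RUN_KEY + r"\*"],
        value_data=[r"*=C:\Users\Public\update.exe"],
        authorized_binaries=["mgmt-agent.exe"],
    )
```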
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1112 (Modify Registry) attack.mitre.org/techniques/T1112/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Remote Desktop connection received
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.2.5 or later
Detects when a node receives a Windows Remote Desktop connection.
| Parameter | Type | Description |
|---|---|---|
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to use Windows Remote Desktop. Case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to use Windows Remote Desktop. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Connection parameters | ||
| IP addresses | Advanced asset list | A list of IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) authorized or unauthorized to use Windows Remote Desktop on host. |
| Detection parameters | ||
| Rate limit (minutes) | Integer | The minimum time (in minutes) between consecutive detections for Remote Desktop sessions from the same source and user. Set to 0 to disable. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0008 (Lateral Movement) attack.mitre.org/tactics/TA0008/ | T1021 (Remote Services) attack.mitre.org/techniques/T1021/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by source IP | Enabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Remote Desktop session enabled
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.2.5 or later
Detects when a user enables a Windows Remote Desktop service.
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0008 (Lateral Movement) attack.mitre.org/tactics/TA0008/ | T1021 (Remote Services) attack.mitre.org/techniques/T1021/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Root certificate installed
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 6.0.5 or later
Detects when a user adds a root certificate to the system.
Note: Subsequent detections and actions for the same signature will not be generated until at least 30 seconds after the first detection/action.
| Parameter | Type | Description |
|---|---|---|
| Certificate parameters | ||
| Certificate signatures | Advanced asset list | A list of certificate signatures that are authorized or unauthorized to be added to the system. Case-insensitive matching is used. |
| Certificate subjects | Advanced asset list | A list of certificate subjects that are authorized or unauthorized to be added to the system. Full regular expression (regex) grammar is supported. |
| Registry key parameters | ||
| Registry key subscriptions | String list | A list of monitored registry keys related to installing root certificates. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1553 (Subvert Trust Controls) attack.mitre.org/techniques/T1553/ | T1553.004 (Install Root Certificate) attack.mitre.org/techniques/T1553/004/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by certificate name | Enabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Root certificate security settings changed
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.2.0 or later
Detects when a user changes root certificate security settings.
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1553 (Subvert Trust Controls) attack.mitre.org/techniques/T1553/ | T1553.004 (Install Root Certificate) attack.mitre.org/techniques/T1553/004/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Enabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Ruler hacking tool used
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects when a user uses the Ruler hacking tool.
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0003 (Persistence) attack.mitre.org/tactics/TA0003/ | T1137 (Office Application Startup) attack.mitre.org/techniques/T1137/ | |
| TA0007 (Discovery) attack.mitre.org/tactics/TA0007/ | T1087 (Account Discovery) attack.mitre.org/techniques/T1087/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Suspicious Windows commands executed
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects when a user executes multiple suspicious commands within a given time period.
Note: Subsequent detections and actions for the same user will not be generated until at least one hour after the first detection.
| Parameter | Type | Description |
|---|---|---|
| Execution count parameters | ||
| Time window (in minutes) | Integer | The number of minutes during which the maximum suspicious command execution count is applied. |
| Maximum permitted suspicious command executions | Integer | The maximum number of suspicious command executions allowed during the given time period. |
| Process parameters | ||
| Suspicious binary names | Advanced asset list | A list of suspicious binary names. Case-insensitive matching is used. |
| Suspicious binary SHA-256 hashes | Advanced asset list | A list of suspicious binary SHA-256 hashes. Case-insensitive matching is used. |
| Suspicious application IDs | Advanced asset list | A list of suspicious binary application identifiers. Case-insensitive matching is used. |
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to run unauthorized suspicious commands. Case-insensitive matching is used. |
| User identifier patterns | Advanced asset list | A list of patterns for matching user identifiers (SID on Windows and UID on Linux and macOS) that are authorized or unauthorized to run suspicious commands. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to run suspicious commands. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Parent process parameters | ||
| Binary names | Advanced asset list | A list of binary names that are authorized or unauthorized to run suspicious commands (e.g. chrome.exe). Case-insensitive matching is used. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0002 (Execution) attack.mitre.org/tactics/TA0002/ | | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
System time modified
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects when a user modifies the system time.
| Parameter | Type | Description |
|---|---|---|
| Process parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to modify system time. Case-insensitive matching is used. |
| Binary paths | Advanced asset list | A list of file path expressions matching binaries authorized or unauthorized to modify system time. The match can use glob-style pattern matching rules (e.g. C:\Windows\** would match all files in the Windows folder). Case-insensitive matching is used. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1070 (Indicator Removal) attack.mitre.org/techniques/T1070/ | T1070.006 (Timestomp) attack.mitre.org/techniques/T1070/006/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Unauthorized application used
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Detects when an unauthorized application is run. A detection will be generated if an unauthorized child process is run by an unauthorized parent process, unless the "Allow admin to run application" toggle is enabled and it is run with admin privileges.
| Parameter | Type | Description |
|---|---|---|
| Application parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) users are authorized or unauthorized to run. Case-insensitive matching is used. |
| Application IDs | Advanced asset list | A list of process metadata application identifiers (e.g. v1.com.google.Chrome) users are authorized or unauthorized to run. Case-insensitive matching is used. |
| Applications rule | String | The rule to apply for monitoring application usage. For example, choosing "Allow listed applications" would allow users to run all applications except those specified in the "Applications" list. Choosing "Prohibit listed applications" would only prohibit applications specified in the "Applications" list parameter. |
| Applications | Asset list | A list of predefined applications to which the "Applications rule" is applied. |
| User parameters | ||
| Ignore administrator accounts | Boolean | A toggle to enable/disable reporting local or system administrator accounts. If enabled, a detection will not be generated if a local or system administrator account runs an unauthorized application. Note: This toggle only checks for admin privileges on Windows platforms. |
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to run unauthorized applications. Case-insensitive matching is used. |
| User identifier patterns | Advanced asset list | A list of patterns for matching user identifiers (SID on Windows and UID on Linux and macOS) that are authorized or unauthorized to run unauthorized applications. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to run unauthorized applications. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Parent process parameters | ||
| Binary names | Advanced asset list | A list of parent process binary names (e.g. explorer.exe) authorized or unauthorized to run unauthorized applications. Case-insensitive matching is used. |
| Called paths | Advanced asset list | A list of regular expressions matching called paths of parent processes that are authorized or unauthorized to run unauthorized applications (e.g. .*compattelrunner\.exe -maintenance). |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0002 (Execution) attack.mitre.org/tactics/TA0002/ | | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process
Unauthorized PowerShell command executed
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 6.0.3 or later
Detects when an unauthorized PowerShell command is executed.
Note: Subsequent detections and actions for repeated executions of the same command will not be generated until at least 30 seconds after the first detection/action.
Note: To use this policy you must enable the Windows "PowerShell Script Block Logging" group policy; see https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1#enabling-script-block-logging for details.
| Parameter | Type | Description |
|---|---|---|
| Command parameters | ||
| Unauthorized command patterns | Advanced asset list | A list of command patterns that users are unauthorized to run in PowerShell. Full regular expression (regex) grammar is supported. For example, entering "Read-S3Object (.* )?-BucketName Confidential( .*)?" would match Read-S3Object commands that read from an S3 bucket named Confidential. |
| File parameters | ||
| Script paths | Advanced asset list | A list of script file paths that are authorized or unauthorized to run all PowerShell commands. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would ignore all files in the Shared folder under users' home directories). Case-insensitive matching is used. |
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to run any PowerShell command. Case-insensitive matching is used. |
| User security identifiers (SID) | Advanced asset list | A list of patterns for matching UIDs authorized or unauthorized to run any PowerShell command. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to run any PowerShell command. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
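The following is an added example, not FortiDLP code, showing how the "Unauthorized command patterns" regex from this table and the 30-second repeat window above behave together when run over script block text. The sample events are constructed; two details the page does not state are assumed and marked in the code: the pattern is matched against the whole script block, and "the same command" means the same script text from the same user.

```python
import re

# Constructed sample script-block events (not captured from a real host):
# (seconds since the first event, user, script block text)
SAMPLE_EVENTS = [
    (0,  "alice", "Read-S3Object -BucketName Confidential -Key q1.xlsx -File C:\\tmp\\q1.xlsx"),
    (10, "alice", "Read-S3Object -BucketName Confidential -Key q1.xlsx -File C:\\tmp\\q1.xlsx"),  # repeat 10 s later: suppressed
    (20, "bob",   "Read-S3Object -BucketName Public -Key readme.txt"),                             # other bucket: no match
    (45, "alice", "Read-S3Object -BucketName Confidential -Key q1.xlsx -File C:\\tmp\\q1.xlsx"),  # 45 s after the first: reported again
    (50, "carol", "Read-S3Object -Region us-east-1 -BucketName Confidential"),                     # extra parameter before the flag: matches
]

# The page's own example pattern.
UNAUTHORIZED_PATTERNS = [r"Read-S3Object (.* )?-BucketName Confidential( .*)?"]

SUPPRESSION_WINDOW_S = 30  # the 30-second repeat window described for this policy


def evaluate(events, patterns, window_s=SUPPRESSION_WINDOW_S):
    """Return (timestamp, user, command) for each execution that would be reported.

    Assumptions not stated on the page: the pattern must match the whole
    script block (re.fullmatch), and "the same command" means the same
    script text run by the same user.
    """
    compiled = [re.compile(p) for p in patterns]
    last_reported = {}  # (user, command) -> timestamp of the last reported detection
    detections = []
    for ts, user, cmd in sorted(events, key=lambda e: e[0]):
        if not any(c.fullmatch(cmd) for c in compiled):
            continue
        key = (user, cmd)
        prev = last_reported.get(key)
        if prev is not None and ts - prev < window_s:
            continue  # repeat inside the suppression window: no new detection or action
        last_reported[key] = ts
        detections.append((ts, user, cmd))
    return detections


if __name__ == "__main__":
    for ts, user, cmd in evaluate(SAMPLE_EVENTS, UNAUTHORIZED_PATTERNS):
        print(f"t+{ts:>3}s {user}: {cmd}")
```

The `(.* )?` group is what lets the pattern tolerate parameters placed before `-BucketName`, and `( .*)?` tolerates anything after it; without them a user could reorder arguments and slip past a literal pattern. The repeat window means a looping script produces one detection (and one action) per 30 seconds rather than one per iteration.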
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0002 (Execution) attack.mitre.org/tactics/TA0002/ | T1059 (Command and Scripting Interpreter) attack.mitre.org/techniques/T1059/ | T1059.001 (PowerShell) attack.mitre.org/techniques/T1059/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
User account created and deleted in the same session
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 7.2.0 or later
Detects when a user account creates and deletes another account during the same session.
| Parameter | Type | Description |
|---|---|---|
| Responsible user parameters | ||
| Account types | String list | A list of user account types to monitor. This parameter specifies the type of the responsible account, not the target account. |
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to modify user accounts. Case-insensitive matching is used. This parameter specifies the username of the responsible account, not the target account. |
| User security identifiers (SID) | Advanced asset list | A list of patterns for matching UIDs authorized or unauthorized to modify user accounts. Full regular expression (regex) grammar is supported and case-insensitive matching is used. This parameter specifies the UID of the responsible account, not the target account. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to modify user accounts. Full regular expression (regex) grammar is supported and case-insensitive matching is used. This parameter specifies the username of the responsible account, not the target account. |
| Session parameters | ||
| Session duration (in minutes) | Integer | The maximum number of minutes between account creation and deletion events for them to be considered to have happened in the same session. Note: If set to 0 then the session length will not be determined by a fixed duration, instead the start and end of a session will be determined by user login and logout events. |
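An added example (not FortiDLP code) of the two session semantics this parameter selects: a fixed window in minutes after the creation event, or, when the value is 0, the responsible account's own logon-to-logoff session. The event list is constructed; how the product pairs creation and deletion events internally is not stated on the page, so pairing on (responsible account, target account) is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample Windows account events (not from the page):
# (timestamp, event type, responsible account, target account or None)
T0 = datetime(2024, 1, 8, 9, 0)
SAMPLE_EVENTS = [
    (T0,                          "logon",   "CORP\\helpdesk1", None),
    (T0 + timedelta(minutes=5),   "created", "CORP\\helpdesk1", "tmp_svc"),
    (T0 + timedelta(minutes=50),  "deleted", "CORP\\helpdesk1", "tmp_svc"),      # 45 min later, same logon session
    (T0 + timedelta(minutes=60),  "logoff",  "CORP\\helpdesk1", None),
    (T0 + timedelta(minutes=70),  "logon",   "CORP\\helpdesk1", None),
    (T0 + timedelta(minutes=75),  "created", "CORP\\helpdesk1", "contractor7"),
    (T0 + timedelta(minutes=80),  "logoff",  "CORP\\helpdesk1", None),
    (T0 + timedelta(minutes=90),  "logon",   "CORP\\helpdesk1", None),
    (T0 + timedelta(minutes=95),  "deleted", "CORP\\helpdesk1", "contractor7"),  # 20 min later, but a new logon session
    (T0 + timedelta(minutes=100), "deleted", "CORP\\admin2",    "other"),        # no matching creation: ignored
]


def detect(events, session_duration_minutes):
    """Return (responsible, target, deletion time) for every create-then-delete pair in one session.

    session_duration_minutes > 0: the deletion must occur within that many minutes of the creation.
    session_duration_minutes == 0: the deletion must occur in the same logon session (before the
    responsible account logs off) as the creation.
    Assumption: events are paired on (responsible account, target account).
    """
    sessions = {}    # responsible -> (logon counter, currently logged on?)
    pending = {}     # (responsible, target) -> (creation time, logon counter at creation)
    detections = []
    for ts, kind, who, target in sorted(events, key=lambda e: e[0]):
        if kind == "logon":
            n, _ = sessions.get(who, (0, False))
            sessions[who] = (n + 1, True)
        elif kind == "logoff":
            n, _ = sessions.get(who, (0, False))
            sessions[who] = (n, False)
        elif kind == "created":
            pending[(who, target)] = (ts, sessions.get(who, (0, False))[0])
        elif kind == "deleted":
            rec = pending.pop((who, target), None)
            if rec is None:
                continue
            created_at, created_session = rec
            if session_duration_minutes > 0:
                same_session = ts - created_at <= timedelta(minutes=session_duration_minutes)
            else:
                n, active = sessions.get(who, (0, False))
                same_session = active and n == created_session
            if same_session:
                detections.append((who, target, ts))
    return detections


if __name__ == "__main__":
    print("30-minute window:", detect(SAMPLE_EVENTS, 30))
    print("logon session   :", detect(SAMPLE_EVENTS, 0))
```

The two settings flag different events on the same input: with a 30-minute window only the `contractor7` pair is reported (the `tmp_svc` pair spans 45 minutes), while with 0 only the `tmp_svc` pair is reported (the `contractor7` deletion happens in a later logon session). Choose the fixed window where interactive sessions are long-lived, such as servers where administrators stay logged on for days.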
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0003 (Persistence) attack.mitre.org/tactics/TA0003/ | T1136 (Create Account) attack.mitre.org/techniques/T1136/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by account name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
User account modified
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 7.2.0 or later
Detects when a user account is modified.
| Parameter | Type | Description |
|---|---|---|
| Event type parameters | ||
| Monitor event types | String list | A list of user account event types to monitor. |
| Monitor only new accounts | Boolean | The toggle to enable/disable monitoring only those events created by recently created accounts. |
| New accounts time window (in minutes) | Integer | The number of minutes after creation for which an account is considered new. |
| Monitor only first account modification | Boolean | The toggle to enable/disable monitoring only those accounts that have not previously modified any accounts. |
| First account modification training period (in days) | Integer | The time period (in days) during which no first account modification detections will be generated. |
| Inactivity limit (in days) | Integer | The maximum time between consecutive account modifications before an account is treated as if it had never made any previous account modifications. Once this time has elapsed, any further account modification will result in a detection. If set to 0 then this behavior is ignored and only the first account modification will result in a detection. |
| Responsible user parameters | ||
| Ignore modifications to own account | Boolean | The toggle to enable/disable monitoring events where the modifying account is also the target account. |
| Account types | String list | A list of user account types to monitor. This parameter specifies the type of the responsible account, not the target account. |
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to modify user accounts. Case-insensitive matching is used. This parameter specifies the username of the responsible account, not the target account. |
| User security identifiers (SID) | Advanced asset list | A list of patterns for matching UIDs authorized or unauthorized to modify user accounts. Full regular expression (regex) grammar is supported and case-insensitive matching is used. This parameter specifies the UID of the responsible account, not the target account. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to modify user accounts. Full regular expression (regex) grammar is supported and case-insensitive matching is used. This parameter specifies the username of the responsible account, not the target account. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0003 (Persistence) attack.mitre.org/tactics/TA0003/ | T1098 (Account Manipulation) attack.mitre.org/techniques/T1098/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by account name | Enabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
User account modified outside office hours
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 7.2.0 or later
Detects when a user account is modified outside of expected working hours.
| Parameter | Type | Description |
|---|---|---|
| Event type parameters | ||
| Monitor event types | String list | A list of user account event types to monitor. |
| Monitor only new accounts | Boolean | The toggle to enable/disable monitoring only those events created by recently created accounts. |
| New accounts time window (in minutes) | Integer | The number of minutes after creation for which an account is considered new. |
| Responsible user parameters | ||
| Ignore modifications to own account | Boolean | The toggle to enable/disable monitoring events where the modifying account is also the target account. |
| Account types | String list | A list of user account types to monitor. This parameter specifies the type of the responsible account, not the target account. |
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to modify user accounts. Case-insensitive matching is used. This parameter specifies the username of the responsible account, not the target account. |
| User security identifiers (SID) | Advanced asset list | A list of patterns for matching UIDs authorized or unauthorized to modify user accounts. Full regular expression (regex) grammar is supported and case-insensitive matching is used. This parameter specifies the UID of the responsible account, not the target account. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to modify user accounts. Full regular expression (regex) grammar is supported and case-insensitive matching is used. This parameter specifies the username of the responsible account, not the target account. |
| Expected hours parameters | ||
| List of days off | String list | A list of non-working days. This list can be empty, which would indicate that every day of the week is a working day. |
| Start time | String | The start time of the work day in 24-hour format (HH:MM). Times are in the FortiDLP Agent's local timezone. |
| End time | String | The end time of the work day in 24-hour format (HH:MM). Times are in the FortiDLP Agent's local timezone. |
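An added example, not FortiDLP code, of the expected-hours check these three parameters define, run over constructed account-modification events. Times are treated as naive Agent-local times, as the table specifies. Three details the page leaves open are assumptions and marked in the code: day names match case-insensitively, the end time is exclusive, and an end time earlier than the start time is taken as a working window that crosses midnight.

```python
from datetime import datetime, time

# Constructed sample account-modification events (not from the page):
# (timestamp in Agent-local time, responsible account, target account, event type)
SAMPLE_EVENTS = [
    (datetime(2024, 1, 8, 10, 15), "CORP\\helpdesk1", "jdoe",   "password reset"),  # Monday, in hours
    (datetime(2024, 1, 8, 19, 40), "CORP\\helpdesk1", "jdoe",   "password reset"),  # Monday evening
    (datetime(2024, 1, 9,  8, 59), "CORP\\admin2",    "svc_bk", "enabled"),         # Tuesday, one minute early
    (datetime(2024, 1, 13, 11, 0), "CORP\\admin2",    "svc_bk", "group change"),    # Saturday
]


def parse_hhmm(s):
    """Parse the HH:MM 24-hour format used by the Start time / End time parameters."""
    hours, minutes = s.split(":")
    return time(int(hours), int(minutes))


def outside_office_hours(ts, days_off, start="09:00", end="17:30"):
    """True if ts falls on a listed day off or outside the [start, end) window.

    Assumptions not stated on the page: day names are compared
    case-insensitively, the end time is exclusive, and an end time earlier
    than the start time denotes a window that crosses midnight (the day-off
    check then uses the event's own calendar date).
    """
    if ts.strftime("%A").lower() in {d.lower() for d in days_off}:
        return True
    start_t, end_t = parse_hhmm(start), parse_hhmm(end)
    t = ts.time()
    if start_t <= end_t:
        inside = start_t <= t < end_t
    else:
        inside = t >= start_t or t < end_t
    return not inside


def detect_off_hours(events, days_off, start="09:00", end="17:30"):
    """Return the events that would raise a detection under the given expected-hours parameters."""
    return [e for e in events if outside_office_hours(e[0], days_off, start, end)]


if __name__ == "__main__":
    for ts, who, target, kind in detect_off_hours(SAMPLE_EVENTS, ["Saturday", "Sunday"]):
        print(f"{ts:%a %Y-%m-%d %H:%M} {who} -> {target}: {kind}")
```

With days off set to Saturday and Sunday and a 09:00 to 17:30 window, the Monday morning reset passes and the other three events are reported. Because the parameters are evaluated in the Agent's local timezone, a fleet spanning several timezones needs per-region policies rather than one shared window.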
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0003 (Persistence) attack.mitre.org/tactics/TA0003/ | T1098 (Account Manipulation) attack.mitre.org/techniques/T1098/ | |
| TA0004 (Privilege Escalation) attack.mitre.org/tactics/TA0004/ | T1098 (Account Manipulation) attack.mitre.org/techniques/T1098/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by account name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
User added to local security-enabled group
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects when a user is added to a local security-enabled group, which could indicate privilege abuse.
| Parameter | Type | Description |
|---|---|---|
| Group parameters | ||
| Groups | Advanced asset list | A list of groups in Domain\Groupname format to which users are authorized or unauthorized to be added. Case-insensitive matching is used. |
| Group patterns | Advanced asset list | A list of patterns for matching groups in Domain\Groupname format to which users are authorized or unauthorized to be added. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Responsible user parameters | ||
| Usernames | Advanced asset list | A list of usernames in Domain\Username format authorized or unauthorized to make changes to a group. Case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames in Domain\Username format that are authorized or unauthorized to make changes to a group. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0004 (Privilege Escalation) attack.mitre.org/tactics/TA0004/ | T1548 (Abuse Elevation Control Mechanism) attack.mitre.org/techniques/T1548/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by account name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Windows audit policy removed
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects when a user removes a Windows audit policy.
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1562 (Impair Defenses) attack.mitre.org/techniques/T1562/ | T1562.002 (Disable Windows Event Logging) attack.mitre.org/techniques/T1562/002/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Windows FortiDLP Agent tampered with
Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 7.6.2 or later
Detects when a user tampers with the Windows FortiDLP Agent or FortiDLP Browser Extension.
Note: Subsequent detections and actions for the same FortiDLP component will not be generated until at least one week after the first detection/action.
| Parameter | Type | Description |
|---|---|---|
| Process parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. notepad.exe) authorized or unauthorized to read or modify FortiDLP Agent data. Case-insensitive matching is used. |
| Binary paths | Advanced asset list | A list of binary paths authorized or unauthorized to read or modify FortiDLP Agent data. The match can use glob-style pattern matching rules (e.g. C:\Program Files (x86)\Google\** would match all applications under the Google folder). Case-insensitive matching is used. |
| Called paths | Advanced asset list | A list of regular expressions matching called paths of processes that are authorized or unauthorized to read or modify FortiDLP Agent data (e.g. .*compattelrunner\.exe -maintenance). |
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to read or modify FortiDLP Agent data. Case-insensitive matching is used. |
| User identifier patterns | Advanced asset list | A list of patterns for matching user identifiers (SID on Windows and UID on Linux and macOS) that are authorized or unauthorized to read or modify FortiDLP Agent data. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to read or modify FortiDLP Agent data. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Tampering parameters | ||
| Tampering activity to monitor | String list | A list of tampering activities to monitor for both the FortiDLP Agent and FortiDLP Browser Extension. Note: The "Service tampering" option enables monitoring of the Agent service being stopped and requires Agent anti-tampering to be enabled. For instructions, refer to the FortiDLP Administration Guide. Additionally, service tampering detection via PowerShell commands requires the "PowerShell Script Block Logging" group policy to be enabled. For instructions, go to https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1#enabling-script-block-logging. |
| File and registry tampering operations to monitor | String list | A list of tampering operations to monitor for both the FortiDLP Agent and FortiDLP Browser Extension, applicable to files and registry data. Note: If Agent anti-tampering is enabled, delete operations will be reported as write operations in detections. For this reason, if you want to monitor "Delete" operations, ensure the "Write" value is also selected. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1562 (Impair Defenses) attack.mitre.org/techniques/T1562/ | T1562.001 (Disable or Modify Tools) attack.mitre.org/techniques/T1562/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Windows PSRemoting enabled
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.2.5 or later
Detects when a user enables PSRemoting.
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0008 (Lateral Movement) attack.mitre.org/tactics/TA0008/ | T1021 (Remote Services) attack.mitre.org/techniques/T1021/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Enabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Windows PSRemoting used
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.2.5 or later
Detects when a user uses PSRemoting.
| Parameter | Type | Description |
|---|---|---|
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames (in Domain\Username format) authorized or unauthorized to use PSRemoting. Case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames in Domain\Username format that are authorized or unauthorized to use PSRemoting. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| IP parameters | ||
| IP addresses | Advanced asset list | A list of IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) authorized or unauthorized to use PSRemoting on the node. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0002 (Execution) attack.mitre.org/tactics/TA0002/ | T1059 (Command and Scripting Interpreter) attack.mitre.org/techniques/T1059/ | T1059.001 (PowerShell) attack.mitre.org/techniques/T1059/001/ |
| TA0008 (Lateral Movement) attack.mitre.org/tactics/TA0008/ | T1021 (Remote Services) attack.mitre.org/techniques/T1021/ | T1021.006 (Windows Remote Management) attack.mitre.org/techniques/T1021/006/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by source IP | Enabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Windows security event logs cleared
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 4.1.0 or later
Detects when a user clears Windows security event logs.
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1070 (Indicator Removal) attack.mitre.org/techniques/T1070/ | T1070.001 (Clear Windows Event Logs) attack.mitre.org/techniques/T1070/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by account name | Enabled |
| Cluster by binary name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Windows unauthorized service added
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 7.2.2 or later
Detects when a user adds a well-known malicious Windows service.
Malicious services are determined by observing Windows event tracing audit logs. The following Windows services are considered to be malicious:
- WCE SERVICE
- WCESERVICE
- DumpSvc
| Parameter | Type | Description |
|---|---|---|
| Service parameters | ||
| Service names | Advanced asset list | A list of keywords appearing in authorized or unauthorized services. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0006 (Credential Access) attack.mitre.org/tactics/TA0006/ | T1003 (OS Credential Dumping) attack.mitre.org/techniques/T1003/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by filename | Enabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot