PingID New MFA Method Registered For User

Try in Splunk Security Cloud

Description

The following analytic identifies the registration of a new Multi Factor authentication method for a PingID (PingOne) account. Adversaries who have obtained unauthorized access to a user account may register a new MFA method to maintain persistence.

• Type: TTP

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2023-09-26
• Author: Steven Dick
• ID: 892dfeaf-461d-4a78-aac8-b07e185c9bce

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1621	Multi-Factor Authentication Request Generation	Credential Access

T1556.006

Multi-Factor Authentication

Credential Access, Defense Evasion, Persistence

T1098.005

Device Registration

Persistence, Privilege Escalation

Kill Chain Phase

• Exploitation
• Installation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

`pingid` "result.message"="Device Paired*" result.status="SUCCESS"   
| rex field=result.message "Device (Unp)?(P)?aired (?<device_extract>.+)" 
| eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' 
| eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) 
| eval action=CASE(match('result.message',"Device Paired*"),"created",match('result.message', "Device Unpaired*"),"deleted") 
| stats count min(_time) as firstTime, max(_time) as lastTime by src,user,object,action,reason 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `pingid_new_mfa_method_registered_for_user_filter`

Macros

The SPL above uses the following Macros:

• pingid
• security_content_ctime

pingid_new_mfa_method_registered_for_user_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• resources{}.ipaddress
• actors{}.name
• result.message
• resources{}.devicemodel
• result.status

How To Implement

Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.

Known False Positives

False positives may be generated by normal provisioning workflows for user device registration.

Associated Analytic Story

• Compromised User Account

RBA

Risk Score	Impact	Confidence	Message
10.0	20	50	An MFA configuration change was detected for [$user$], the device [$object$] was $action$.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://twitter.com/jhencinski/status/1618660062352007174
• https://attack.mitre.org/techniques/T1098/005/
• https://attack.mitre.org/techniques/T1556/006/
• https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1