| ID | Technique | Tactic |
|---|---|---|
| T1098.005 | Device Registration | Persistence |
| T1556.006 | Multi-Factor Authentication | Privilege Escalation |
| T1621 | Multi-Factor Authentication Request Generation | Credential Access |
Detection: PingID New MFA Method Registered For User
Description
The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a PingID (PingOne) account. It leverages JSON logs from PingID, specifically looking for successful device pairing events. This activity is significant as adversaries who gain unauthorized access to a user account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security measures, maintain long-term access, and potentially escalate their privileges within the compromised environment.
Search
1`pingid` "result.message"="Device Paired*" result.status="SUCCESS"
2| rex field=result.message "Device (Unp)?(P)?aired (?<device_extract>.+)"
3| eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message'
4| eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract)
5| eval action=CASE(match('result.message',"Device Paired*"),"created",match('result.message', "Device Unpaired*"),"deleted")
6| stats count min(_time) as firstTime, max(_time) as lastTime by src,user,object,action,reason
7| `security_content_ctime(firstTime)`
8| `security_content_ctime(lastTime)`
9| `pingid_new_mfa_method_registered_for_user_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| PingID | Other | 'XmlWinEventLog' |
'XmlWinEventLog:Security' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| pingid_new_mfa_method_registered_for_user_filter | search * |
pingid_new_mfa_method_registered_for_user_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
Installation
DE.CM
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Intermediate Finding (Risk Event) | Yes |
TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.
Implementation
Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.
Known False Positives
False positives may be generated by normal provisioning workflows for user device registration.
Associated Analytic Story
Finding
| Title | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| An MFA configuration change was detected for [$user$], the device [$object$] was $action$. | user | user | 50 |
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| An MFA configuration change was detected for [$user$], the device [$object$] was $action$. | src | system | 50 |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | PINGID |
_json |
| Integration | ✅ Passing | Dataset | PINGID |
_json |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 8