LoFP

False positives may be generated by normal provisioning workflows that produce a password reset followed by a device registration.

Techniques

Sample rules

PingID New MFA Method After Credential Reset

Description

The following analytic identifies the provisioning of a new MFA device shortly after a password reset. It detects this activity by correlating Windows Event Log events for password changes (EventID 4723, 4724) with PingID logs indicating device pairing. This behavior is significant as it may indicate a social engineering attack where a threat actor impersonates a valid user to reset credentials and add a new MFA device. If confirmed malicious, this activity could allow an attacker to gain persistent access to the compromised account, bypassing traditional security measures.

Detection logic

`pingid` "result.message" = "*Device Paired*" 
| rex field=result.message "Device (Unp)?(P)?aired (?<device_extract>.+)" 
| eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' 
| eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) 
| eval action=CASE(match('result.message',"Device Paired*"),"created",match('result.message', "Device Unpaired*"),"deleted") 
| stats count min(_time) as firstTime, max(_time) as lastTime, values(reason) as reason by src,user,action,object 
| join type=outer user [
| search `wineventlog_security` EventID IN(4723,4724) 
| eval PW_Change_Time = _time, user = upper(user) 
| fields user,src_user,EventID,PW_Change_Time] 
| eval timeDiffRaw = round(lastTime - PW_Change_Time) 
| eval timeDiff = replace(tostring(abs(timeDiffRaw) ,"duration"),"(\d*)\+*(\d+):(\d+):(\d+)","\2 hours \3 minutes") 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(PW_Change_Time)` 
| where timeDiffRaw > 0 AND timeDiffRaw < 3600 
| `pingid_new_mfa_method_after_credential_reset_filter`
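The correlation the search above performs (PingID pairing events joined to Windows 4723/4724 password events for the same user, keeping only pairings that land within the hour after the reset), as an added Python example that is not part of the original content and not Splunk's or PingID's own code. The PingID and Windows events are constructed sample records, and every reset for a user is compared rather than only the first join match.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs); _time is epoch seconds.
PINGID_EVENTS = [
    {"_time": 1700003000, "result.message": "Device Paired Pixel 7", "actors{}.name": "jdoe",
     "resources{}.ipaddress": "10.0.0.5", "resources{}.devicemodel": "Pixel 7"},
    {"_time": 1700090000, "result.message": "Device Paired iPhone 14", "actors{}.name": "asmith",
     "resources{}.ipaddress": "10.0.0.9"},                       # a day after the reset: too late
    {"_time": 1700000500, "result.message": "Device Paired Galaxy S23", "actors{}.name": "bwong",
     "resources{}.ipaddress": "10.0.0.7"},                       # paired BEFORE the reset
]
WINEVENTLOG_SECURITY = [
    {"_time": 1700000000, "EventID": 4724, "user": "jdoe", "src_user": "helpdesk01"},
    {"_time": 1700000000, "EventID": 4724, "user": "asmith", "src_user": "helpdesk01"},
    {"_time": 1700001000, "EventID": 4723, "user": "bwong", "src_user": "bwong"},
    {"_time": 1700002000, "EventID": 4625, "user": "jdoe", "src_user": "-"},  # not a password event
]
DEVICE_RE = re.compile(r"Device (Unp)?(P)?aired (?P<device_extract>.+)")  # same rex as the search

def parse_pairing(ev):
    """The rex/eval stage: derive src, user, action and object for one PingID event."""
    msg = ev["result.message"]
    m = DEVICE_RE.search(msg)
    if msg.startswith("Device Paired"):
        action = "created"
    elif msg.startswith("Device Unpaired"):
        action = "deleted"
    else:
        action = None
    obj = ev.get("resources{}.devicemodel") or (m.group("device_extract") if m else None)
    src = ev.get("resources{}.ipaddress") or ev.get("resources{}.devicemodel")
    return {"src": src, "user": ev["actors{}.name"].upper(), "action": action,
            "object": obj, "_time": ev["_time"]}

def correlate(pingid_events, winevents, window=3600):
    """Pairings whose lastTime falls 0 < diff < window seconds after a 4723/4724 for that user."""
    last = defaultdict(int)  # stats max(_time) as lastTime by src,user,action,object
    for p in map(parse_pairing, pingid_events):
        key = (p["src"], p["user"], p["action"], p["object"])
        last[key] = max(last[key], p["_time"])
    resets = [(w["user"].upper(), w["_time"]) for w in winevents if w["EventID"] in (4723, 4724)]
    hits = []
    for (src, user, action, obj), last_time in last.items():
        for reset_user, pw_time in resets:          # join on user, then the where clause
            diff = round(last_time - pw_time)        # timeDiffRaw
            if reset_user == user and 0 < diff < window:
                hits.append({"user": user, "object": obj, "action": action, "src": src,
                             "timeDiffRaw": diff,
                             "timeDiff": f"{diff // 3600} hours {diff % 3600 // 60} minutes"})
    return hits
```

Only the jdoe pairing survives: the asmith pairing is outside the window and the bwong pairing precedes the reset, which the `timeDiffRaw > 0` condition drops.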