PingID New MFA Method After Credential Reset

Status: production
Group by: action, object, src, user
Source: github.com/splunk/security_content

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1098.005` Account Manipulation: Device Registration, `T1556.006` Modify Authentication Process: Multi-Factor Authentication
Privilege Escalation	`T1098.005` Account Manipulation: Device Registration
Defense Impairment	`T1556.006` Modify Authentication Process: Multi-Factor Authentication
Credential Access	`T1556.006` Modify Authentication Process: Multi-Factor Authentication, `T1621` Multi-Factor Authentication Request Generation

Event coverage

Provider	Event	Title
Security-Auditing	Event ID 4723	An attempt was made to change an account's password.
Security-Auditing	Event ID 4724	An attempt was made to reset an account's password.

Rule body splunk

name: PingID New MFA Method After Credential Reset
id: 2fcbce12-cffa-4c84-b70c-192604d201d0
version: 9
creation_date: '2023-12-20'
modification_date: '2026-05-13'
author: Steven Dick
status: production
type: TTP
description: The following analytic identifies the provisioning of a new MFA device shortly after a password reset. It detects this activity by correlating Windows Event Log events for password changes (EventID 4723, 4724) with PingID logs indicating device pairing. This behavior is significant as it may indicate a social engineering attack where a threat actor impersonates a valid user to reset credentials and add a new MFA device. If confirmed malicious, this activity could allow an attacker to gain persistent access to the compromised account, bypassing traditional security measures.
data_source:
    - PingID
search: "`pingid` \"result.message\" = \"*Device Paired*\" | rex field=result.message \"Device (Unp)?(P)?aired (?<device_extract>.+)\" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) | eval action=CASE(match('result.message',\"Device Paired*\"),\"created\",match('result.message', \"Device Unpaired*\"),\"deleted\") | stats count min(_time) as firstTime, max(_time) as lastTime, values(reason) as reason by src,user,action,object | join type=outer user [| search `wineventlog_security` EventID IN(4723,4724) | eval PW_Change_Time = _time, user = upper(user) | fields user,src_user,EventID,PW_Change_Time] | eval timeDiffRaw = round(lastTime - PW_Change_Time) | eval timeDiff = replace(tostring(abs(timeDiffRaw) ,\"duration\"),\"(\\d*)\\+*(\\d+):(\\d+):(\\d+)\",\"\\2 hours \\3 minutes\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `security_content_ctime(PW_Change_Time)` | where timeDiffRaw > 0 AND timeDiffRaw < 3600 | `pingid_new_mfa_method_after_credential_reset_filter`"
how_to_implement: Target environment must ingest Windows Event Log and PingID(PingOne) data sources. Specifically from logs from Active Directory Domain Controllers and JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.
known_false_positives: False positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration.
references:
    - https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677
    - https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/
    - https://attack.mitre.org/techniques/T1098/005/
    - https://attack.mitre.org/techniques/T1556/006/
    - https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: An MFA configuration change was detected for [$user$] within [$timeDiff$] of a password reset. The device [$object$] was $action$.
    entity:
        field: user
        type: user
        score: 50
analytic_story:
    - Compromised User Account
    - Scattered Lapsus$ Hunters
asset_type: Identity
mitre_attack_id:
    - T1621
    - T1556.006
    - T1098.005
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: application
security_domain: access
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/windows_pw_reset.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log
          source: PINGID
          sourcetype: _json
      test_type: unit

Stages and Predicates

Stage 1: `search`

`pingid` "result.message" = "*Device Paired*"

Stage 2: `rex`

| rex field=result.message "Device (Unp)?(P)?aired (?<device_extract>.+)"

Stage 3: `eval`

| eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message'

Stage 4: `eval`

| eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract)

object =

ifisnotnull('resources{}.devicemodel')'resources{}.devicemodel'

elsedevice_extract

Stage 5: `eval`

| eval action=CASE(match('result.message',"Device Paired*"),"created",match('result.message', "Device Unpaired*"),"deleted")

action =

ifmatch('result.message', "Device Paired*")"created"

else"deleted"

Stage 6: `stats`

| stats count min(_time) as firstTime, max(_time) as lastTime, values(reason) as reason by src,user,action,object

Stage 7: `join`

| join type=outer user [| search `wineventlog_security` EventID IN(4723,4724) | eval PW_Change_Time = _time, user = upper(user) | fields user,src_user,EventID,PW_Change_Time]

Stage 8: `eval`

| eval timeDiffRaw = round(lastTime - PW_Change_Time)

Stage 9: `eval`

| eval timeDiff = replace(tostring(abs(timeDiffRaw) ,"duration"),"(\d*)\+*(\d+):(\d+):(\d+)","\2 hours \3 minutes")

Stage 10: `search`

| `security_content_ctime(firstTime)`

Stage 11: `search`

| `security_content_ctime(lastTime)`

Stage 12: `search`

| `security_content_ctime(PW_Change_Time)`

Stage 13: `where`

| where timeDiffRaw > 0 AND timeDiffRaw < 3600

Stage 14: `search`

| `pingid_new_mfa_method_after_credential_reset_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`"result.message"`	eq	`"Device Paired"`
`EventID`	in	`4723` corpus 2 (splunk 1, kusto 1) `4724`
`timeDiffRaw`	gt	`0`
`timeDiffRaw`	lt	`3600`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

PingID New MFA Method After Credential Reset

MITRE ATT&CK coverage

Event coverage

Rule body splunk

Stages and Predicates

Stage 1: `search`

Stage 2: `rex`

Stage 3: `eval`

Stage 4: `eval`

Stage 5: `eval`

Stage 6: `stats`

Stage 7: `join`

Stage 8: `eval`

Stage 9: `eval`

Stage 10: `search`

Stage 11: `search`

Stage 12: `search`

Stage 13: `where`

Stage 14: `search`

Indicators

Keyboard shortcuts

Search operators

PingID New MFA Method After Credential Reset

MITRE ATT&CK coverage

Event coverage

Rule body splunk

Stages and Predicates

Stage 1: search

Stage 2: rex

Stage 3: eval

Stage 4: eval

Stage 5: eval

Stage 6: stats

Stage 7: join

Stage 8: eval

Stage 9: eval

Stage 10: search

Stage 11: search

Stage 12: search

Stage 13: where

Stage 14: search

Indicators

Stage 1: `search`

Stage 2: `rex`

Stage 3: `eval`

Stage 4: `eval`

Stage 5: `eval`

Stage 6: `stats`

Stage 7: `join`

Stage 8: `eval`

Stage 9: `eval`

Stage 10: `search`

Stage 11: `search`

Stage 12: `search`

Stage 13: `where`

Stage 14: `search`