Stolen Credentials Used to Login to Okta Account After MFA Reset

  1[metadata]
  2creation_date = "2023/11/09"
  3integration = ["endpoint", "okta"]
  4maturity = "production"
  5min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
  6min_stack_version = "8.10.0"
  7updated_date = "2023/11/10"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to
 13undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.
 14"""
 15false_positives = [
 16    """
 17    A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative
 18    action. Following this, the administrator may have reset the MFA credentials for themselves and then logged into the
 19    Okta console for AD directory services integration management.
 20    """,
 21]
 22from = "now-12h"
 23index = ["filebeat-*", "logs-okta*", ".alerts-security.*", "logs-endpoint.events.*"]
 24interval = "6h"
 25language = "eql"
 26license = "Elastic License v2"
 27name = "Stolen Credentials Used to Login to Okta Account After MFA Reset"
 28note = """## Triage and analysis
 29
 30### Investigating Stolen Credentials Used to Login to Okta Account After MFA Reset
 31
 32This rule detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.
 33
 34Typically, adversaries initially extract credentials from targeted endpoints through various means. Subsequently, leveraging social engineering, they may seek to reset the MFA credentials associated with an Okta account, especially in scenarios where Active Directory (AD) services are integrated with Okta. Successfully resetting MFA allows the unauthorized use of stolen credentials to gain access to the compromised Okta account. The attacker can then register their own device for MFA, paving the way for unfettered access to the user's Okta account and any associated SaaS applications. This is particularly alarming if the compromised account has administrative rights, as it could lead to widespread access to organizational resources and configurations.
 35
 36#### Possible investigation steps:
 37- Identify the user account associated with the Okta login attempt by examining the `user.name` field.
 38- Identify the endpoint for the Credential Access alert for this user by examining the `host.name` and `host.id` fields from the alert document.
 39- Cross-examine the Okta user and endpoint user to confirm that they are the same person.
 40- Reach out to the user to confirm if they have intentionally reset their MFA credentials recently or asked for help in doing so.
 41- If the user is unaware of the MFA reset, incident response may be required immediately to prevent further compromise.
 42
 43### False positive analysis:
 44- A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management.
 45
 46### Response and remediation:
 47- If confirmed that the user did not intentionally have their MFA factor reset, deactivate the user account.
 48- After deactivation, reset the user's password and MFA factor to regain control of the account.
 49    - Ensure that all user sessions are stopped during this process.
 50- Immediately reset the user's AD password as well if Okta does not sync back to AD.
 51- Forensic analysis on the user's endpoint may be required to determine the root cause of the compromise and identify the scope of the compromise.
 52- Review Okta system logs to identify any other suspicious activity associated with the user account, such as creation of a backup account.
 53- With the device ID captured from the MFA factor reset, search across all Okta logs for any other activity associated with the device ID.
 54
 55## Setup
 56The Okta and Elastic Defend fleet integration structured data is required to be compatible with this rule. Directory services integration in Okta with AD synced is also required for this rule to be effective as it relies on triaging `user.name` from Okta and Elastic Defend events.
 57"""
 58references = [
 59    "https://developer.okta.com/docs/reference/api/system-log/",
 60    "https://developer.okta.com/docs/reference/api/event-types/",
 61    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 62    "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 63]
 64risk_score = 73
 65rule_id = "5610b192-7f18-11ee-825b-f661ea17fbcd"
 66severity = "high"
 67tags = [
 68    "Tactic: Persistence",
 69    "Use Case: Identity and Access Audit",
 70    "Data Source: Okta",
 71    "Data Source: Elastic Defend",
 72    "Rule Type: Higher-Order Rule",
 73    "Domain: Endpoint",
 74    "Domain: Cloud",
 75]
 76type = "eql"
 77
 78query = '''
 79sequence by user.name with maxspan=12h
 80    [any where host.os.type == "windows" and signal.rule.threat.tactic.name == "Credential Access"]
 81    [any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.update"]
 82    [any where event.dataset == "okta.system" and okta.event_type: ("user.session.start", "user.authentication*")]
 83'''
 84
 85
 86[[rule.threat]]
 87framework = "MITRE ATT&CK"
 88[[rule.threat.technique]]
 89id = "T1556"
 90name = "Modify Authentication Process"
 91reference = "https://attack.mitre.org/techniques/T1556/"
 92[[rule.threat.technique.subtechnique]]
 93id = "T1556.006"
 94name = "Multi-Factor Authentication"
 95reference = "https://attack.mitre.org/techniques/T1556/006/"
 96
 97
 98
 99[rule.threat.tactic]
100id = "TA0003"
101name = "Persistence"
102reference = "https://attack.mitre.org/tactics/TA0003/"