Okta OPA server account password changed out of band


Goal

Detects when a server account password is altered by a method other than Okta Privileged Access (OPA) scheduled rotation.

Okta Privileged Access allows Okta users to access servers through a local server account. These individual user accounts are managed and created by Okta on each server.

Strategy

This rule monitors Okta for successful pam.server_account.password_change.out_of_band events. It focuses on password changes performed outside the standard rotation workflows or approved change processes for server accounts managed by OPA. Adversaries may attempt to bypass OPA-based server access controls.

This detection has been adopted from rules published by the Okta team.

Triage & Response

  1. Identify the target server account, resource, and actor who initiated the request.
  2. Verify if a legitimate change request or ticket exists.
  3. Review the source IP {{@network.client.ip}} and geolocation for the actor and determine whether they align with normal administrative patterns.
  4. Check OPA policy configuration to confirm the account’s rotation schedule and whether this change bypassed documented rotation workflows.
  5. Analyze subsequent authentications using the server account after the change to detect abnormal access or lateral movement.
  6. If user activity is suspicious, begin your organization’s incident response process and investigate for any account takeovers.
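The event filter described under Strategy, as an added example that is not part of this rule page or of Okta's own code: it reads constructed Okta System Log records in the documented schema (eventType, outcome.result, actor, client.ipAddress, target), keeps only successful out-of-band server account password changes, and surfaces the actor, source IP and target fields that triage steps 1 and 3 ask for. The account and server names and IP addresses in the sample records are constructed.

```python
import json

# Okta System Log event type this rule keys on (from the rule text).
OUT_OF_BAND_EVENT = "pam.server_account.password_change.out_of_band"

# Constructed sample Okta System Log records, not real events; only the
# fields the check reads are populated.
SAMPLE_EVENTS = [
    json.dumps({  # successful out-of-band change: should be flagged
        "eventType": OUT_OF_BAND_EVENT,
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "admin@example.com", "type": "User"},
        "client": {"ipAddress": "203.0.113.10"},
        "target": [{"type": "ServerAccount", "displayName": "svc-backup"},
                   {"type": "Server", "displayName": "db-01"}],
    }),
    json.dumps({  # same event type but the change failed: not flagged
        "eventType": OUT_OF_BAND_EVENT,
        "outcome": {"result": "FAILURE"},
        "actor": {"alternateId": "admin@example.com", "type": "User"},
        "client": {"ipAddress": "203.0.113.10"},
        "target": [{"type": "ServerAccount", "displayName": "svc-backup"}],
    }),
    json.dumps({  # unrelated event type: not flagged
        "eventType": "user.session.start",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "jdoe@example.com", "type": "User"},
        "client": {"ipAddress": "198.51.100.7"},
        "target": [],
    }),
]


def find_out_of_band_password_changes(raw_events):
    """Return one triage record per successful out-of-band server account
    password change: actor, source IP and targets (triage steps 1 and 3)."""
    hits = []
    for raw in raw_events:
        ev = json.loads(raw)
        if ev.get("eventType") != OUT_OF_BAND_EVENT:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        hits.append({
            "actor": ev.get("actor", {}).get("alternateId"),
            "client_ip": ev.get("client", {}).get("ipAddress"),
            "targets": {t.get("type"): t.get("displayName")
                        for t in ev.get("target", [])},
        })
    return hits
```

Each returned record is the starting point for step 2 (matching the actor and target account against a change ticket) and step 4 (comparing against the account's OPA rotation schedule).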