Modify Authentication Process: Conditional Access Policies

Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional checks that identity providers and identity and access management (IAM) systems apply, beyond the credential itself, to determine whether a user should be granted access to a resource.

For example, in Azure AD, Okta, and JumpCloud, users can be denied access to applications based on attributes such as their source IP address, device enrollment or compliance status, and whether multi-factor authentication was completed.[1][2][3] Some identity providers also support risk-based sign-in evaluation that denies or steps up authentication based on a variety of indicators. In AWS and GCP, IAM policies can contain condition attributes that enforce constraints such as the source IP, the time of the request, and the resources or regions being requested.[4][5] These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, and limit user permissions to only those required.

By modifying conditional access policies, for example by adding attacker-controlled IP ranges to the trusted locations a policy excludes, removing multi-factor authentication requirements, disabling a policy or switching it to report-only mode, or permitting sign-ins from additional, otherwise unused cloud regions (see Unused/Unsupported Cloud Regions), adversaries may be able to ensure persistent access to compromised accounts and circumvent the defensive measures those policies enforce.
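The effect of each of those modifications on a stolen-password sign-in can be made concrete with a small model. The following is an added example, not code from the ATT&CK page or from any identity provider: the policy dictionary borrows the field names of the Microsoft Graph conditionalAccessPolicy object (conditions.locations, grantControls.builtInControls, state), but the named locations, IP ranges, sign-ins and the evaluation logic itself are constructed simplifications and are not how Azure AD or any other provider actually evaluates policies.

```python
"""Toy conditional access evaluator (added example, constructed data).
Field names follow the Microsoft Graph conditionalAccessPolicy object; the
evaluation logic is a simplification, not a vendor implementation."""
import copy
import ipaddress

# Constructed named locations: location id -> trusted CIDR ranges.
NAMED_LOCATIONS = {"loc-corp-hq": ["203.0.113.0/24"]}

# Constructed baseline policy: all users, all apps, MFA required for any
# sign-in that does not come from the excluded (trusted) corporate range.
BASELINE_POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-corp-hq"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed sign-ins: an attacker replaying stolen credentials from outside
# the corporate range, and a legitimate user on the corporate network.
ATTACKER_SIGNIN = {"ip": "198.51.100.7", "mfa_satisfied": False}
CORP_SIGNIN = {"ip": "203.0.113.20", "mfa_satisfied": False}


def in_named_location(ip, location_id, named_locations):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for cidr in named_locations.get(location_id, []))


def policy_in_scope(policy, named_locations, signin):
    """Location condition only: in scope when includeLocations is 'All' and the
    source IP is not inside any excluded named location."""
    if policy["state"] != "enabled":  # disabled or report-only: never enforced
        return False
    locs = policy["conditions"]["locations"]
    if "All" not in locs.get("includeLocations", []):
        return False
    return not any(in_named_location(signin["ip"], loc, named_locations)
                   for loc in locs.get("excludeLocations", []))


def evaluate(policy, named_locations, signin):
    """Return 'block', 'mfa_required' or 'allow' for one sign-in against one policy."""
    if not policy_in_scope(policy, named_locations, signin):
        return "allow"
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if "block" in controls:
        return "block"
    if "mfa" in controls and not signin["mfa_satisfied"]:
        return "mfa_required"
    return "allow"


def add_trusted_location(policy, named_locations, location_id, cidrs):
    """Modification 1: register an attacker-controlled range as a named
    location and exclude it from the policy. Returns new copies."""
    new_locations = dict(named_locations, **{location_id: cidrs})
    new_policy = copy.deepcopy(policy)
    new_policy["conditions"]["locations"]["excludeLocations"].append(location_id)
    return new_policy, new_locations


def remove_mfa_requirement(policy):
    """Modification 2: drop the MFA grant control."""
    new_policy = copy.deepcopy(policy)
    controls = new_policy["grantControls"]["builtInControls"]
    new_policy["grantControls"]["builtInControls"] = [c for c in controls if c != "mfa"]
    return new_policy


def set_report_only(policy):
    """Modification 3: keep the policy but stop enforcing it."""
    new_policy = copy.deepcopy(policy)
    new_policy["state"] = "enabledForReportingButNotEnforced"
    return new_policy


def compare_outcomes():
    """Outcome of the attacker's password-only sign-in before and after each change."""
    weakened, weakened_locs = add_trusted_location(
        BASELINE_POLICY, NAMED_LOCATIONS, "loc-attacker", ["198.51.100.0/24"])
    return {
        "baseline": evaluate(BASELINE_POLICY, NAMED_LOCATIONS, ATTACKER_SIGNIN),
        "trusted_location_added": evaluate(weakened, weakened_locs, ATTACKER_SIGNIN),
        "mfa_removed": evaluate(remove_mfa_requirement(BASELINE_POLICY),
                                NAMED_LOCATIONS, ATTACKER_SIGNIN),
        "report_only": evaluate(set_report_only(BASELINE_POLICY),
                                NAMED_LOCATIONS, ATTACKER_SIGNIN),
    }


if __name__ == "__main__":
    for change, outcome in compare_outcomes().items():
        print(f"{change:24} -> {outcome}")
```

Only the baseline case stops the password-only sign-in with an MFA challenge; each of the three modifications turns the same sign-in into a plain allow, and none of them requires touching the compromised account itself, which is what makes the change easy to miss in account-centric monitoring.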

ID: T1556.009
Sub-technique of:  T1556
Platforms: Azure AD, IaaS, SaaS
Contributors: Gavin Knapp; Joshua Penny
Version: 1.0
Created: 02 January 2024
Last Modified: 18 April 2024

Procedure Examples

ID / Name / Description
G1015 / Scattered Spider

Scattered Spider has added additional trusted locations to Azure AD conditional access policies. [6]

Mitigations

ID / Mitigation / Description
M1018 / User Account Management

Limit permissions to modify conditional access policies to only the accounts that require them. In Azure AD this means restricting the Global Administrator, Security Administrator and Conditional Access Administrator roles, and protecting the accounts that hold them with multi-factor authentication and privileged access controls, since a compromised policy administrator can undo every other control.

Detection

ID / Data Source / Data Component / Detects
DS0026 / Active Directory / Active Directory Object Modification

Monitor for changes made to security settings related to Azure AD Conditional Access Policies. In the Azure AD (now Microsoft Entra ID) audit log these appear under the Policy category with operation names such as Update conditional access policy, Add conditional access policy and Delete conditional access policy, whether the change was made in the portal, through Microsoft Graph, or with PowerShell.[7] Trusted IP ranges are stored as separate named location objects, so also watch Add named location and Update named location, which is where a change like the one in the Scattered Spider example would first appear. For policy updates the audit record's modified properties carry the old and new policy definitions, so a detection can diff them for added excluded locations, removed grant controls such as MFA, or a state change from enabled to disabled or report-only, rather than alerting on every edit.

DS0025 / Cloud Service / Cloud Service Modification

Monitor for changes made to conditional access policies used by SaaS identity providers and internal IaaS identity and access management systems. For example, Okta records policy and rule changes in its System Log, and AWS CloudTrail records IAM policy changes as management events such as CreatePolicyVersion, SetDefaultPolicyVersion, PutUserPolicy and PutRolePolicy, so a new policy version can be compared with the previous one for a loosened or removed Condition block (for example aws:SourceIp, aws:MultiFactorAuthPresent or aws:RequestedRegion).
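The diff-based approach described for both data sources above is shown below on constructed Azure AD audit records. This is an added example, not code from the ATT&CK page or from Microsoft: the record shape follows the Microsoft Graph directoryAudit object (activityDisplayName, initiatedBy, targetResources with modifiedProperties carrying oldValue and newValue as JSON strings), but the records, user names and location ids are made up (a real tenant uses GUIDs for named locations), and the list of watched operation names is an assumption to be checked against the tenant's own audit log.

```python
"""Triage of Azure AD / Entra ID audit records for conditional access changes
that weaken a policy (added example, constructed records)."""
import json

# Operation names to watch (assumed; confirm against the tenant's audit log).
WATCHED_OPERATIONS = {
    "Add conditional access policy", "Update conditional access policy",
    "Delete conditional access policy", "Add named location",
    "Update named location", "Delete named location",
}


def _policy_record(actor, target, old, new, operation="Update conditional access policy"):
    """Build one constructed audit record in the directoryAudit shape."""
    return {
        "activityDisplayName": operation,
        "category": "Policy",
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{
            "displayName": target,
            "modifiedProperties": [{
                "displayName": "ConditionalAccessPolicy",
                "oldValue": json.dumps(old) if old is not None else None,
                "newValue": json.dumps(new) if new is not None else None,
            }],
        }],
    }


# Constructed policy versions: baseline, a harmless rename, a weakened copy
# (new excluded location plus MFA dropped) and a switch to report-only.
BASE = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {"locations": {"includeLocations": ["All"],
                                 "excludeLocations": ["loc-corp-hq"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
RENAMED = dict(BASE, displayName="Require MFA for all users (v2)")
WEAKENED = json.loads(json.dumps(BASE))  # deep copy so BASE stays untouched
WEAKENED["conditions"]["locations"]["excludeLocations"].append("loc-new-vpn")
WEAKENED["grantControls"]["builtInControls"] = []
REPORT_ONLY = dict(BASE, state="enabledForReportingButNotEnforced")

SAMPLE_AUDIT_RECORDS = [
    _policy_record("admin@example.com", BASE["displayName"], BASE, RENAMED),
    _policy_record("admin@example.com", BASE["displayName"], BASE, WEAKENED),
    _policy_record("helpdesk@example.com", BASE["displayName"], BASE, REPORT_ONLY),
    {"activityDisplayName": "Update user", "category": "UserManagement",  # noise
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "someone@example.com", "modifiedProperties": []}]},
]


def _loads(value):
    return json.loads(value) if value else {}


def weakening_findings(old, new):
    """Compare old and new policy JSON and name each change that widens access."""
    findings = []
    o_loc = old.get("conditions", {}).get("locations", {})
    n_loc = new.get("conditions", {}).get("locations", {})
    added = set(n_loc.get("excludeLocations", [])) - set(o_loc.get("excludeLocations", []))
    if added:
        findings.append("excluded (trusted) locations added: " + ", ".join(sorted(added)))
    o_ctrl = set(old.get("grantControls", {}).get("builtInControls", []))
    n_ctrl = set(new.get("grantControls", {}).get("builtInControls", []))
    for dropped in sorted(o_ctrl - n_ctrl):
        findings.append(f"grant control removed: {dropped}")
    if old.get("state") == "enabled" and new.get("state") != "enabled":
        findings.append(f"enforcement turned off: state is now {new.get('state')}")
    return findings


def triage(records):
    """One alert per watched operation; 'high' when the old/new diff shows the
    policy was weakened, otherwise 'info' (still worth reviewing)."""
    alerts = []
    for rec in records:
        op = rec.get("activityDisplayName")
        if op not in WATCHED_OPERATIONS:
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        target, findings = "<unknown>", []
        for res in rec.get("targetResources", []):
            target = res.get("displayName", target)
            for prop in res.get("modifiedProperties", []):
                if prop.get("displayName") == "ConditionalAccessPolicy":
                    findings += weakening_findings(_loads(prop.get("oldValue")),
                                                   _loads(prop.get("newValue")))
        alerts.append({"operation": op, "actor": actor, "target": target,
                       "severity": "high" if findings else "info", "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_AUDIT_RECORDS):
        print(f"[{alert['severity']}] {alert['operation']} on '{alert['target']}' by {alert['actor']}")
        for finding in alert["findings"]:
            print("    -", finding)
```

The rename produces only an informational alert while the two weakening edits are raised as high, which is the point of diffing the stored policy rather than alerting on the operation name alone. The same shape of comparison applies to AWS CloudTrail IAM policy versions or Okta policy rule updates once their old and new definitions are extracted.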

References