Defense Impairment · Persistence · Credential Access

T1556.009: Conditional Access Policies

T1556.009 · Sub-technique · 2 platforms · 2 groups

Description

Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.

For example, in Entra ID, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.(Citation: Microsoft Conditional Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional Access Policies) In some cases, identity providers may also support the use of risk-based metrics to deny sign-ins based on a variety of indicators. In AWS and GCP, IAM policies can contain condition attributes that verify arbitrary constraints such as the source IP, the date the request was made, and the nature of the resources or regions being requested.(Citation: AWS IAM Conditions)(Citation: GCP IAM Conditions) These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, as well as limit user permissions to only those required.

By modifying conditional access policies, such as adding additional trusted IP ranges, removing Multi-Factor Authentication requirements, or allowing additional Unused/Unsupported Cloud Regions, adversaries may be able to ensure persistent access to accounts and circumvent defensive measures.
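As an added example (not part of the ATT&CK entry), a detection check for the kinds of edits described above: it diffs the old and new policy carried in a policy-update audit record and flags newly excluded (trusted) locations, a removed MFA grant control or a disabled policy. The record is constructed inline; its shape and field names are modelled on an Entra ID audit event and are assumptions, as is the `_get` helper.

```python
"""Flag edits that weaken a conditional access policy (added example)."""
import json
# Constructed sample audit record. Its shape is modelled on an Entra ID
# "Update conditional access policy" event; the field names are assumptions.
SAMPLE_EVENT = json.dumps({
    "activityDisplayName": "Update conditional access policy",
    "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
    "targetResources": [{"modifiedProperties": [{
        "displayName": "ConditionalAccessPolicy",
        "oldValue": json.dumps({"state": "enabled",
            "conditions": {"locations": {"excludeLocations": ["loc-hq"]}},
            "grantControls": {"builtInControls": ["mfa"]}}),
        "newValue": json.dumps({"state": "enabled",
            "conditions": {"locations": {"excludeLocations": ["loc-hq", "loc-new"]}},
            "grantControls": {"builtInControls": []}}),
    }]}],
})

def _get(d, *keys, default=()):
    """Walk nested dicts; return default when any key is missing."""
    for k in keys:
        d = d.get(k) if isinstance(d, dict) else None
    return d if d is not None else default

def risky_policy_changes(old, new):
    """Compare old/new policy JSON; return findings that match T1556.009."""
    findings = []
    added = set(_get(new, "conditions", "locations", "excludeLocations")) - \
            set(_get(old, "conditions", "locations", "excludeLocations"))
    findings += [f"excluded (trusted) location added: {loc}" for loc in sorted(added)]
    old_ctl = set(_get(old, "grantControls", "builtInControls"))
    new_ctl = set(_get(new, "grantControls", "builtInControls"))
    if "mfa" in old_ctl and "mfa" not in new_ctl:
        findings.append("MFA grant control removed")
    if old.get("state") == "enabled" and new.get("state") != "enabled":
        findings.append(f"policy state changed to {new.get('state')!r}")
    return findings

def analyze_event(raw):
    """Parse one audit record; return (actor, findings) or None if unrelated."""
    ev = json.loads(raw)
    if ev.get("activityDisplayName") != "Update conditional access policy":
        return None
    actor = _get(ev, "initiatedBy", "user", "userPrincipalName", default="?")
    findings = []
    for prop in (p for r in ev.get("targetResources", []) for p in r.get("modifiedProperties", [])):
        if prop.get("displayName") == "ConditionalAccessPolicy":
            findings += risky_policy_changes(json.loads(prop["oldValue"]), json.loads(prop["newValue"]))
    return actor, findings
```

Run over the sample record, `analyze_event` reports the actor together with the added excluded location and the removed MFA control; an unrelated activity returns `None`.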

Platforms

IaaS, Identity Provider

Mitigations (1)

M1018: User Account Management

Limit permissions to modify conditional access policies to only those required.

Threat Groups (2)

| ID | Group | Context |
| --- | --- | --- |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has added additional trusted locations to Azure AD conditional access policies. (Citation: M... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has registered their own MFA method, and leveraged a victim hybrid joined server to circumvent Con... |

Frequently Asked Questions

What is T1556.009 (Conditional Access Policies)?

T1556.009 is a MITRE ATT&CK sub-technique named 'Conditional Access Policies'. It belongs to the Defense Impairment, Persistence and Credential Access tactics. Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers a...

How can T1556.009 be detected?

Detection of T1556.009 (Conditional Access Policies) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1556.009?

There is 1 documented mitigation for T1556.009: User Account Management (M1018).

Which threat groups use T1556.009?

Known threat groups using T1556.009 include: Scattered Spider, Storm-0501.