nf_ttp_t1562.001_scattered-spider_abuse conditional_access_trusted_locations.md

# Scattered Spider Defense Evasion via Conditional Access Policies Detection

## Query Information

## MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
|---|---|---|
| T1562.001 | Impair Defenses: Disable or Modify Tools | Impair Defenses: Disable or Modify Tools |

## Description

This detection rule focuses on identifying modifications to Conditional Access Policies, a tactic employed by threat actors like Scattered Spider for defense evasion. The rule includes two queries: one for detecting updates to conditional access policies, specifically changes in 'locations' and 'excludeLocations', and another for identifying the addition of trusted locations, which can be indicative of an attacker trying to bypass security measures.

## Risk

The risk addressed here is the manipulation of access controls to evade detection and maintain persistent access. Modifying conditional access policies can allow attackers to operate undetected within a network, as these changes might weaken the security posture or create blind spots.

## Author

## References

## Defender For Endpoint

```kql
// Conditional access policy updates whose target resource mentions both
// 'locations' and 'excludeLocations', i.e. the location condition was touched.
AuditLogs
| where OperationName =~ "Update conditional access policy" and TargetResources has_all ('locations','excludeLocations')
```
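As an added example (not code from this rule or its repository), the same condition implemented as a parser over a constructed audit record: it diffs the old and new policy JSON and returns only the named locations newly added to excludeLocations, which is the "trusted location added" case the description refers to. The modifiedProperties layout (a "ConditionalAccessPolicy" entry with JSON oldValue/newValue), the policy name, the actor and the location IDs are all assumptions.

```python
import json
from typing import Any, Optional

# Constructed sample records in the shape of an Entra ID AuditLogs row for
# "Update conditional access policy". The assumption here is that
# TargetResources[].modifiedProperties carries a "ConditionalAccessPolicy"
# entry whose oldValue/newValue are JSON strings of the whole policy.
def _policy_json(excluded: list) -> str:
    return json.dumps({"conditions": {"locations": {
        "includeLocations": ["All"], "excludeLocations": excluded}}})

def make_event(policy_name: str, old_excluded: list, new_excluded: list,
               actor: str = "admin@example.test") -> dict:
    return {
        "OperationName": "Update conditional access policy",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": actor}},
        "TargetResources": [{
            "displayName": policy_name,
            "modifiedProperties": [{
                "displayName": "ConditionalAccessPolicy",
                "oldValue": _policy_json(old_excluded),
                "newValue": _policy_json(new_excluded),
            }],
        }],
    }

def _excluded_locations(policy_json: Optional[str]) -> set:
    """Pull conditions.locations.excludeLocations out of a policy JSON string."""
    if not policy_json:
        return set()
    locations = json.loads(policy_json).get("conditions", {}).get("locations") or {}
    return set(locations.get("excludeLocations") or [])

def added_location_exclusions(event: dict) -> list:
    """Named-location IDs newly added to excludeLocations by this update.

    Only additions fire: removing an exclusion tightens the policy, while the
    has_all string match above would flag both directions of change.
    """
    if (event.get("OperationName") or "").lower() != "update conditional access policy":
        return []
    added: set = set()
    for target in event.get("TargetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "ConditionalAccessPolicy":
                continue
            added |= _excluded_locations(prop.get("newValue")) - _excluded_locations(prop.get("oldValue"))
    return sorted(added)

# Constructed events: one widens the exclusion list, one narrows it.
WIDENED = make_event("Require MFA for all users", ["loc-hq"], ["loc-hq", "loc-new-vpn"])
NARROWED = make_event("Require MFA for all users", ["loc-hq", "loc-branch"], ["loc-hq"])
```

Feeding WIDENED through returns the newly excluded location, while NARROWED returns nothing, which is the distinction the string-match query cannot make on its own.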