Conditional Access Policies
Conditional Access Policies [T1556.009]
Information
Name: Conditional Access Policies
ID: T1556.009
Technique: T1556
Introduction
Conditional Access Policies (T1556.009) is a sub-technique within the MITRE ATT&CK framework categorized under Credential Access. It encompasses adversary actions aimed at modifying, disabling, or bypassing conditional access policies within cloud environments, particularly identity and access management (IAM) systems such as Microsoft Azure AD. Conditional access policies provide organizations with the ability to enforce granular access control based on specific conditions like device compliance, network location, user identity, or risk scores. Attackers targeting these policies aim to weaken or circumvent security controls, enabling unauthorized access to sensitive resources and data.
Deep Dive Into Technique
Conditional access policies are typically implemented to enforce security controls and limit access to cloud resources based on various conditions such as:
User identity or group membership
Device compliance status and management state
Geographical or network location (trusted IP ranges)
Application or cloud resource being accessed
User sign-in risk level or behavioral analytics
Attackers leveraging this technique may perform the following actions:
Modifying existing policies: Attackers with administrative or privileged access may change rules within conditional access policies, reducing security requirements or removing restrictions entirely.
Disabling policies: Adversaries may disable conditional access policies outright to eliminate barriers to unauthorized access.
Creating exceptions or bypasses: Attackers may insert exceptions into existing policies, allowing specific users, applications, or devices to bypass security checks.
Tampering with device compliance status: Attackers could manipulate device compliance information, making compromised devices appear compliant and trustworthy.
Altering trusted IP ranges: Attackers might add malicious IP addresses or remove trusted IP ranges from conditional access policies, enabling remote access from unauthorized locations.
Real-world procedures often involve attackers first gaining administrative privileges through phishing, credential theft, or privilege escalation. Once administrative access is acquired, they directly manipulate conditional access policies through management portals, APIs, or automated scripts.
When this Technique is Usually Used
Attackers commonly use Conditional Access Policies manipulation in various attack scenarios and stages, including:
Initial Access and Persistence: Attackers may alter policies early in an attack to ensure uninterrupted access to cloud resources, even after initial compromises are discovered.
Privilege Escalation and Lateral Movement: By weakening conditional access controls, adversaries can escalate privileges or move laterally across cloud resources without triggering alerts or access denials.
Data Exfiltration and Impact: Attackers can disable or weaken conditional access policies to facilitate data exfiltration without security controls intervening.
Evasion and Defense Bypass: Attackers frequently manipulate conditional access policies to bypass multi-factor authentication (MFA), device compliance checks, or location-based restrictions, allowing them to evade detection and maintain stealthy access.
Attackers targeting organizations heavily reliant on cloud infrastructure and identity management systems, such as Microsoft Azure AD environments, frequently leverage this sub-technique.
How this Technique is Usually Detected
Detection of Conditional Access Policies manipulation involves monitoring and analyzing various security and audit logs, events, and indicators. Common detection methods include:
Monitoring administrative audit logs: Regularly reviewing logs for suspicious or unauthorized modifications to conditional access policies, such as unexpected changes or deletions.
Analyzing Azure AD audit logs: Azure AD logs capture detailed information on policy changes, providing timestamps, user accounts, IP addresses, and specific actions taken.
Behavioral anomaly detection: Utilizing user and entity behavior analytics (UEBA) solutions to detect unusual administrative actions, such as sudden policy changes from unexpected locations or at unusual times.
Monitoring privileged account activity: Closely tracking privileged accounts for unexpected policy modifications, especially following suspicious login events.
Alerting on policy exceptions and bypasses: Implementing automated alerts or security orchestration and automation response (SOAR) platforms to notify security teams immediately upon the creation or modification of policy exceptions or bypass rules.
Specific Indicators of Compromise (IoCs) include:
Unrecognized or unauthorized IP addresses added to trusted IP ranges.
Sudden disabling or deletion of conditional access policies.
Creation of new policies or exceptions granting overly permissive access.
Policy changes occurring during off-hours or from unusual geographic locations.
Unexpected compliance status changes for previously non-compliant devices.
Why it is Important to Detect This Technique
Detecting Conditional Access Policies manipulation early is critical due to the potentially severe impacts on organizational security and operational stability, including:
Unauthorized access: Attackers can bypass critical security controls, gaining unrestricted access to sensitive cloud resources, applications, and data.
Data loss and exfiltration: Compromised conditional access policies can facilitate large-scale data theft, intellectual property loss, or exposure of sensitive customer information.
Privilege escalation and lateral movement: Weakening conditional access policies enables attackers to escalate privileges, move laterally across cloud environments, and compromise additional resources.
Regulatory and compliance violations: Organizations may face severe regulatory penalties or compliance failures due to compromised conditional access controls, especially in regulated industries.
Loss of trust and reputation damage: Successful exploitation can significantly harm an organization's reputation, customer trust, and business operations.
Early detection and response allow organizations to quickly remediate policy changes, mitigate risks, and prevent further exploitation or damage.
Examples
Real-world examples of Conditional Access Policies manipulation include:
SolarWinds Attack (2020):
Attackers compromised privileged Azure AD accounts, modifying conditional access policies to bypass multi-factor authentication (MFA) requirements.
This allowed persistent and stealthy access to sensitive cloud resources and email accounts, facilitating data exfiltration and lateral movement.
The attack led to widespread compromise of multiple government agencies and large corporations.
NOBELIUM Activities (2021):
NOBELIUM threat actors leveraged compromised Azure AD administrative credentials to modify conditional access policies, creating exceptions for attacker-controlled devices and IP addresses.
Attackers bypassed security controls, enabling persistent access and data exfiltration from targeted organizations.
Microsoft publicly documented these activities, highlighting the importance of securing conditional access policies.
Phishing Campaigns Targeting Azure AD Admins:
Attackers have repeatedly targeted Azure AD administrators through sophisticated phishing campaigns.
After credential theft, attackers immediately modified conditional access policies to disable MFA or create exceptions, ensuring continued access even if compromised credentials were later identified.
Impact included unauthorized access to sensitive organizational data, email accounts, and cloud infrastructure.
In each example, attackers leveraged compromised administrative credentials to manipulate conditional access policies, significantly weakening security controls and enabling persistent, undetected access.
Last updated
Was this helpful?