T1556.009
Conditional Access Policies
Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource. For example, in Entra ID, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.(Citati...
IaaS, Identity Provider
4 Detections
1 Source
2 Threat Actors
BY SOURCE
elastic: 4
PROCEDURES (4)
General Monitoring: 1 detection
Auto-extracted: 1 detection for general monitoring
Bypass: 1 detection
Auto-extracted: 1 detection for bypass
Persist: 1 detection
Auto-extracted: 1 detection for persist
Bypass: 1 detection
Auto-extracted: 1 detection for bypass