Query Details

Scattered Spider Defense Evasion via Conditional Access Policies Detection

Nf Ttp T1562001 Scattered Spider Abuse Conditional Access Trusted Locations

Query

AuditLogs
| where OperationName =~ "Update conditional access policy" and TargetResources has_all ('locations','excludeLocations')

About this query

Explanation

This query is designed to detect suspicious changes to Conditional Access Policies within an organization's network. Specifically, it looks for updates to these policies that involve modifications to 'locations' and 'excludeLocations'. Such changes can be a tactic used by attackers, like those from the group Scattered Spider, to evade security measures and maintain access without being detected. By identifying these modifications, the query helps in mitigating the risk of attackers weakening the security posture or creating blind spots in the network's defenses.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

AuditLogs

Keywords

AuditLogsOperationNameTargetResourcesLocationsExcludeLocations

Operators

=~andhas_all

MITRE Techniques

Actions

GitHub