Scattered Spider Defense Evasion via Conditional Access Policies Detection
Nf Ttp T1562001 Scattered Spider Abuse Conditional Access Trusted Locations
Query
AuditLogs
| where OperationName =~ "Update conditional access policy" and TargetResources has_all ('locations','excludeLocations')About this query
Explanation
This query is designed to detect suspicious changes to Conditional Access Policies within an organization's network. Specifically, it looks for updates to these policies that involve modifications to 'locations' and 'excludeLocations'. Such changes can be a tactic used by attackers, like those from the group Scattered Spider, to evade security measures and maintain access without being detected. By identifying these modifications, the query helps in mitigating the risk of attackers weakening the security posture or creating blind spots in the network's defenses.
