Attack Chain

1. Initial Access: The attacker gains initial access through compromised credentials or other means (not specified in source).
2. Privilege Escalation: The attacker leverages existing privileges or exploits vulnerabilities to gain sufficient permissions to modify Conditional Access policies (e.g., through a compromised Global Administrator account).
3. Policy Enumeration: The attacker enumerates existing Conditional Access policies to identify targets for modification using tools like Azure PowerShell or the Azure portal.
4. Policy Modification: The attacker modifies a Conditional Access policy, for example, by weakening MFA requirements, excluding specific users or groups from the policy, or disabling the policy altogether.
5. Persistence: By weakening or disabling Conditional Access policies, the attacker establishes a persistent foothold in the environment, allowing them to bypass security controls and maintain unauthorized access.
6. Credential Access: With weakened MFA or other access controls, the attacker gains easier access to sensitive credentials.
7. Defense Impairment: The modification of CA policies impairs the organization’s defense mechanisms, making it easier for the attacker to perform malicious activities undetected.

Impact

Successful modification of Conditional Access policies can lead to significant security breaches, including unauthorized access to sensitive data, privilege escalation, and persistent compromise of the Azure environment. The number of affected users and resources depends on the scope of the modified policies. Organizations may experience data loss, financial losses, and reputational damage.

Recommendation

• Deploy the “CA Policy Updated by Non Approved Actor” Sigma rule to your SIEM to detect unauthorized modifications to Conditional Access policies within your Azure environment.
• Review the properties.message field in the Azure Audit Logs for “Update conditional access policy” events and compare “old” vs “new” values to understand the nature of the changes.
• Implement strict role-based access control (RBAC) to limit the number of users who can modify Conditional Access policies.
• Investigate any alerts generated by the Sigma rule and verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
• Enable multi-factor authentication (MFA) for all users, especially those with administrative privileges, to reduce the risk of credential compromise (related to attack.credential-access tag).