attack.t1556

Github High Risk Configuration Disabled

Nov 3, 2025 · attack.credential-access attack.defense-evasion attack.persistence attack.t1556 ·

Detects when a user disables a critical security feature for an organization.

AWS Identity Center Identity Provider Change

Oct 23, 2025 · attack.persistence attack.credential-access attack.defense-evasion attack.t1556 ·

Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.

CA Policy Removed by Non Approved Actor

Oct 23, 2025 · attack.privilege-escalation attack.credential-access attack.defense-evasion attack.persistence attack.t1548 attack.t1556 ·

Share on:

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

CA Policy Updated by Non Approved Actor

Oct 23, 2025 · attack.privilege-escalation attack.credential-access attack.defense-evasion attack.persistence attack.t1548 attack.t1556 ·

Share on:

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.

Certificate-Based Authentication Enabled

Oct 23, 2025 · attack.defense-evasion attack.credential-access attack.persistence attack.privilege-escalation attack.t1556 ·

Share on:

Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.

Change to Authentication Method

Oct 23, 2025 · attack.privilege-escalation attack.credential-access attack.t1556 attack.persistence attack.defense-evasion attack.t1098 ·

Share on:

Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Directory Service Restore Mode(DSRM) Registry Value Tampering

Oct 23, 2025 · attack.defense-evasion attack.credential-access attack.persistence attack.t1556 ·

Share on:

Detects changes to "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.