AN0268: Analytic 0268
Modifications to SSO/SAML user attributes (e.g., `isAdmin`, `role`, MFA bypass, App assignments) often through CLI, API, or rogue IdP apps.
Analyst context for executives and security teams
This analytic concerns changes to SSO/SAML user attributes in an identity provider, such as admin flags, roles, MFA bypass settings, or application assignments. For leaders, the practical risk is that identity configuration changes can alter who has access to business-critical applications and whether normal authentication safeguards still apply. Even without a supplied ATT&CK detection rule, this is a high-value behavior area because identity provider changes often determine whether cloud and SaaS access controls are trustworthy.
Executive priority
Prioritize this as an identity governance and audit-readiness issue. Security leaders should ask whether changes to privileged SSO/SAML attributes are logged, reviewed, tied to approved change records, and rapidly investigated when made through CLI, API, or unfamiliar identity-provider applications. The business decision value is confirming that administrative access, MFA enforcement, and application entitlement changes cannot occur silently or outside accountable processes.
Technical view
SOC, IAM, and IR teams should validate monitoring around the Identity Provider platform for modifications to SSO/SAML user attributes, especially fields related to administrative status, role, MFA bypass, and app assignments. Because ATT&CK provides no official detection logic for AN0268 and no relationship context, teams should build local detections from identity-provider audit logs and compare attribute changes against expected administrators, approved automation, and change-management records.
Likely telemetry
- Identity provider audit logs for user attribute changes
- SSO/SAML configuration and entitlement change events
- Administrative CLI activity against the identity provider
- Identity provider API activity
- Creation or use of identity-provider applications that can modify users or assignments
Detection direction
- Alert or review changes to high-risk SSO/SAML attributes such as admin indicators, roles, MFA bypass flags, and application assignments.
- Differentiate expected IAM administration and automation from unusual CLI, API, or application-driven changes.
- Correlate identity-provider changes with approved change records and known administrator accounts.
- Tune for false positives from legitimate provisioning workflows, HR-driven lifecycle processes, and sanctioned identity automation.
- Pay special attention to changes made by newly created, rarely used, or unfamiliar identity-provider applications where logs support that context.
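The review logic above, carried out over constructed identity-provider audit events as an added example (not code from ATT&CK, Glexia, or any IdP vendor). The event schema, attribute names (`isAdmin`, `role`, `mfaBypass`, `appAssignments`), role names, actor identifiers and change-record IDs are all assumptions for illustration; map them to your provider's real audit fields and your own allow-lists before use. It scores each change by who made it, through which channel, whether it is covered by an approved change record, and whether it grants privilege, then escalates a single unfamiliar API client that flips several privileged attributes in a row.

```python
"""Triage IdP audit events for high-risk SSO/SAML attribute changes.

Added example. The JSON-lines schema and every name below are
constructed for illustration, not a vendor's real log format.
"""
import json
from collections import Counter

# Attributes the analytic calls out as high risk (names are assumptions).
HIGH_RISK_ATTRIBUTES = {"isAdmin", "role", "mfaBypass", "appAssignments"}
PRIVILEGED_ROLES = {"org_admin", "super_admin"}  # assumed role names

# Local context a SOC/IAM team maintains (all constructed for the example).
KNOWN_ADMINS = {"alice.admin"}                  # expected human administrators
SANCTIONED_AUTOMATION = {"hr-provisioning-svc"}  # approved API/automation clients
APPROVED_CHANGES = {"CHG-1042"}                  # open, approved change records

# Constructed sample audit events, one JSON object per line.
SAMPLE_EVENTS = """\
{"ts":"2025-01-08T09:12:03Z","actor":"alice.admin","actor_type":"user","channel":"web","target":"bob","attribute":"displayName","old":"Bob","new":"Robert","change_ref":null}
{"ts":"2025-01-08T09:15:41Z","actor":"alice.admin","actor_type":"user","channel":"cli","target":"bob","attribute":"role","old":"member","new":"org_admin","change_ref":"CHG-1042"}
{"ts":"2025-01-08T09:20:10Z","actor":"hr-provisioning-svc","actor_type":"api_client","channel":"api","target":"carol","attribute":"appAssignments","old":[],"new":["payroll"],"change_ref":null}
{"ts":"2025-01-08T23:48:55Z","actor":"app-7f3c","actor_type":"api_client","channel":"api","target":"dave","attribute":"mfaBypass","old":false,"new":true,"change_ref":null}
{"ts":"2025-01-08T23:49:02Z","actor":"app-7f3c","actor_type":"api_client","channel":"api","target":"dave","attribute":"isAdmin","old":false,"new":true,"change_ref":null}
"""


def grants_privilege(attribute, old, new):
    """True when the change adds privilege rather than removing or keeping it."""
    if attribute in {"isAdmin", "mfaBypass"}:
        return bool(new) and not bool(old)
    if attribute == "role":
        return new in PRIVILEGED_ROLES and old not in PRIVILEGED_ROLES
    if attribute == "appAssignments":
        return bool(set(new or []) - set(old or []))  # any newly granted app
    return False


def classify(event):
    """Return (severity, reason) for a single audit event."""
    attr = event["attribute"]
    if attr not in HIGH_RISK_ATTRIBUTES:
        return "info", "attribute not in high-risk set"
    actor = event["actor"]
    if event["actor_type"] == "api_client" and actor in SANCTIONED_AUTOMATION:
        return "low", "sanctioned automation client"
    if actor in KNOWN_ADMINS:
        if event.get("change_ref") in APPROVED_CHANGES:
            return "low", "known administrator with approved change record"
        return "medium", "known administrator without approved change record"
    # Anyone else touching a high-risk attribute is unexpected by definition.
    reason = f"unrecognised actor via {event['channel']}"
    if grants_privilege(attr, event.get("old"), event.get("new")):
        reason += ", grants privilege"
    return "high", reason


def triage(jsonl):
    """Classify every event, then escalate repeat offenders.

    One unfamiliar app flipping several privileged attributes on the same
    night is the rogue-IdP-app pattern the analytic describes, so two or
    more high-severity changes by the same unknown actor become critical.
    """
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sev, why = classify(ev)
        findings.append({"ts": ev["ts"], "actor": ev["actor"], "target": ev["target"],
                         "attribute": ev["attribute"], "severity": sev, "reason": why})
    repeats = Counter(f["actor"] for f in findings if f["severity"] == "high")
    for f in findings:
        if f["severity"] == "high" and repeats[f["actor"]] >= 2:
            f["severity"] = "critical"
            f["reason"] += f" ({repeats[f['actor']]} high-risk changes by same actor)"
    return findings


def severity_counts(findings):
    """Summary suitable for a daily review dashboard."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:<8} {f['ts']} {f['actor']} -> {f['target']}.{f['attribute']}: {f['reason']}")
```

The allow-lists do the real work: a change by a known administrator with a matching change record is routine, the same change without one is a review item, and any high-risk change by an actor outside both lists is an alert regardless of channel. Replace the constructed sets with your CMDB, IAM role inventory and change-management export, and feed the function from your IdP's audit log export instead of the inline sample.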
Mitigation priorities
- Restrict who and what can modify SSO/SAML attributes, roles, MFA bypass settings, and application assignments.
- Require strong administrative authentication and least-privilege roles for identity-provider administration.
- Govern API clients, CLI access, and identity-provider applications with explicit ownership, scoped permissions, and periodic review.
- Use change approval and evidence retention for privileged identity and access-control changes.
- Regularly review administrative roles, MFA bypass exceptions, and app assignments for drift from policy.
Analyst notes and limits
AN0268 is a detection analytic object for the enterprise ATT&CK domain with the Identity Provider platform specified. The supplied description focuses on SSO/SAML attribute modification through CLI, API, or rogue IdP apps. No official detection text, tactics, or relationships were supplied, so this summary emphasizes validation of identity telemetry and governance controls rather than a specific analytic query.
This summary is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, actor attribution, specific vendor coverage, or guaranteed detection. Local identity-provider logging capabilities, attribute names, administrative workflows, and change-management data are required to operationalize the analytic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ff0b0a84eac7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack, AN0268 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.