Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0501: Analytic 0501

Post-compromise identity & session anomalies that follow a drive-by compromise: token reuse from new/unfamiliar IPs, anomalous sign-in patterns for previously inactive users, unexpected consent/grant events, or provisioning changes. Defender sees an endpoint/browser compromise (network + endpoint signals) followed by unusual IdP events: new refresh token issuance, consent/consent-grant events, odd MFA bypass patterns, or unusual OAuth client registrations.

EnterpriseAN0501AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN0501 matters because it focuses on what can happen after a browser or endpoint compromise reaches the identity layer: reused tokens, unfamiliar sign-in locations, unexpected consent grants, provisioning changes, MFA anomalies, or unusual OAuth client registrations. For leaders, the key issue is not just malware on a device; it is whether compromised sessions can become persistent access through the Identity Provider.

Executive priority

Prioritize this analytic as an identity resilience and incident-response readiness check. Executives should ask whether the organization can connect endpoint/browser compromise evidence with IdP activity quickly enough to decide on token revocation, account containment, consent review, and user/session recovery. This is especially relevant for audit evidence around identity monitoring, cloud access governance, and incident decision-making.

Technical view

SOC and IR teams should validate that Identity Provider telemetry can be correlated with endpoint and network indicators of browser or endpoint compromise. The analytic points to post-compromise anomalies including token reuse from new or unfamiliar IPs, sign-ins by previously inactive users, new refresh token issuance, consent or consent-grant events, odd MFA bypass patterns, provisioning changes, and unusual OAuth client registrations. Detection engineering should focus on linking these IdP events into a single investigation narrative rather than treating each alert in isolation.

Likely telemetry

  • Identity Provider sign-in logs
  • Refresh token issuance and token reuse events
  • Source IP, geolocation, device, and user-agent context for authentication activity
  • Consent and consent-grant audit events
  • OAuth application or client registration events

Detection direction

  • Validate that IdP logs retain enough detail to distinguish familiar from unfamiliar IPs, devices, locations, and user agents.
  • Correlate endpoint/browser compromise signals with subsequent IdP anomalies for the same user, device, session, or time window.
  • Tune for users with low or inactive historical sign-in patterns where sudden access may be more suspicious.
  • Review expected administrative workflows to reduce false positives around legitimate provisioning changes, OAuth registrations, and consent grants.
  • Check blind spots around missing refresh-token events, incomplete consent audit logging, limited MFA exception visibility, and weak linkage between endpoint telemetry and identity events.

Mitigation priorities

  • Ensure IdP audit logging is enabled and retained for sign-ins, token activity, consent grants, OAuth client registration, MFA events, and provisioning changes.
  • Define incident response playbooks for suspected session compromise, including token/session revocation, account review, consent review, and OAuth application validation.
  • Restrict and monitor high-risk consent, grant, provisioning, and application registration actions according to least privilege.
  • Strengthen identity governance around inactive accounts, MFA exceptions, and administrative changes.
  • Test whether SOC workflows can pivot from endpoint/browser alerts into IdP investigations without manual delay.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic for the Identity Provider platform. It describes identity and session anomalies following a drive-by compromise, but no ATT&CK tactics or relationships were supplied. The most useful defensive value is validating cross-domain visibility between endpoint/browser compromise evidence and identity-provider audit trails.

Official detection logic was not provided, and no relationships were supplied. This take therefore avoids specific rule syntax, thresholds, attribution, exploitation claims, or guaranteed coverage. Local IdP capabilities, logging configuration, retention, and normal user behavior are required to operationalize the analytic.

Official MITRE ATT&CK definition

Analytic 0501

Post-compromise identity & session anomalies that follow a drive-by compromise: token reuse from new/unfamiliar IPs, anomalous sign-in patterns for previously inactive users, unexpected consent/grant events, or provisioning changes. Defender sees an endpoint/browser compromise (network + endpoint signals) followed by unusual IdP events: new refresh token issuance, consent/consent-grant events, odd MFA bypass patterns, or unusual OAuth client registrations.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
e7d793e12dbdf1ed...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle e7d793e12dbd…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0501
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use