Entra ID support + AU techniques

docs/attack-techniques/azure/azure.persistence.hidden-au.md

@@ -0,0 +1,52 @@
+---
+title: Scoped Role Assignment Through HiddenMembership AU
+---
+
+# Scoped Role Assignment Through HiddenMembership AU
+
+Platform: Azure
+
+## MITRE ATT&CK Tactics
+
+- Persistence
+
+## Description
+
+Create a HiddenMembership [Administrative Unit (AU)](https://learn.microsoft.com/en-us/graph/api/resources/administrativeunit?view=graph-rest-1.0), and a scoped role assignment over this AU to simulate hidden assigned permissions.
+
+Warm-up:
+
+- Create Target Entra ID user
+- Initialize Privileged Administration Administrator role
+
+Detonation:
+
+- Create HiddenMembership AU
+- Create Backdoor Entra ID user
+- Add Target user to AU
+- Assign Backdoor user Privileged Administration Administrator over AU
+
+References:
+
+- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate azure.persistence.hidden-au
+```
+
+## Detection
+
+Identify the following <code>activityDisplayName</code> events in Entra ID Audit logs.
+
+For <code>Service: Core Directory</code>,<code>Category: AdministrativeUnit</code>:
+Add administrative unit
+Add member to administrative unit
+
+For <code>Service: Core Directory</code>,<code>Category: RoleManagement</code>:
+Add scoped member to role
+
+Consider detection of additional Administrative Unit activities and scoped role assignments in the following Microsoft article:
+- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities

docs/attack-techniques/azure/azure.persistence.restricted-au.md

@@ -0,0 +1,49 @@
+---
+title: Restricted Backdoor Account Through Restricted Management AU
+---
+
+# Restricted Backdoor Account Through Restricted Management AU
+
+ <span class="smallcaps w3-badge w3-orange w3-round w3-text-sand" title="This attack technique may take 5+ minutes to clean up">slow</span> 
+
+Platform: Azure
+
+## MITRE ATT&CK Tactics
+
+- Persistence
+
+## Description
+
+Create a [restricted management Administrative Unit (AU)](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management), and place a backdoor account in it to simulate a protected attacker-controlled user.
+
+Warm-up:
+
+- Create Entra ID user (Backdoor)
+
+Detonation:
+
+- Create restricted management AU
+- Add Backdoor user to AU
+
+References:
+
+- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units
+- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate azure.persistence.restricted-au
+```
+
+## Detection
+
+Identify the following <code>activityDisplayName</code> events in Entra ID Audit logs.
+
+For <code>Service: Core Directory</code>,<code>Category: AdministrativeUnit</code>:
+Add administrative unit
+Add member to restricted management administrative unit
+
+Consider detection of additional Administrative Unit activities and scoped role assignments in the following Microsoft article:
+- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities

v2/go.mod

@@ -4,8 +4,8 @@ go 1.19
 
 require (
 	cloud.google.com/go/compute v1.10.0
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0
 	github.com/aws/aws-sdk-go-v2 v1.30.3
@@ -31,11 +31,11 @@ require (
 	github.com/cenkalti/backoff/v4 v4.2.1
 	github.com/fatih/color v1.13.0
 	github.com/golang-jwt/jwt v3.2.2+incompatible
-	github.com/google/uuid v1.3.0
+	github.com/google/uuid v1.6.0
 	github.com/hashicorp/terraform-exec v0.17.3
 	github.com/jedib0t/go-pretty/v6 v6.4.0
 	github.com/spf13/cobra v1.6.0
-	github.com/stretchr/testify v1.8.0
+	github.com/stretchr/testify v1.9.0
 	google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.25.3
@@ -44,8 +44,8 @@ require (
 )
 
 require (
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/Microsoft/go-winio v0.5.0 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
@@ -61,13 +61,16 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.18.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.2 // indirect
+	github.com/cjlapao/common-go v0.0.39 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.19.5 // indirect
 	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
@@ -80,22 +83,35 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
-	github.com/mattn/go-colorable v0.1.12 // indirect
-	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.16 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
+	github.com/microsoft/kiota-abstractions-go v1.6.1 // indirect
+	github.com/microsoft/kiota-authentication-azure-go v1.0.2 // indirect
+	github.com/microsoft/kiota-http-go v1.4.1 // indirect
+	github.com/microsoft/kiota-serialization-form-go v1.0.0 // indirect
+	github.com/microsoft/kiota-serialization-json-go v1.0.7 // indirect
+	github.com/microsoft/kiota-serialization-multipart-go v1.0.0 // indirect
+	github.com/microsoft/kiota-serialization-text-go v1.0.0 // indirect
+	github.com/microsoftgraph/msgraph-beta-sdk-go v0.107.0 // indirect
+	github.com/microsoftgraph/msgraph-sdk-go-core v1.2.0 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/objx v0.4.0 // indirect
+	github.com/std-uritemplate/std-uritemplate/go v0.0.57 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	go.opencensus.io v0.23.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	golang.org/x/net v0.27.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1 // indirect
-	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/term v0.22.0 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
@@ -115,10 +131,11 @@ require (
 	github.com/hashicorp/hc-install v0.4.0
 	github.com/hashicorp/terraform-json v0.14.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/microsoftgraph/msgraph-sdk-go v1.47.0
 	github.com/zclconf/go-cty v1.11.0 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/crypto v0.25.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	google.golang.org/api v0.99.0
 	google.golang.org/grpc v1.50.0 // indirect
 )