DataDog · christophetd · Sep 13, 2024 · Aug 16, 2024 · Aug 16, 2024 · Aug 19, 2024
diff --git a/docs/attack-techniques/AWS/aws.discovery.ec2-download-user-data.md b/docs/attack-techniques/AWS/aws.discovery.ec2-download-user-data.md
@@ -48,7 +48,7 @@ Through CloudTrail's <code>DescribeInstanceAttribute</code> event.
 
 See:
 
-* [Associated Sigma rule](https://github.com/SigmaHQ/sigma/blob/master/unsupported/cloud/aws_ec2_download_userdata.yml)
+* [Associated Sigma rule](https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/aws_ec2_download_userdata.yml)
 
 
 ## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>

diff --git a/docs/attack-techniques/entra-id/entra-id.persistence.backdoor-application-sp.md b/docs/attack-techniques/entra-id/entra-id.persistence.backdoor-application-sp.md
@@ -0,0 +1,54 @@
+---
+title: Backdoor Entra ID application through service principal
+---
+
+# Backdoor Entra ID application through service principal
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+- Privilege Escalation
+
+## Description
+
+
+Backdoors an existing Entra ID application by creating a new credential on the associated service principal.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create an Entra ID application and associated service principal
+- Assign it the <code>Directory Readers</code> role at the tenant level (for illustration purposes)
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Backdoor the Entra ID application by creating a new credential on the associated service principal
+
+Notes: The warm-up mimics what happens when you create an App Registration through the Azure portal. 
+When you use the Azure portal, creating an App Registration automatically creates an associated service principal. 
+When using the Microsoft Graph API, the service principal needs to be created separately. 
+
+References:
+
+- https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/
+- https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html
+- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
+- https://redfoxsec.com/blog/azure-privilege-escalation-via-service-principal/
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.backdoor-application-sp
+```
+## Detection
+
+
+Using [Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs) with the activity type <code>Add service principal credentials</code>.
+
+
diff --git a/docs/attack-techniques/entra-id/entra-id.persistence.backdoor-application.md b/docs/attack-techniques/entra-id/entra-id.persistence.backdoor-application.md
@@ -0,0 +1,54 @@
+---
+title: Backdoor Entra ID application
+---
+
+# Backdoor Entra ID application
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+- Privilege Escalation
+
+## Description
+
+
+Backdoors an existing Entra ID application by creating a new password credential.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create an Entra ID application and associated service principal
+- Assign it the <code>Directory Readers</code> role at the tenant level (for illustration purposes)
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Backdoor the Entra ID application by creating a new password credential
+
+Notes: The warm-up mimics what happens when you create an App Registration through the Azure portal. 
+When you use the Azure portal, creating an App Registration automatically creates an associated service principal. 
+When using the Microsoft Graph API, the service principal needs to be created separately. 
+
+References:
+
+- https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/
+- https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html
+- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
+- https://redfoxsec.com/blog/azure-privilege-escalation-via-service-principal/
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.backdoor-application
+```
+## Detection
+
+
+Using [Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs) with the activity type <code>Update application – Certificates and secrets management</code>.
+
+
diff --git a/docs/attack-techniques/entra-id/entra-id.persistence.guest-user.md b/docs/attack-techniques/entra-id/entra-id.persistence.guest-user.md
@@ -0,0 +1,114 @@
+---
+title: Create Guest User
+---
+
+# Create Guest User
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+
+## Description
+
+
+Invites an external guest user in the tenant.
+
+<span style="font-variant: small-caps;">Warm-up</span>: None
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Invite guest user (without generating an invitation email)
+
+References:
+
+- https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/inviting-external-users/
+- https://derkvanderwoude.medium.com/azure-subscription-hijacking-and-cryptomining-86c2ac018983
+- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf
+
+!!! note
+
+	By default, Stratus Red Team invites the e-mail <code>[email protected]</code>. However, you can override
+	this behavior by setting the environment variable <code>STRATUS_RED_TEAM_ATTACKER_EMAIL</code>, for instance:
+
+	```bash
+	export STRATUS_RED_TEAM_ATTACKER_EMAIL="[email protected]"
+	stratus detonate entra-id.persistence.guest-user
+	```
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.guest-user
+```
+## Detection
+
+
+Using [Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs) with the specific activity types:
+
+- <code>Add user</code>
+- <code>Invite external user</code>
+- <code>Add user sponsor</code>
+
+When the invited user accepts the invite, an additional event <code>Redeem external user invite</code> is logged. 
+
+Sample events, shortened for clarity:
+
+```json
+{
+  "category": "UserManagement",
+  "result": "success",
+  "activityDisplayName": "Invite external user",
+  "loggedByService": "Invited Users",
+  "initiatedBy": {
+    "user": {
+      "userPrincipalName": "<[email protected]>",
+    }
+  },
+  "userAgent": "",
+  "targetResources": [
+    {
+      "displayName": "<invited user display name>",
+      "type": "User",
+      "userPrincipalName": "<invited-user-email>#EXT#@<tenant.tld>",
+      "groupType": null,
+      "modifiedProperties": []
+    }
+  ],
+  "additionalDetails": [
+    {
+      "key": "invitedUserEmailAddress",
+      "value": "<invited-user-email>"
+    }
+  ]
+}
+{
+  "category": "UserManagement",
+  "result": "success",
+  "resultReason": null,
+  "activityDisplayName": "Redeem external user invite",
+  "loggedByService": "B2B Auth",
+  "initiatedBy": {
+    "user": {
+      "userPrincipalName": "<invited-user-email>",
+      "ipAddress": "<invited-user-ip>"
+    }
+  },
+  "targetResources": [
+    {
+      "id": "d042c4fe-5dd1-44a2-883a-eede6c10608f",
+      "displayName": "UPN: <invited-user-email>#EXT#<tenant.tld>, Email: <invited-user-email>, InvitationId: 4c93fc70-169a-411f-8cf7-aff732f8c7b9, Source: One Time Passcode",
+      "type": "User",
+      "userPrincipalName": "<invited-user-email>#EXT#<tenant.tld>"
+    }
+  ]
+}
+```
+
+
diff --git a/docs/attack-techniques/entra-id/entra-id.persistence.hidden-au.md b/docs/attack-techniques/entra-id/entra-id.persistence.hidden-au.md
@@ -0,0 +1,62 @@
+---
+title: Create Hidden Scoped Role Assignment Through HiddenMembership AU
+---
+
+# Create Hidden Scoped Role Assignment Through HiddenMembership AU
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+
+## Description
+
+
+Creates an [Administrative Unit (AU)](https://learn.microsoft.com/en-us/graph/api/resources/administrativeunit?view=graph-rest-1.0) with hidden membership, and a scoped role assignment over this AU.
+This simulates an attacker that TODO.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create the target (victim) Entra ID user
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Create an administrative unit with hidden membership
+- Create a backdoor Entra ID user
+- Add the target (victim) user to the administrative unit
+- Assign the backdoor user with Privileged Administration Administrator rights over the administrative unit
+
+This simulates an attacker that indirectly persists their access. 
+The backdoor user can now perform privileged operations over any user in the administrative unit, which can be used to escalate privileges or maintain access, for instance by resetting the target user's password.
+
+References:
+
+- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units
+
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.hidden-au
+```
+## Detection
+
+
+Using [Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs) with the specific activity types:
+
+For <code>Service: Core Directory</code> and <code>Category: AdministrativeUnit</code>:
+
+- <code>Add administrative unit</code>
+- <code>Add member to administrative unit</code>
+
+For <code>Service: Core Directory</code> and <code>Category: RoleManagement</code>:
+
+- <code>Add scoped member to role</code>
+
+
diff --git a/docs/attack-techniques/entra-id/entra-id.persistence.new-application.md b/docs/attack-techniques/entra-id/entra-id.persistence.new-application.md
@@ -0,0 +1,52 @@
+---
+title: Create Application
+---
+
+# Create Application
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+- Privilege Escalation
+
+## Description
+
+
+Creates a new Entra ID application to backdoor the tenant.
+
+<span style="font-variant: small-caps;">Warm-up</span>: None
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Create a new Entra ID application
+- Create a password credential for the application
+- Create a service principal for the application
+- Assign the Global Administrator role to the application
+- Print the command to retrieve a Graph API access token
+
+References:
+
+- https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/
+- https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.new-application
+```
+## Detection
+
+
+Using [Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs) with the specific activity types:
+
+- <code>Add application</code>
+- <code>Update application – Certificates and secrets management</code>
+- <code>Add member to role</code>
+
+
-Original file line number
+Diff line change
@@ Expand Up @@
     See:
-    * [Associated Sigma rule](https://github.com/SigmaHQ/sigma/blob/master/unsupported/cloud/aws_ec2_download_userdata.yml)
+    * [Associated Sigma rule](https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/aws_ec2_download_userdata.yml)
     ## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>
@@ Expand Down @@