Entra ID support + AU techniques

docs/attack-techniques/azure/azure.persistence.hidden-au.md

@@ -0,0 +1,52 @@
+---
+title: Scoped Role Assignment Through HiddenMembership AU
+---
+
+# Scoped Role Assignment Through HiddenMembership AU
+
+Platform: Azure
+
+## MITRE ATT&CK Tactics
+
+- Persistence
+
+## Description
+
+Create a HiddenMembership [Administrative Unit (AU)](https://learn.microsoft.com/en-us/graph/api/resources/administrativeunit?view=graph-rest-1.0), and a scoped role assignment over this AU to simulate hidden assigned permissions.
+
+Warm-up:
+
+- Create Target Entra ID user
+- Initialize Privileged Administration Administrator role
+
+Detonation:
+
+- Create HiddenMembership AU
+- Create Backdoor Entra ID user
+- Add Target user to AU
+- Assign Backdoor user Privileged Administration Administrator over AU
+
+References:
+
+- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate azure.persistence.hidden-au
+```
+
+## Detection
+
+Identify the following <code>activityDisplayName</code> events in Entra ID Audit logs.
+
+For <code>Service: Core Directory</code>,<code>Category: AdministrativeUnit</code>:
+Add administrative unit
+Add member to administrative unit
+
+For <code>Service: Core Directory</code>,<code>Category: RoleManagement</code>:
+Add scoped member to role
+
+Consider detection of additional Administrative Unit activities and scoped role assignments in the following Microsoft article:
+- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities

docs/attack-techniques/azure/azure.persistence.restricted-au.md

@@ -0,0 +1,49 @@
+---
+title: Restricted Backdoor Account Through Restricted Management AU
+---
+
+# Restricted Backdoor Account Through Restricted Management AU
+
+ <span class="smallcaps w3-badge w3-orange w3-round w3-text-sand" title="This attack technique may take 5+ minutes to clean up">slow</span> 
+
+Platform: Azure
+
+## MITRE ATT&CK Tactics
+
+- Persistence
+
+## Description
+
+Create a [restricted management Administrative Unit (AU)](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management), and place a backdoor account in it to simulate a protected attacker-controlled user.
+
+Warm-up:
+
+- Create Entra ID user (Backdoor)
+
+Detonation:
+
+- Create restricted management AU
+- Add Backdoor user to AU
+
+References:
+
+- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units
+- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate azure.persistence.restricted-au
+```
+
+## Detection
+
+Identify the following <code>activityDisplayName</code> events in Entra ID Audit logs.
+
+For <code>Service: Core Directory</code>,<code>Category: AdministrativeUnit</code>:
+Add administrative unit
+Add member to restricted management administrative unit
+
+Consider detection of additional Administrative Unit activities and scoped role assignments in the following Microsoft article:
+- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities

docs/attack-techniques/entra-id/entra-id.persistence.guest-user.md

@@ -0,0 +1,108 @@
+---
+title: Create Guest User for Persistent Access
+---
+
+# Create Guest User for Persistent Access
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+- Persistence
+
+## Description
+An attacker can abuse the Guest User invite process to gain persistent access to an environment, as they can invite themselves as a guest.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- N/A, this technique does not have a warm-up stage
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Invite Guest User
+
+References:
+
+- https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/inviting-external-users/
+
+!!! note
+
+	Since the target e-mail must exist for this attack simulation to work, Stratus Red Team grants the role to [email protected] by default.
+	This is a real Google account, owned by Stratus Red Team maintainers and that is not used for any other purpose than this attack simulation. However, you can override
+	this behavior by setting the environment variable <code>STRATUS_RED_TEAM_ATTACKER_EMAIL</code>, for instance:
+
+	```bash
+	export STRATUS_RED_TEAM_ATTACKER_EMAIL="[email protected]"
+	stratus detonate entra-id.persistence.guest-user
+	```
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.guest-user
+```
+
+## Detection
+
+When someone invites a guest user in Azure AD, several events are logged in the Azure AD Activity logs:
+
+<code>Add user</code>
+<code>Invite external user</code>
+<code>Add user sponsor</code>
+
+When the invited user accepts the invite, an additional event <code>Redeem external user invite</code> is logged.
+
+Sample events, shortened for clarity:
+```json 
+{
+  "category": "UserManagement",
+  "result": "success",
+  "activityDisplayName": "Invite external user",
+  "loggedByService": "Invited Users",
+  "initiatedBy": {
+    "user": {
+      "userPrincipalName": "<[email protected]>",
+    }
+  },
+  "userAgent": "",
+  "targetResources": [
+    {
+      "displayName": "<invited user display name>",
+      "type": "User",
+      "userPrincipalName": "<invited-user-email>#EXT#@<tenant.tld>",
+      "groupType": null,
+      "modifiedProperties": []
+    }
+  ],
+  "additionalDetails": [
+    {
+      "key": "invitedUserEmailAddress",
+      "value": "<invited-user-email>"
+    }
+  ]
+}
+{
+  "category": "UserManagement",
+  "result": "success",
+  "resultReason": null,
+  "activityDisplayName": "Redeem external user invite",
+  "loggedByService": "B2B Auth",
+  "initiatedBy": {
+    "user": {
+      "userPrincipalName": "<invited-user-email>",
+      "ipAddress": "<invited-user-ip>"
+    }
+  },
+  "targetResources": [
+    {
+      "id": "d042c4fe-5dd1-44a2-883a-eede6c10608f",
+      "displayName": "UPN: <invited-user-email>#EXT#<tenant.tld>, Email: <invited-user-email>, InvitationId: 4c93fc70-169a-411f-8cf7-aff732f8c7b9, Source: One Time Passcode",
+      "type": "User",
+      "userPrincipalName": "<invited-user-email>#EXT#<tenant.tld>"
+    }
+  ]
+}
+```

docs/attack-techniques/entra-id/entra-id.persistence.hidden-au.md

@@ -0,0 +1,60 @@
+---
+title: Create Hidden Scoped Role Assignment Through HiddenMembership AU
+---
+
+# Create Hidden Scoped Role Assignment Through HiddenMembership AU
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+
+## Description
+
+
+Create a HiddenMembership [Administrative Unit (AU)](https://learn.microsoft.com/en-us/graph/api/resources/administrativeunit?view=graph-rest-1.0), and a scoped role assignment over this AU to simulate hidden assigned permissions.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create Target Entra ID user
+- Initialize Privileged Administration Administrator role
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Create HiddenMembership AU
+- Create Backdoor Entra ID user
+- Add Target user to AU
+- Assign Backdoor user Privileged Administration Administrator over AU
+
+References:
+
+- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units
+
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.hidden-au
+```
+## Detection
+
+
+Identify the following <code>activityDisplayName</code> events in Entra ID Audit logs.
+
+For <code>Service: Core Directory</code>,<code>Category: AdministrativeUnit</code>:
+Add administrative unit
+Add member to administrative unit
+
+For <code>Service: Core Directory</code>,<code>Category: RoleManagement</code>:
+Add scoped member to role
+
+Consider detection of additional Administrative Unit activities and scoped role assignments in the following Microsoft article:
+- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
+
+

docs/attack-techniques/entra-id/entra-id.persistence.restricted-au.md

@@ -0,0 +1,55 @@
+---
+title: Create Sticky Backdoor Account Through Restricted Management AU
+---
+
+# Create Sticky Backdoor Account Through Restricted Management AU
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+
+## Description
+
+
+Create a [restricted management Administrative Unit (AU)](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management), and place a backdoor account in it to simulate a protected attacker-controlled user.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create Entra ID user (Backdoor)
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Create restricted management AU
+- Add Backdoor user to AU
+
+References:
+
+- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units
+- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management
+
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.restricted-au
+```
+## Detection
+
+
+Identify the following <code>activityDisplayName</code> events in Entra ID Audit logs.
+
+For <code>Service: Core Directory</code>,<code>Category: AdministrativeUnit</code>:
+Add administrative unit
+Add member to restricted management administrative unit
+
+Consider detection of additional Administrative Unit activities and scoped role assignments in the following Microsoft article:
+- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
+
+

docs/attack-techniques/entra-id/index.md

@@ -0,0 +1,12 @@
+# Entra ID
+
+This page contains the Stratus attack techniques for Entra ID, grouped by MITRE ATT&CK Tactic.
+Note that some Stratus attack techniques may correspond to more than a single ATT&CK Tactic.
+
+
+## Persistence
+
+- [Create Hidden Scoped Role Assignment Through HiddenMembership AU](./entra-id.persistence.hidden-au.md)
+
+- [Create Sticky Backdoor Account Through Restricted Management AU](./entra-id.persistence.restricted-au.md)
+

docs/attack-techniques/list.md

@@ -53,6 +53,8 @@ This page contains the list of all Stratus Attack Techniques.
 | [Export Disk Through SAS URL](./azure/azure.exfiltration.disk-export.md) | [Azure](./azure/index.md) | Exfiltration |
 | [Create Admin EKS Access Entry](./EKS/eks.lateral-movement.create-access-entry.md) | [EKS](./EKS/index.md) | Lateral Movement |
 | [Backdoor aws-auth EKS ConfigMap](./EKS/eks.persistence.backdoor-aws-auth-configmap.md) | [EKS](./EKS/index.md) | Persistence, Privilege Escalation |
+| [Create Hidden Scoped Role Assignment Through HiddenMembership AU](./entra-id/entra-id.persistence.hidden-au.md) | [Entra ID](./entra-id/index.md) | Persistence |
+| [Create Sticky Backdoor Account Through Restricted Management AU](./entra-id/entra-id.persistence.restricted-au.md) | [Entra ID](./entra-id/index.md) | Persistence |
 | [Exfiltrate Compute Disk by sharing it](./GCP/gcp.exfiltration.share-compute-disk.md) | [GCP](./GCP/index.md) | Exfiltration |
 | [Exfiltrate Compute Image by sharing it](./GCP/gcp.exfiltration.share-compute-image.md) | [GCP](./GCP/index.md) | Exfiltration |
 | [Exfiltrate Compute Disk by sharing a snapshot](./GCP/gcp.exfiltration.share-compute-snapshot.md) | [GCP](./GCP/index.md) | Exfiltration |

docs/attack-techniques/supported-platforms.md

@@ -1,4 +1,4 @@
 # Supported Platforms
 
-Stratus Red Team currently supports AWS, Azure, GCP,  Kubernetes, and Amazon EKS.
+Stratus Red Team currently supports AWS, Azure, GCP,  Kubernetes, Amazon EKS, and Entra ID.
 See [Connecting to your cloud account](https://stratus-red-team.cloud/user-guide/getting-started/#connecting-to-your-cloud-account) for setup instructions.

docs/index.yaml

@@ -465,6 +465,22 @@ Azure:
             - Exfiltration
           platform: Azure
           isIdempotent: true
+Entra ID:
+    Persistence:
+        - id: entra-id.persistence.hidden-au
+          name: Create Hidden Scoped Role Assignment Through HiddenMembership AU
+          isSlow: false
+          mitreAttackTactics:
+            - Persistence
+          platform: Entra ID
+          isIdempotent: false
+        - id: entra-id.persistence.restricted-au
+          name: Create Sticky Backdoor Account Through Restricted Management AU
+          isSlow: false
+          mitreAttackTactics:
+            - Persistence
+          platform: Entra ID
+          isIdempotent: false
 Kubernetes:
     Credential Access:
         - id: k8s.credential-access.dump-secrets

docs/user-guide/getting-started.md

@@ -159,6 +159,14 @@ export AZURE_SUBSCRIPTION_ID=45e0ad3f-ff94-499a-a2f0-bbb884e9c4a3
     fixed to `West US` (California). See why [here](https://github.com/DataDog/stratus-red-team/discussions/125).
 
 
+### Microsoft Entra ID
+
+- Use the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) to authenticate against your Azure tenant:
+
+```
+az login
+```
+
 ### GCP
 
 - Use the [gcloud CLI](https://cloud.google.com/sdk/gcloud) to authenticate against GCP: