Entra ID support + AU techniques

docs/attack-techniques/AWS/aws.discovery.ec2-download-user-data.md

@@ -48,7 +48,7 @@ Through CloudTrail's <code>DescribeInstanceAttribute</code> event.
 
 See:
 
-* [Associated Sigma rule](https://github.com/SigmaHQ/sigma/blob/master/unsupported/cloud/aws_ec2_download_userdata.yml)
+* [Associated Sigma rule](https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/aws_ec2_download_userdata.yml)
 
 
 ## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>

docs/attack-techniques/azure/azure.persistence.hidden-au.md

@@ -0,0 +1,52 @@
+---
+title: Scoped Role Assignment Through HiddenMembership AU
+---
+
+# Scoped Role Assignment Through HiddenMembership AU
+
+Platform: Azure
+
+## MITRE ATT&CK Tactics
+
+- Persistence
+
+## Description
+
+Create a HiddenMembership [Administrative Unit (AU)](https://learn.microsoft.com/en-us/graph/api/resources/administrativeunit?view=graph-rest-1.0), and a scoped role assignment over this AU to simulate hidden assigned permissions.
+
+Warm-up:
+
+- Create Target Entra ID user
+- Initialize Privileged Administration Administrator role
+
+Detonation:
+
+- Create HiddenMembership AU
+- Create Backdoor Entra ID user
+- Add Target user to AU
+- Assign Backdoor user Privileged Administration Administrator over AU
+
+References:
+
+- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate azure.persistence.hidden-au
+```
+
+## Detection
+
+Identify the following <code>activityDisplayName</code> events in Entra ID Audit logs.
+
+For <code>Service: Core Directory</code>,<code>Category: AdministrativeUnit</code>:
+Add administrative unit
+Add member to administrative unit
+
+For <code>Service: Core Directory</code>,<code>Category: RoleManagement</code>:
+Add scoped member to role
+
+Consider detection of additional Administrative Unit activities and scoped role assignments in the following Microsoft article:
+- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities

docs/attack-techniques/azure/azure.persistence.restricted-au.md

@@ -0,0 +1,49 @@
+---
+title: Restricted Backdoor Account Through Restricted Management AU
+---
+
+# Restricted Backdoor Account Through Restricted Management AU
+
+ <span class="smallcaps w3-badge w3-orange w3-round w3-text-sand" title="This attack technique may take 5+ minutes to clean up">slow</span> 
+
+Platform: Azure
+
+## MITRE ATT&CK Tactics
+
+- Persistence
+
+## Description
+
+Create a [restricted management Administrative Unit (AU)](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management), and place a backdoor account in it to simulate a protected attacker-controlled user.
+
+Warm-up:
+
+- Create Entra ID user (Backdoor)
+
+Detonation:
+
+- Create restricted management AU
+- Add Backdoor user to AU
+
+References:
+
+- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units
+- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate azure.persistence.restricted-au
+```
+
+## Detection
+
+Identify the following <code>activityDisplayName</code> events in Entra ID Audit logs.
+
+For <code>Service: Core Directory</code>,<code>Category: AdministrativeUnit</code>:
+Add administrative unit
+Add member to restricted management administrative unit
+
+Consider detection of additional Administrative Unit activities and scoped role assignments in the following Microsoft article:
+- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities

docs/attack-techniques/entra-id/entra-id.persistence.backdoor-application.md

@@ -0,0 +1,50 @@
+---
+title: Backdoor Entra ID application
+---
+
+# Backdoor Entra ID application
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+- Privilege Escalation
+
+## Description
+
+
+Backdoors an existing Entra ID application by creating a new password credential on the app registration.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create an Entra ID application
+- Assign it the <code>User.Read.All</code> permission at the tenant level (for illustration purposes)
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Backdoor the Entra ID application by creating a new password credential
+
+References:
+
+- https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/
+- https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html
+- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
+- https://redfoxsec.com/blog/azure-privilege-escalation-via-service-principal/
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.backdoor-application
+```
+## Detection
+
+
+Using [Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs) with the activity type <code>Update application – Certificates and secrets management</code>.
+
+

docs/attack-techniques/entra-id/entra-id.persistence.guest-user.md

@@ -0,0 +1,113 @@
+---
+title: Create Guest User
+---
+
+# Create Guest User
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+
+## Description
+
+
+Invites an external guest user in the tenant.
+
+<span style="font-variant: small-caps;">Warm-up</span>: None
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Invite guest user (without generating an invitation email)
+
+References:
+
+- https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/inviting-external-users/
+- https://derkvanderwoude.medium.com/azure-subscription-hijacking-and-cryptomining-86c2ac018983
+- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf
+
+!!! note
+
+	Since the target e-mail must exist for this attack simulation to work, Stratus Red Team creates a guest user with the e-mail stratusredteam@gmail.com by default.
+	This is a real Google account, owned by Stratus Red Team maintainers and that is not used for any other purpose than this attack simulation. However, you can (and should) override
+	this behavior by setting the environment variable <code>STRATUS_RED_TEAM_ATTACKER_EMAIL</code>, for instance:
+
+	```bash
+	export STRATUS_RED_TEAM_ATTACKER_EMAIL="you@domain.tld"
+	stratus detonate entra-id.persistence.guest-user
+	```
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.guest-user
+```
+## Detection
+
+
+Using [Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs) with the specific activity types:
+
+- <code>Add user</code>
+- <code>Invite external user</code>
+- <code>Add user sponsor</code>
+
+When the invited user accepts the invite, an additional event <code>Redeem external user invite</code> is logged. 
+
+Sample events, shortened for clarity:```
+{
+  "category": "UserManagement",
+  "result": "success",
+  "activityDisplayName": "Invite external user",
+  "loggedByService": "Invited Users",
+  "initiatedBy": {
+    "user": {
+      "userPrincipalName": "<inviter@tenant.tld>",
+    }
+  },
+  "userAgent": "",
+  "targetResources": [
+    {
+      "displayName": "<invited user display name>",
+      "type": "User",
+      "userPrincipalName": "<invited-user-email>#EXT#@<tenant.tld>",
+      "groupType": null,
+      "modifiedProperties": []
+    }
+  ],
+  "additionalDetails": [
+    {
+      "key": "invitedUserEmailAddress",
+      "value": "<invited-user-email>"
+    }
+  ]
+}
+{
+  "category": "UserManagement",
+  "result": "success",
+  "resultReason": null,
+  "activityDisplayName": "Redeem external user invite",
+  "loggedByService": "B2B Auth",
+  "initiatedBy": {
+    "user": {
+      "userPrincipalName": "<invited-user-email>",
+      "ipAddress": "<invited-user-ip>"
+    }
+  },
+  "targetResources": [
+    {
+      "id": "d042c4fe-5dd1-44a2-883a-eede6c10608f",
+      "displayName": "UPN: <invited-user-email>#EXT#<tenant.tld>, Email: <invited-user-email>, InvitationId: 4c93fc70-169a-411f-8cf7-aff732f8c7b9, Source: One Time Passcode",
+      "type": "User",
+      "userPrincipalName": "<invited-user-email>#EXT#<tenant.tld>"
+    }
+  ]
+}
+```
+
+

docs/attack-techniques/entra-id/entra-id.persistence.hidden-au.md

@@ -0,0 +1,58 @@
+---
+title: Create Hidden Scoped Role Assignment Through HiddenMembership AU
+---
+
+# Create Hidden Scoped Role Assignment Through HiddenMembership AU
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+
+## Description
+
+
+Creates an [Administrative Unit (AU)](https://learn.microsoft.com/en-us/graph/api/resources/administrativeunit?view=graph-rest-1.0) with hidden membership, and a scoped role assignment over this AU.
+This simulates an attacker that TODO.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create Target Entra ID user
+- Initialize Privileged Administration Administrator role
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Create HiddenMembership AU
+- Create Backdoor Entra ID user
+- Add Target user to AU
+- Assign Backdoor user Privileged Administration Administrator over AU
+
+References:
+
+- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units
+
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.hidden-au
+```
+## Detection
+
+
+Using [Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs) with the specific activity types:
+
+For <code>Service: Core Directory</code> and <code>Category: AdministrativeUnit</code>:
+- <code>Add administrative unit</code>
+- <code>Add member to administrative unit</code>
+
+For <code>Service: Core Directory</code> and <code>Category: RoleManagement</code>:
+- <code>Add scoped member to role</code>
+
+

docs/attack-techniques/entra-id/entra-id.persistence.new-application.md

@@ -0,0 +1,52 @@
+---
+title: Create Application
+---
+
+# Create Application
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+- Privilege Escalation
+
+## Description
+
+
+Creates a new Entra ID application to backdoor the tenant.
+
+<span style="font-variant: small-caps;">Warm-up</span>: None
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Create a new Entra ID application
+- Create a password credential for the application
+- Create a service principal for the application
+- Assign the Global Administrator role to the application
+- Print the command to retrieve a Graph API access token
+
+References:
+
+- https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/
+- https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.new-application
+```
+## Detection
+
+
+Using [Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs) with the specific activity types:
+
+- <code>Add application</code>
+- <code>Update application – Certificates and secrets management</code>
+- <code>Add member to role</code>
+
+