Create Guest User

Platform: Entra ID

MITRE ATT&CK Tactics

  • Persistence

Description

Invites an external guest user in the tenant.

Warm-up: None

Detonation:

  • Invite guest user (without generating an invitation email)

References:

Note

By default, Stratus Red Team invites the e-mail stratus-red-team@example.com. However, you can override this behavior by setting the environment variable STRATUS_RED_TEAM_ATTACKER_EMAIL, for instance:

export STRATUS_RED_TEAM_ATTACKER_EMAIL="you@domain.tld"
stratus detonate entra-id.persistence.guest-user

Instructions

Detonate with Stratus Red Team
stratus detonate entra-id.persistence.guest-user

Detection

Using Entra ID audit logs with the specific activity types:

  • Add user
  • Invite external user
  • Add user sponsor

When the invited user accepts the invite, an additional event Redeem external user invite is logged.

Sample events, shortened for clarity:

{
  "category": "UserManagement",
  "result": "success",
  "activityDisplayName": "Invite external user",
  "loggedByService": "Invited Users",
  "initiatedBy": {
    "user": {
      "userPrincipalName": "<inviter@tenant.tld>"
    }
  },
  "userAgent": "",
  "targetResources": [
    {
      "displayName": "<invited user display name>",
      "type": "User",
      "userPrincipalName": "<invited-user-email>#EXT#@<tenant.tld>",
      "groupType": null,
      "modifiedProperties": []
    }
  ],
  "additionalDetails": [
    {
      "key": "invitedUserEmailAddress",
      "value": "<invited-user-email>"
    }
  ]
}
{
  "category": "UserManagement",
  "result": "success",
  "resultReason": null,
  "activityDisplayName": "Redeem external user invite",
  "loggedByService": "B2B Auth",
  "initiatedBy": {
    "user": {
      "userPrincipalName": "<invited-user-email>",
      "ipAddress": "<invited-user-ip>"
    }
  },
  "targetResources": [
    {
      "id": "d042c4fe-5dd1-44a2-883a-eede6c10608f",
      "displayName": "UPN: <invited-user-email>#EXT#<tenant.tld>, Email: <invited-user-email>, InvitationId: 4c93fc70-169a-411f-8cf7-aff732f8c7b9, Source: One Time Passcode",
      "type": "User",
      "userPrincipalName": "<invited-user-email>#EXT#<tenant.tld>"
    }
  ]
}
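The following is an added detection example, not part of Stratus Red Team or this page's original content. It takes Entra ID audit-log events shaped like the shortened samples above, keeps only the activity types listed in the Detection section, and correlates each invite with its later redemption so that an analyst can see who invited which external address and whether the guest has already signed in. The sample events, the inviter address `admin@tenant.tld`, the IP address and the partner-domain allowlist `EXPECTED_GUEST_DOMAINS` are all constructed for the example; the `#EXT#` UPN form follows the samples on the page.

```python
# Added detection example (not Stratus Red Team's own code).
# Input: a list of Entra ID audit-log events as dicts (e.g. parsed from a
# Microsoft Graph / Sentinel export). Output: one record per invited guest.
import json

# Activity types logged when a guest user is invited (from the Detection section)
INVITE_ACTIVITIES = {"Add user", "Invite external user", "Add user sponsor"}
# Activity logged when the guest accepts the invitation
REDEEM_ACTIVITY = "Redeem external user invite"

# Hypothetical allowlist of partner domains for which guest invites are expected;
# any other external domain is flagged for review.
EXPECTED_GUEST_DOMAINS = {"partner.example"}

# Constructed sample events mirroring the shortened samples on the page
SAMPLE_EVENTS = [
    {
        "category": "UserManagement",
        "result": "success",
        "activityDisplayName": "Invite external user",
        "loggedByService": "Invited Users",
        "initiatedBy": {"user": {"userPrincipalName": "admin@tenant.tld"}},
        "targetResources": [
            {"displayName": "Stratus Guest", "type": "User",
             "userPrincipalName": "stratus-red-team_example.com#EXT#@tenant.tld"}
        ],
        "additionalDetails": [
            {"key": "invitedUserEmailAddress", "value": "stratus-red-team@example.com"}
        ],
    },
    {
        "category": "UserManagement",
        "result": "success",
        "activityDisplayName": "Redeem external user invite",
        "loggedByService": "B2B Auth",
        "initiatedBy": {"user": {"userPrincipalName": "stratus-red-team@example.com",
                                  "ipAddress": "198.51.100.7"}},
        "targetResources": [
            {"type": "User",
             "userPrincipalName": "stratus-red-team_example.com#EXT#@tenant.tld"}
        ],
    },
    {   # unrelated user-management event that the detection must ignore
        "category": "UserManagement",
        "result": "success",
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "admin@tenant.tld"}},
        "targetResources": [{"type": "User", "userPrincipalName": "bob@tenant.tld"}],
    },
]


def _detail(event, key):
    """Look up a key in the event's additionalDetails list (None if absent)."""
    for item in event.get("additionalDetails") or []:
        if item.get("key") == key:
            return item.get("value")
    return None


def classify_event(event):
    """Return a normalised finding for a guest-invite related event, else None."""
    activity = event.get("activityDisplayName")
    if activity in INVITE_ACTIVITIES:
        stage = "invite"
    elif activity == REDEEM_ACTIVITY:
        stage = "redeem"
    else:
        return None
    initiator = (event.get("initiatedBy") or {}).get("user") or {}
    targets = event.get("targetResources") or []
    guest_upn = targets[0].get("userPrincipalName") if targets else None
    # On invite the guest address sits in additionalDetails; on redeem the guest
    # is the initiator, because they sign in to accept the invitation.
    if stage == "invite":
        guest_email = _detail(event, "invitedUserEmailAddress")
    else:
        guest_email = initiator.get("userPrincipalName")
    domain = guest_email.rsplit("@", 1)[-1].lower() if guest_email and "@" in guest_email else None
    return {
        "stage": stage,
        "activity": activity,
        "result": event.get("result"),
        "inviter": initiator.get("userPrincipalName") if stage == "invite" else None,
        "guest_email": guest_email,
        "guest_upn": guest_upn,
        "source_ip": initiator.get("ipAddress"),
        "is_external_upn": bool(guest_upn and "#EXT#" in guest_upn),
        "unexpected_domain": domain is not None and domain not in EXPECTED_GUEST_DOMAINS,
    }


def correlate(events):
    """Group findings per guest address, pairing each invite with its redemption."""
    guests = {}
    for event in events:
        finding = classify_event(event)
        if finding is None or not finding["guest_email"]:
            continue
        entry = guests.setdefault(finding["guest_email"].lower(), {
            "invited_by": None, "redeemed": False, "redeem_ip": None,
            "unexpected_domain": finding["unexpected_domain"], "activities": []})
        entry["activities"].append(finding["activity"])
        if finding["stage"] == "invite" and finding["result"] == "success":
            entry["invited_by"] = entry["invited_by"] or finding["inviter"]
        elif finding["stage"] == "redeem" and finding["result"] == "success":
            entry["redeemed"] = True
            entry["redeem_ip"] = finding["source_ip"]
    return guests


if __name__ == "__main__":
    for guest, info in correlate(SAMPLE_EVENTS).items():
        print(guest, json.dumps(info))
```

Reviewing the correlated record rather than the raw events makes the two stages of this technique visible together: a successful invite from an unexpected domain that has not yet been redeemed is a pending foothold, while a redeemed one also carries the IP address the guest signed in from, which is the first pivot for further investigation.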