Create Application

Platform: Entra ID

MITRE ATT&CK Tactics

  • Persistence
  • Privilege Escalation

Description

Creates a new Entra ID application to backdoor the tenant.

Warm-up: None

Detonation:

  • Create a new Entra ID application
  • Create a password credential for the application
  • Create a service principal for the application
  • Assign the Global Administrator role to the application
  • Print the command to retrieve a Graph API access token

References:

Instructions

Detonate with Stratus Red Team
stratus detonate entra-id.persistence.new-application

Detection

Use the Entra ID audit logs and look for the following activity types:

  • Add application
  • Update application – Certificates and secrets management
  • Add member to role
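
One way to correlate these three activity types, as an added example that is not part of Stratus Red Team or its documentation. It assumes records shaped like Microsoft Graph directoryAudit entries (activityDisplayName, activityDateTime, initiatedBy, targetResources); grouping by initiating actor and the 10-minute window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Activity names exactly as listed in the Detection section.
UPDATE_CREDS = "Update application – Certificates and secrets management"
CHAIN = {"Add application", UPDATE_CREDS, "Add member to role"}

def actor_of(e):
    """Initiating user UPN or app name from the record's initiatedBy field."""
    by = e.get("initiatedBy") or {}
    return ((by.get("user") or {}).get("userPrincipalName")
            or (by.get("app") or {}).get("displayName") or "unknown")

def event_time(e):
    return datetime.fromisoformat(e["activityDateTime"].replace("Z", "+00:00"))

def find_backdoor_chains(events, window=timedelta(minutes=10)):
    """Alert on each actor doing all three activities within `window` (assumed 10 min default)."""
    by_actor = {}
    for e in events:
        if e.get("activityDisplayName") in CHAIN:
            by_actor.setdefault(actor_of(e), []).append(e)
    alerts = []
    for actor, evts in by_actor.items():
        evts.sort(key=event_time)
        for i, first in enumerate(evts):
            hits = [e for e in evts[i:] if event_time(e) - event_time(first) <= window]
            if {e["activityDisplayName"] for e in hits} == CHAIN:
                targets = sorted({t.get("displayName") or "?" for e in hits
                                  for t in e.get("targetResources") or []})
                alerts.append({"actor": actor, "start": first["activityDateTime"],
                               "targets": targets})
                break
    return alerts

def make_event(ts, activity, upn, target):
    """Build a constructed audit record holding only the fields used above."""
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"displayName": target}]}

# Constructed sample records (not real tenant data).
SAMPLE = [
    make_event("2024-05-01T10:00:00Z", "Add application", "alice@example.com", "sample-app"),
    make_event("2024-05-01T10:00:05Z", UPDATE_CREDS, "alice@example.com", "sample-app"),
    make_event("2024-05-01T10:00:09Z", "Add member to role", "alice@example.com", "sample-app"),
    make_event("2024-05-01T11:00:00Z", "Add application", "bob@example.com", "build-tool"),
    make_event("2024-05-03T09:00:00Z", "Add member to role", "bob@example.com", "new-hire"),
]

print(find_backdoor_chains(SAMPLE))
```

Only the first actor in the sample is flagged: the second performs two of the three activities, days apart, so no complete chain falls inside the window.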