
Create Sticky Backdoor User Through Restricted Management AU

Platform: Entra ID

MITRE ATT&CK Tactics

  • Persistence

Description

Creates a restricted management Administrative Unit (AU) and places a backdoor account in it, simulating an attacker-controlled user that is shielded from modification by ordinary tenant-wide administrators.

Warm-up:

  • Create an Entra ID backdoor user

Detonation:

  • Create restricted management Administrative Unit
  • Add the backdoor user to the Administrative Unit

References:

Note: When cleaning up the technique, you might have to wait a few minutes for the user status to update before retrying the cleanup. This is a limitation of Entra ID.

Instructions

Detonate with Stratus Red Team
stratus detonate entra-id.persistence.restricted-au

Detection

Using Entra ID audit logs with the specific activity types:

  • Add administrative unit
  • Add member to restricted management administrative unit
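The following is an added example (not part of the Stratus Red Team page) showing how those two activity types can be correlated over exported Entra ID audit records: a restricted-management membership add is flagged, and marked higher-confidence when the same AU was created shortly before it. Field names follow the Microsoft Graph directoryAudit schema; the exact targetResources layout for these activities is an assumption, and the sample records are constructed.

```python
import json
from datetime import datetime, timedelta

AU_CREATED = "Add administrative unit"
RESTRICTED_MEMBER_ADDED = "Add member to restricted management administrative unit"

# Constructed sample records (not real tenant data). Field names follow the
# Graph directoryAudit schema; the targetResources layout is an assumption.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDisplayName": AU_CREATED, "activityDateTime": "2024-05-01T10:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
     "targetResources": [{"type": "AdministrativeUnit", "displayName": "Ops AU"}]},
    {"activityDisplayName": RESTRICTED_MEMBER_ADDED, "activityDateTime": "2024-05-01T10:01:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
     "targetResources": [{"type": "User", "displayName": "backdoor@example.onmicrosoft.com"},
                         {"type": "AdministrativeUnit", "displayName": "Ops AU"}]},
    {"activityDisplayName": RESTRICTED_MEMBER_ADDED, "activityDateTime": "2024-05-02T09:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.onmicrosoft.com"}},
     "targetResources": [{"type": "User", "displayName": "alice@example.onmicrosoft.com"},
                         {"type": "AdministrativeUnit", "displayName": "Finance AU"}]},
])

def _ts(rec):
    return datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))

def _actor(rec):
    # initiatedBy.user is absent for app-initiated activity, hence the guards
    return ((rec.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "<unknown>")

def _targets(rec, kind):
    return [t.get("displayName") for t in rec.get("targetResources", []) if t.get("type") == kind]

def find_restricted_au_persistence(audit_log_json, window=timedelta(hours=24)):
    """One finding per restricted-management membership add; au_created_recently
    is True when the same AU was created within `window` before the add, which
    is the create-then-add sequence this technique produces."""
    records = sorted(json.loads(audit_log_json), key=_ts)
    au_created_at = {}  # AU display name -> creation time seen in this log
    findings = []
    for rec in records:
        name = rec.get("activityDisplayName")
        if name == AU_CREATED:
            for au in _targets(rec, "AdministrativeUnit"):
                au_created_at[au] = _ts(rec)
        elif name == RESTRICTED_MEMBER_ADDED:
            for au in _targets(rec, "AdministrativeUnit"):
                created = au_created_at.get(au)
                findings.append({
                    "actor": _actor(rec), "au": au, "members": _targets(rec, "User"),
                    "au_created_recently": created is not None and _ts(rec) - created <= window,
                })
    return findings
```

Feeding the two activity types above through this correlation separates a freshly created AU that immediately receives a restricted member from routine membership changes on long-standing AUs.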