Hidden Persistence Tactics: Exploiting Entra ID Administrative Units

Research presented at fwd:cloudsec Europe 2024 shows how two legitimate Administrative Unit features, restricted management and hidden membership, let an attacker keep a backdoor account in a Microsoft Entra ID tenant that tenant-level administrators find hard to see and cannot directly remove.


Introduction

On September 17, 2024, security researcher Katie Knowles of Datadog Security Labs presented research at fwd:cloudsec Europe, published alongside the talk as the Datadog Security Labs write-up listed in the references, describing techniques for hidden persistence in Microsoft Entra ID. It shows how an attacker who has already obtained privileged access can use Administrative Units (AUs), specifically the restricted management and hidden membership features, to keep a backdoor account that defenders struggle to detect and cannot modify through their normal tenant-wide roles.

Report Overview

Microsoft Entra ID's Administrative Units (AUs) exist to scope administrative privileges to a defined set of users, groups, or devices, so that, for example, a help-desk administrator can reset passwords only for one region's users. The scoping is a least-privilege control, and the feature is enabled in every tenant whether or not anyone uses it. Knowles showed that the same mechanisms can be turned against the tenant: an attacker who already holds a role able to create AUs (Global Administrator or Privileged Role Administrator) can use them to retain control of the environment. This is "by design" behavior, not a vulnerability, but it is an avenue for abuse once privileged access has been obtained.

The research focuses on two AU features, restricted management and hidden membership. Both are meant for hardening, and both can be turned into long-term persistence:

  1. Restricted Management AUs:
    An AU created with restricted management enabled holds members (users, groups, devices) that can be modified only by administrators with a role scoped to that AU. Tenant-wide role assignments, including Global Administrator, do not reach those objects: an attempt to reset a member's password, disable it, or delete it fails with an authorization error. An attacker who places a backdoor account in such an AU therefore shields it from the usual incident-response actions. The restriction is fixed when the AU is created and cannot be switched off later; a Global Administrator regains control only by assigning themselves a role scoped to the AU or by deleting the AU itself, and first has to work out that an AU is the reason the account cannot be touched.
  2. Hidden Membership AUs:
    An AU whose visibility is set to HiddenMembership shows its member list only to administrators scoped to it and to a small set of tenant-level roles, Global Administrator among them. The AU itself and the role assignments scoped to it remain visible; what is hidden is which accounts they apply to. An attacker can give a backdoor account a role able to reset passwords, scoped to a hidden AU, and then populate the AU with the privileged accounts they want to reach. Anyone reviewing role assignments sees a modest-looking scoped role and cannot tell, without the right privileges, that it covers the tenant's most sensitive accounts.
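
As an added example, not taken from the Datadog write-up or from Microsoft's documentation, the following Microsoft Graph PowerShell script shows how both settings surface on the administrativeUnit object and gives a defender two checks: an inventory of AUs whose visibility is HiddenMembership or whose isMemberManagementRestricted flag is set, together with the roles scoped to each, and a lookup that explains why a given account resists modification by listing the restricted management AUs it belongs to. It assumes the Microsoft.Graph PowerShell SDK and a signed-in account entitled to read AUs, role assignments, and users (Global Reader or higher); the user principal name at the end is a placeholder.

```powershell
# Added example: hunt for the two AU settings the research abuses.
# Assumes the Microsoft.Graph PowerShell SDK (Identity.DirectoryManagement and Users modules)
# and a signed-in account that can read AUs, role assignments and users.
Connect-MgGraph -Scopes 'AdministrativeUnit.Read.All', 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

function Get-SuspiciousAdministrativeUnits {
    # Visibility is $null for a normal AU and 'HiddenMembership' for a hidden one;
    # IsMemberManagementRestricted is fixed at creation and cannot be toggled later.
    Get-MgDirectoryAdministrativeUnit -All -Property Id, DisplayName, Visibility, IsMemberManagementRestricted |
        Where-Object { $_.Visibility -eq 'HiddenMembership' -or $_.IsMemberManagementRestricted } |
        ForEach-Object {
            $au = $_
            # Role assignments scoped to the AU stay visible even when membership is hidden:
            # this is where a backdoor account's scoped role shows up.
            $scoped = Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -All |
                ForEach-Object {
                    $role = Get-MgDirectoryRole -DirectoryRoleId $_.RoleId
                    '{0} -> {1}' -f $_.RoleMemberInfo.DisplayName, $role.DisplayName
                }
            # The member list is returned only to callers allowed to see hidden membership
            # (Global Administrator or a role scoped to this AU); lesser readers get nothing useful.
            $members = Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All |
                ForEach-Object { $_.AdditionalProperties['displayName'] }
            [pscustomobject]@{
                DisplayName = $au.DisplayName
                Id          = $au.Id
                Hidden      = ($au.Visibility -eq 'HiddenMembership')
                Restricted  = [bool]$au.IsMemberManagementRestricted
                ScopedRoles = $scoped -join '; '
                Members     = $members -join '; '
            }
        }
}

function Get-RestrictingAdministrativeUnits {
    # Answers "why can't a Global Administrator reset this account?" by returning
    # the restricted management AUs the account is a direct member of.
    param([Parameter(Mandatory)][string]$UserId)   # object id or UPN
    Get-MgUserMemberOf -UserId $UserId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.administrativeUnit' } |
        ForEach-Object {
            Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $_.Id -Property Id, DisplayName, IsMemberManagementRestricted
        } |
        Where-Object { $_.IsMemberManagementRestricted }
}

Get-SuspiciousAdministrativeUnits | Format-List
# Placeholder account (assumption); replace with the account you were unable to modify.
Get-RestrictingAdministrativeUnits -UserId 'svc-backup@contoso.example' | Format-Table DisplayName, Id
```

Run the first function from a break-glass or Global Reader session so the member lists are populated; an empty Members column on a hidden AU means the caller is not entitled to see them, not that the AU is empty. Any AU returned with Restricted set to true whose scoped roles are not in your change records is worth treating as an incident.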

Insights and Analysis

Used together, the two features yield a resilient backdoor: the account cannot be modified by tenant-level administrators, and the reach of its scoped role is invisible to most reviewers. An attacker who has both concealed the blast radius of the backdoor and blocked its removal has undermined the tenant's ability to recover, which is why AU activity deserves continuous monitoring and dedicated auditing rather than the occasional review most tenants give it.

The research stresses that none of this is a vulnerability in Microsoft Entra ID; it is abuse of legitimate, documented functionality to persist. The techniques have been added to Datadog's open-source adversary emulation tool Stratus Red Team, which lets defenders detonate them in a test tenant and confirm that their own logging and alerting actually picks up AU creation, hidden membership, and scoped role assignments.

Defense comes down to knowing your AUs: inventory them, record which are restricted or hidden, review every role assignment scoped to an AU, and alert on AU creation and membership changes in the audit log. Microsoft documents how AUs work, but organizations still need their own remediation playbook for the case where an AU belongs to the attacker, including how a Global Administrator takes back a restricted AU by assigning themselves a scoped role or deleting it. Training and policy should make clear who is allowed to create AUs and why.

Preventative Measures

  • Alert on Entra ID audit events that create or update AUs, add members to them, or assign roles scoped to them, and treat a restricted or hidden-membership AU created outside a change window as an incident.
  • Keep the roles that can create AUs (Global Administrator and Privileged Role Administrator) to the smallest possible set of accounts.
  • Periodically enumerate all AUs, flag those with visibility set to HiddenMembership or restricted management enabled, and review every role assignment scoped to them against a known-good baseline.
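
As a second added example, again not from the source, this Microsoft Graph PowerShell snippet pulls the Entra ID audit events that record AU creation and modification, AU membership additions, and role assignments scoped to an AU over a configurable window, and prints who did what to which object together with the old and new property values. The activity names are the ones Entra ID uses for these operations in its audit log; confirm them against your own tenant's events, since the research summary above does not spell them out. It assumes the Microsoft.Graph PowerShell SDK (Reports module) and the AuditLog.Read.All permission.

```powershell
# Added example: pull the audit events that record AU abuse, for the last N days.
# Assumes the Microsoft.Graph PowerShell SDK (Reports module) and AuditLog.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

# Audit-log activity names for the operations the research relies on (verify in your tenant).
# Restricted management is set at creation, so it is the 'Add administrative unit' event,
# not a later update, that introduces a restricted AU.
$activities = @(
    'Add administrative unit',
    'Update administrative unit',           # e.g. visibility changed to HiddenMembership
    'Add member to administrative unit',
    'Add scoped member to role'             # role assignment scoped to an AU
)

function Get-AdministrativeUnitAuditEvents {
    param([int]$Days = 30)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    foreach ($activity in $activities) {
        # One query per activity keeps the OData filter to the simple forms the endpoint supports.
        $filter = "activityDateTime ge $since and activityDisplayName eq '$activity'"
        Get-MgAuditLogDirectoryAudit -All -Filter $filter | ForEach-Object {
            $actor = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
                     elseif ($_.InitiatedBy.App.DisplayName)     { 'app:' + $_.InitiatedBy.App.DisplayName }
                     else                                         { 'unknown' }
            # Property changes (old -> new) show which setting was flipped on an update.
            $changes = foreach ($t in $_.TargetResources) {
                foreach ($p in $t.ModifiedProperties) {
                    if ($p.NewValue) { '{0}: {1} -> {2}' -f $p.DisplayName, $p.OldValue, $p.NewValue }
                }
            }
            [pscustomobject]@{
                Time     = $_.ActivityDateTime
                Activity = $_.ActivityDisplayName
                Actor    = $actor
                Result   = $_.Result
                Targets  = ($_.TargetResources | ForEach-Object { '{0} ({1})' -f $_.DisplayName, $_.Type }) -join '; '
                Changes  = $changes -join '; '
            }
        }
    }
}

Get-AdministrativeUnitAuditEvents -Days 30 |
    Sort-Object Time |
    Format-Table Time, Activity, Actor, Targets, Changes -AutoSize
```

Feed the same activity names into whatever SIEM ingests your Entra audit logs so the check runs continuously rather than on demand; the Graph query is useful for the retrospective look during an investigation, when the question is who created the AU that is blocking remediation.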

By understanding the potential misuse of AUs, organizations can better protect their cloud environments from advanced persistence threats.

Indicators of Compromise (IOCs)

No specific Indicators of Compromise (IOCs) were provided in the source material.

MITRE ATT&CK Techniques

Tactic          | Technique                                    | ID        | Description
Persistence     | Account Manipulation: Additional Cloud Roles | T1098.003 | Granting the backdoor account a directory role scoped to an attacker-controlled AU.
Persistence     | Create Account: Cloud Account                | T1136.003 | Creating the backdoor account and placing it in a restricted management AU so tenant-level administrators cannot modify or remove it.
Persistence     | Valid Accounts: Cloud Accounts               | T1078.004 | Continued access to the tenant through the protected backdoor account.
Defense Evasion | Hide Artifacts                               | T1564     | Setting the AU's visibility to HiddenMembership so reviewers cannot see which accounts a scoped role reaches.
Discovery       | Account Discovery: Cloud Account             | T1087.004 | Enumerating privileged accounts to place inside the hidden, attacker-scoped AU.

References

Knowles, K. "Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence." Datadog Security Labs, September 2024. Presented at fwd:cloudsec Europe 2024.
  Abstract: Entra ID's Administrative Units (AU) are great for defenders… and for attackers! AUs are a useful method for creating scoped Entra ID role assignments. However, this scoping also offers juicy new methods for anyone looking to persist quietly in an Azure tenant: obscure parameters can hide AU membership, and restrictions can prevent removal of malicious accounts. AUs are a globally-enabled tenant feature. Are you prepared to keep an eye on them?