Hidden Persistence Tactics: Exploiting Entra ID Administrative Units
On September 17, 2024, a new research paper presented at fwd Europe by security researcher Katie Knowles revealed novel techniques for maintaining hidden persistence within Microsoft Entra ID environments.
Introduction
On September 17, 2024, a new research paper presented at fwd Europe by security researcher Katie Knowles revealed novel techniques for maintaining hidden persistence within Microsoft Entra ID environments. The research highlights how attackers can leverage Administrative Units (AUs) to remain undetected in compromised systems, using features like restricted management and hidden membership.
Report Overview
Microsoft Entra ID's Administrative Units (AUs) were designed to offer a way to scope administrative privileges over specific sets of users, groups, or devices. This scoping mechanism is intended to enhance security by applying least-privilege principles. However, Knowles and her team discovered that these same features can be used maliciously by attackers to maintain control over Entra ID environments. This "by design" functionality, while not a vulnerability, opens avenues for abuse if an attacker gains privileged access.
The research focuses on two core AU features: restricted management and hidden membership. These tools, meant for hardening environments, can also be exploited for long-term persistence:
- Restricted Management AUs:
Restricted AUs ensure that only specific administrators with scoped roles can modify sensitive accounts. Attackers can use this feature to prevent global administrators from resetting passwords or modifying accounts. By placing a backdoor account into a restricted AU, attackers effectively lock it from tampering, even by tenant-level admins. - Hidden Membership AUs:
Hidden AUs conceal their membership, only visible to certain privileged roles like Global Administrator. By using hidden AUs, attackers can stealthily assign administrative privileges without detection. This is particularly effective in concealing the scope of access granted to backdoor accounts, making it difficult for security teams to identify compromised accounts.
Insights and Analysis
The abuse of AUs can lead to a highly resilient backdoor, where even senior administrators struggle to detect or remove attacker-controlled accounts. If attackers can hide both the accounts and the privileges granted to them, they can effectively undermine the security of the entire tenant. These techniques highlight the need for continuous monitoring and advanced auditing of AU activities to mitigate the potential damage.
The research emphasizes that these tactics do not represent a vulnerability in Microsoft Entra ID. Instead, they demonstrate how attackers can abuse legitimate features to maintain persistence. The use of tools like Stratus Red Team to simulate these attacks further underscores the need for organizations to be proactive in monitoring AU usage.
To defend against these types of persistence tactics, security teams must regularly audit the creation and management of AUs, review scoped role assignments, and ensure that logs are actively monitored for unusual activities. Microsoft provides guidance on AU management, but organizations should develop specific remediation playbooks to handle malicious AU abuse. Regular training and updated security policies are essential to ensure that these features are used responsibly and effectively.
Preventative Measures
- Monitor Entra ID audit logs for unusual AU activities.
- Limit the number of administrators with access to create or modify AUs.
- Implement robust detection mechanisms for hidden memberships and scoped role assignments.
By understanding the potential misuse of AUs, organizations can better protect their cloud environments from advanced persistence threats.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| No specific Indicators of Compromise (IOCs) were provided in the source material. |
MITRE ATT&CK Techniques
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Persistence | Account Manipulation | T1098 | Abuse of Administrative Units (AUs) to create backdoor accounts. |
| Defense Evasion | Hidden Users | T1078.003 | Concealing AU membership to evade detection by security roles. |
| Privilege Escalation | Abuse Elevation Control Mechanisms | T1548.002 | Use of hidden and restricted AUs to maintain elevated privileges. |
| Credential Access | Account Discovery | T1087 | Discovering and manipulating accounts within Administrative Units. |
| Defense Evasion | Obfuscated Administrative Privileges | T1562.001 | Concealing scoped role assignments through hidden membership AUs. |
References
Katie Knowles Security Researcher
Comments ()