
Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence | Datadog Security Labs

securitylabs.datadoghq.com

Entra ID's Administrative Units (AU) are great for defenders… and for attackers! AUs are a useful method for creating scoped Entra ID role assignments. However, this scoping also offers juicy new methods for anyone looking to persist quietly in an Azure tenant: Obscure parameters can hide AU membership, and restrictions can prevent removal of malicious accounts. AUs are a globally-enabled tenant feature. Are you prepared to keep an eye on them?

2 pages link to this URL
Becoming a Stratus Red Team Contributor

I recently had the opportunity to contribute to Stratus Red Team as a part of my research into Entra ID administrative units. Open-source contributions can feel daunting if you haven’t been through them before...
