Entra ID support + AU techniques (#566)

* Add Entra ID AU techniques.

* Add AU technique documentation.

* Terraform formatting fix.

* Fixed typo in Restricted AU account name.

* Fix typo in detonation step details

* Fix typo in detonatin step details

* Add error handling for Graph client

* Update friendly names + remove unused codeBlock

* Modify Hidden AU technique to create Backdoor user during Detonation

* Update TF formatting

* Fixed err handling

* fix staticanalysis finding

* Add Entra ID provider and regenerate docs

* Fixed missing parenthesis in Hidden AU

* Remove extraneous err check

* Add Guest Invite techniqe, Entra ID Utils, + fix Hidden AU typo

* Fix function typo

* Add case in L46 to fix --platform entra-id option

* New attack technique (Entra ID): entra-id.persistence.new-application

* Apply suggestions from code review

* make docs

* Fix type in fmt.Sprintf

* New attack technique (Entra ID): entra-id.persistence.backdoor-application

* Update package names and regenerate docs

* Enhancements to entra-id.persistence.guest-user

* Enhancements to entra-id.persistence.restricted-au

* Enhancements to entra-id.persistence.hidden-au

* Refactor Entra ID attack techniques to be more consistent

* Update docs of entra-id.persistence.hidden-au

* New attack technique (Entra ID): entra-id.persistence.backdoor-application-sp

* make docs

* remove old azure docs

* avoid importing graphmodels twice

* bump MS Graph SDK

---------

Co-authored-by: Christophe Tafani-Dereeper <[email protected]>

docs/attack-techniques/AWS/aws.discovery.ec2-download-user-data.md

@@ -48,7 +48,7 @@ Through CloudTrail's <code>DescribeInstanceAttribute</code> event.
 
 See:
 
-* [Associated Sigma rule](https://github.com/SigmaHQ/sigma/blob/master/unsupported/cloud/aws_ec2_download_userdata.yml)
+* [Associated Sigma rule](https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/aws_ec2_download_userdata.yml)
 
 
 ## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>

docs/attack-techniques/entra-id/entra-id.persistence.backdoor-application-sp.md

@@ -0,0 +1,54 @@
+---
+title: Backdoor Entra ID application through service principal
+---
+
+# Backdoor Entra ID application through service principal
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+- Privilege Escalation
+
+## Description
+
+
+Backdoors an existing Entra ID application by creating a new credential on the associated service principal.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create an Entra ID application and associated service principal
+- Assign it the <code>Directory Readers</code> role at the tenant level (for illustration purposes)
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Backdoor the Entra ID application by creating a new credential on the associated service principal
+
+Notes: The warm-up mimics what happens when you create an App Registration through the Azure portal. 
+When you use the Azure portal, creating an App Registration automatically creates an associated service principal. 
+When using the Microsoft Graph API, the service principal needs to be created separately. 
+
+References:
+
+- https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/
+- https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html
+- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
+- https://redfoxsec.com/blog/azure-privilege-escalation-via-service-principal/
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.backdoor-application-sp
+```
+## Detection
+
+
+Using [Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs) with the activity type <code>Add service principal credentials</code>.
+
+

docs/attack-techniques/entra-id/entra-id.persistence.backdoor-application.md

@@ -0,0 +1,54 @@
+---
+title: Backdoor Entra ID application
+---
+
+# Backdoor Entra ID application
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+- Privilege Escalation
+
+## Description
+
+
+Backdoors an existing Entra ID application by creating a new password credential.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create an Entra ID application and associated service principal
+- Assign it the <code>Directory Readers</code> role at the tenant level (for illustration purposes)
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Backdoor the Entra ID application by creating a new password credential
+
+Notes: The warm-up mimics what happens when you create an App Registration through the Azure portal. 
+When you use the Azure portal, creating an App Registration automatically creates an associated service principal. 
+When using the Microsoft Graph API, the service principal needs to be created separately. 
+
+References:
+
+- https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/
+- https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html
+- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
+- https://redfoxsec.com/blog/azure-privilege-escalation-via-service-principal/
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.backdoor-application
+```
+## Detection
+
+
+Using [Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs) with the activity type <code>Update application – Certificates and secrets management</code>.
+
+

docs/attack-techniques/entra-id/entra-id.persistence.guest-user.md

@@ -0,0 +1,114 @@
+---
+title: Create Guest User
+---
+
+# Create Guest User
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+
+## Description
+
+
+Invites an external guest user in the tenant.
+
+<span style="font-variant: small-caps;">Warm-up</span>: None
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Invite guest user (without generating an invitation email)
+
+References:
+
+- https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/inviting-external-users/
+- https://derkvanderwoude.medium.com/azure-subscription-hijacking-and-cryptomining-86c2ac018983
+- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf
+
+!!! note
+
+ By default, Stratus Red Team invites the e-mail <code>[email protected]</code>. However, you can override
+ this behavior by setting the environment variable <code>STRATUS_RED_TEAM_ATTACKER_EMAIL</code>, for instance:
+
+ ```bash
+ export STRATUS_RED_TEAM_ATTACKER_EMAIL="[email protected]"
+ stratus detonate entra-id.persistence.guest-user
+ ```
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.guest-user
+```
+## Detection
+
+
+Using [Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs) with the specific activity types:
+
+- <code>Add user</code>
+- <code>Invite external user</code>
+- <code>Add user sponsor</code>
+
+When the invited user accepts the invite, an additional event <code>Redeem external user invite</code> is logged. 
+
+Sample events, shortened for clarity:
+
+```json
+{
+ "category": "UserManagement",
+ "result": "success",
+ "activityDisplayName": "Invite external user",
+ "loggedByService": "Invited Users",
+ "initiatedBy": {
+ "user": {
+ "userPrincipalName": "<[email protected]>",
+ }
+ },
+ "userAgent": "",
+ "targetResources": [
+ {
+ "displayName": "<invited user display name>",
+ "type": "User",
+ "userPrincipalName": "<invited-user-email>#EXT#@<tenant.tld>",
+ "groupType": null,
+ "modifiedProperties": []
+ }
+ ],
+ "additionalDetails": [
+ {
+ "key": "invitedUserEmailAddress",
+ "value": "<invited-user-email>"
+ }
+ ]
+}
+{
+ "category": "UserManagement",
+ "result": "success",
+ "resultReason": null,
+ "activityDisplayName": "Redeem external user invite",
+ "loggedByService": "B2B Auth",
+ "initiatedBy": {
+ "user": {
+ "userPrincipalName": "<invited-user-email>",
+ "ipAddress": "<invited-user-ip>"
+ }
+ },
+ "targetResources": [
+ {
+ "id": "d042c4fe-5dd1-44a2-883a-eede6c10608f",
+ "displayName": "UPN: <invited-user-email>#EXT#<tenant.tld>, Email: <invited-user-email>, InvitationId: 4c93fc70-169a-411f-8cf7-aff732f8c7b9, Source: One Time Passcode",
+ "type": "User",
+ "userPrincipalName": "<invited-user-email>#EXT#<tenant.tld>"
+ }
+ ]
+}
+```
+
+

docs/attack-techniques/entra-id/entra-id.persistence.hidden-au.md

@@ -0,0 +1,62 @@
+---
+title: Create Hidden Scoped Role Assignment Through HiddenMembership AU
+---
+
+# Create Hidden Scoped Role Assignment Through HiddenMembership AU
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+
+## Description
+
+
+Creates an [Administrative Unit (AU)](https://learn.microsoft.com/en-us/graph/api/resources/administrativeunit?view=graph-rest-1.0) with hidden membership, and a scoped role assignment over this AU.
+This simulates an attacker that TODO.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create the target (victim) Entra ID user
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Create an administrative unit with hidden membership
+- Create a backdoor Entra ID user
+- Add the target (victim) user to the administrative unit
+- Assign the backdoor user with Privileged Administration Administrator rights over the administrative unit
+
+This simulates an attacker that indirectly persists their access. 
+The backdoor user can now perform privileged operations over any user in the administrative unit, which can be used to escalate privileges or maintain access, for instance by resetting the target user's password.
+
+References:
+
+- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units
+
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.hidden-au
+```
+## Detection
+
+
+Using [Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs) with the specific activity types:
+
+For <code>Service: Core Directory</code> and <code>Category: AdministrativeUnit</code>:
+
+- <code>Add administrative unit</code>
+- <code>Add member to administrative unit</code>
+
+For <code>Service: Core Directory</code> and <code>Category: RoleManagement</code>:
+
+- <code>Add scoped member to role</code>
+
+

docs/attack-techniques/entra-id/entra-id.persistence.new-application.md

@@ -0,0 +1,52 @@
+---
+title: Create Application
+---
+
+# Create Application
+
+
+
+
+Platform: Entra ID
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+- Privilege Escalation
+
+## Description
+
+
+Creates a new Entra ID application to backdoor the tenant.
+
+<span style="font-variant: small-caps;">Warm-up</span>: None
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Create a new Entra ID application
+- Create a password credential for the application
+- Create a service principal for the application
+- Assign the Global Administrator role to the application
+- Print the command to retrieve a Graph API access token
+
+References:
+
+- https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/
+- https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate entra-id.persistence.new-application
+```
+## Detection
+
+
+Using [Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs) with the specific activity types:
+
+- <code>Add application</code>
+- <code>Update application – Certificates and secrets management</code>
+- <code>Add member to role</code>
+
+