fwd:cloudsec Europe 2024

Hidden in Plain Sight: (Ab)using Entra's AUs
09-17, 10:55–11:15 (Europe/Brussels), Main Room

Entra ID's Administrative Units (AUs) are great for defenders… and for attackers! AUs are a useful method for creating scoped Entra ID role assignments. However, this scoping also offers juicy new methods for anyone looking to persist quietly in an Azure tenant: obscure parameters can hide AU membership, and restrictions can prevent removal of malicious accounts. AUs are a globally enabled tenant feature. Are you prepared to keep an eye on them?

We'll start by reviewing Azure permissions, Entra ID role assignment, and the advantages AUs can provide. Then, we'll demonstrate scenarios where an attacker can leverage them for invisible, privileged tenant persistence. We'll conclude with detection, remediation, and reflections on these double-edged features of user administration. Emulation of these techniques will be available in Stratus Red Team alongside this talk.

Katie Knowles is a Security Researcher at Datadog, focused on Azure research. Through her past roles, Katie has had the chance to approach security as both an attacker and defender, from incident response and detection engineering to penetration testing. She holds Azure (AZ-104, AZ-500) and offensive security (OSCP, GPEN) certifications.