Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence | Datadog Security Labs
Tags
attack-pattern: Direct Credentials - T1589.001 Hybrid Identity - T1556.007 Sharepoint - T1213.002
Show in Graph
Common Information
Type Value
UUID ae8c2eae-689b-49cf-b50a-e86fb89057a9
Fingerprint b5339a9a58e6e2dd
Analysis status DONE
Considered CTI value 0
Text language
Published Sept. 16, 2024, midnight
Added to db Sept. 16, 2024, 4:27 p.m.
Last updated Nov. 6, 2024, 4:12 p.m.
Headline Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence
Title Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence | Datadog Security Labs
Detected Hints/Tags/Attributes 49/1/9
Source URLs
Redirection Url
Details Source https://securitylabs.datadoghq.com/articles/abusing-entra-id-administrative-units/
URL Provider
Details Provider Source level domain
Details datadoghq.com securitylabs.datadoghq.com
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 230 Datadog Security Labs https://securitylabs.datadoghq.com/rss/feed.xml 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 32 
graph.microsoft.com
Details Domain 27 
portal.azure.com
Details Domain 9 
datadoghq.com
Details Domain 2 
microsoft.directory
Details Domain 1 
administrativeunit.read
Details Domain 4 
directory.read
Details Email 9 
securitylabs@datadoghq.com
Details Url 1 
https://graph.microsoft.com/v1.0/directory/administrativeunits
Details Url 1 
https://portal.azure.com/#view