Merge pull request #635 from siigil/katie.knowles/au-todo-update

Update AU Documentation
DataDog · Feb 19, 2025 · 72c14e0 · 72c14e0
2 parents da1a353 + 8b735b3
commit 72c14e0
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 6 deletions.
diff --git a/docs/attack-techniques/entra-id/entra-id.persistence.hidden-au.md b/docs/attack-techniques/entra-id/entra-id.persistence.hidden-au.md
@@ -17,8 +17,7 @@ Platform: Entra ID
 ## Description
 
 
-Creates an [Administrative Unit (AU)](https://learn.microsoft.com/en-us/graph/api/resources/administrativeunit?view=graph-rest-1.0) with hidden membership, and a scoped role assignment over this AU.
-This simulates an attacker that TODO.
+Creates an [Administrative Unit (AU)](https://learn.microsoft.com/en-us/graph/api/resources/administrativeunit?view=graph-rest-1.0) with hidden membership, and a scoped role assignment over this AU. This simulates an attacker attempting to conceal the scope of a scoped role assignment using hidden AU membership.
 
 <span style="font-variant: small-caps;">Warm-up</span>:
 

diff --git a/docs/attack-techniques/entra-id/entra-id.persistence.restricted-au.md b/docs/attack-techniques/entra-id/entra-id.persistence.restricted-au.md
@@ -17,7 +17,7 @@ Platform: Entra ID
 ## Description
 
 
-Creates a [restricted management Administrative Unit (AU)](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management), and place a backdoor account in it to simulate a protected attacker-controlled user.
+Creates a [restricted management Administrative Unit (AU)](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management), and places a backdoor account in it to simulate a protected attacker-controlled user.
 
 <span style="font-variant: small-caps;">Warm-up</span>:
 

diff --git a/v2/internal/attacktechniques/entra-id/persistence/hidden-au/main.go b/v2/internal/attacktechniques/entra-id/persistence/hidden-au/main.go
@@ -21,8 +21,7 @@ func init() {
 		ID:           "entra-id.persistence.hidden-au",
 		FriendlyName: "Create Hidden Scoped Role Assignment Through HiddenMembership AU",
 		Description: `
-Creates an [Administrative Unit (AU)](https://learn.microsoft.com/en-us/graph/api/resources/administrativeunit?view=graph-rest-1.0) with hidden membership, and a scoped role assignment over this AU.
-This simulates an attacker that TODO.
+Creates an [Administrative Unit (AU)](https://learn.microsoft.com/en-us/graph/api/resources/administrativeunit?view=graph-rest-1.0) with hidden membership, and a scoped role assignment over this AU. This simulates an attacker attempting to conceal the scope of a scoped role assignment using hidden AU membership.
 
 Warm-up:
 

diff --git a/v2/internal/attacktechniques/entra-id/persistence/restricted-au/main.go b/v2/internal/attacktechniques/entra-id/persistence/restricted-au/main.go
@@ -21,7 +21,7 @@ func init() {
 		ID:           "entra-id.persistence.restricted-au",
 		FriendlyName: "Create Sticky Backdoor User Through Restricted Management AU",
 		Description: `
-Creates a [restricted management Administrative Unit (AU)](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management), and place a backdoor account in it to simulate a protected attacker-controlled user.
+Creates a [restricted management Administrative Unit (AU)](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management), and places a backdoor account in it to simulate a protected attacker-controlled user.
 
 Warm-up: