In late May 2021, Secureworks® Counter Threat Unit™ (CTU) researchers investigated the protocol that the Azure Active Directory (AD) Connect Health agent for AD Federation Services (AD FS) uses to send AD FS sign-in events to Azure AD. This research revealed a flaw in the protocol that could be exploited by a threat actor who has local administrator access to the AD FS server. If the threat actor can extract the credentials that the agent uses to authenticate to Azure AD, they could tamper with Azure AD sign-ins log events or pollute the sign-in log with fake sign-in events to hide unauthorized authentication events.

CTU™ researchers reported the flaw to Microsoft on May 31. Microsoft confirmed the behavior on June 16 and released a "fix" on July 7. CTU researchers verified that the change addressed the issue.

The Azure AD Connect Health agent allows configuration and health information from on-premises AD FS servers to be monitored centrally in Azure AD. Since March 2021, the Azure AD Connect Health agent also sends AD FS sign-in and sign-out events to Azure AD. The agent collects the sign-in events from the Windows Security log on the AD FS server, sends them to Azure Blob storage, and sends a notification using Azure Service Bus. Within Azure AD, the sign-in events are stored in the ADFSSignInLogs log. This log cannot be viewed directly from the Azure portal and requires an Azure subscription to be viewed in Log Analytics.

In Azure AD, there are distinct logs for different types of sign-ins. However, the AD FS sign-in events are included in the standard Azure AD sign-ins log alongside sign-in events not sourced from AD FS. After compromising an AD FS server, attackers could spoof the sign-ins log with fake sign-in events. For example, a threat actor could hide unauthorized activity within a flood of spoofed log events. This behavior represents abuse of legitimate functionality, not a vulnerability in the platform.
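Because spoofed records injected through the agent's credentials exist only in the cloud copy of the log, a defender can reconcile the Azure AD-side AD FS sign-in records against the AD FS server's own audit records and alert on volume bursts. The following is an added example (not Secureworks/CTU code or the agent's protocol); the record shape with `ts`, `upn`, `ip` and `result` fields is a constructed simplification, not the real ADFSSignInLogs or Windows Security log schema.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample data. Field names are simplified assumptions, not the
# real ADFSSignInLogs or Windows Security log schema.
CLOUD_EVENTS = [  # what Azure AD holds (constructed Log Analytics export)
    {"ts": "2021-07-01T10:00:05Z", "upn": "alice@example.com", "ip": "203.0.113.10", "result": 0},
    {"ts": "2021-07-01T10:00:07Z", "upn": "bob@example.com", "ip": "203.0.113.11", "result": 0},
] + [  # constructed burst of 30 records that exist only in the cloud copy
    {"ts": f"2021-07-01T10:01:{i:02d}Z", "upn": f"user{i}@example.com", "ip": "198.51.100.5", "result": 0}
    for i in range(30)
]
ONPREM_EVENTS = [  # what the AD FS server's own audit log recorded (constructed)
    {"ts": "2021-07-01T10:00:03Z", "upn": "alice@example.com", "ip": "203.0.113.10", "result": 0},
    {"ts": "2021-07-01T10:00:06Z", "upn": "bob@example.com", "ip": "203.0.113.11", "result": 0},
]

def orphaned_cloud_events(cloud, onprem, tolerance_s=60):
    """Cloud-side records with no on-prem record for the same user and IP
    within tolerance_s seconds; these are candidates for injected events."""
    onprem_times = {}
    for e in onprem:
        onprem_times.setdefault((e["upn"], e["ip"]), []).append(parse_ts(e["ts"]))
    tol = timedelta(seconds=tolerance_s)
    orphans = []
    for e in cloud:
        t = parse_ts(e["ts"])
        matches = onprem_times.get((e["upn"], e["ip"]), [])
        if not any(abs(t - m) <= tol for m in matches):
            orphans.append(e)
    return orphans

def burst_windows(events, window_s=60, threshold=20):
    """(window_start, count) for fixed-size windows whose count exceeds threshold,
    a simple signal for a flood of sign-in records."""
    counts = {}
    for e in events:
        bucket = int(parse_ts(e["ts"]).timestamp()) // window_s * window_s
        counts[bucket] = counts.get(bucket, 0) + 1
    return [(datetime.fromtimestamp(b, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"), n)
            for b, n in sorted(counts.items()) if n > threshold]

if __name__ == "__main__":
    print(f"orphaned cloud records: {len(orphaned_cloud_events(CLOUD_EVENTS, ONPREM_EVENTS))}")
    print(f"burst windows: {burst_windows(CLOUD_EVENTS)}")
```

Since the threat actor in this scenario already has local administrator access to the AD FS server, the on-prem copy used for reconciliation should itself be forwarded to a collector the AD FS server cannot rewrite.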