{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/ad-fs/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory","AD FS"],"_cs_severities":["medium"],"_cs_tags":["cloud","azure","adfs","defense-impairment"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat involves the creation of a rogue AD FS service instance within the Azure AD Hybrid Health Service to spoof AD FS signing logs. The attacker leverages the Azure AD Hybrid Health Service to create a new AD FS service and adds a fake server instance. This method allows the attacker to manipulate AD FS logging information without needing to compromise an on-premises AD FS server. The attack can be performed programmatically through HTTP requests to Azure, making it scalable and difficult to trace back to traditional on-premises attack vectors. This technique is particularly concerning because it undermines the integrity of AD FS logs, a crucial component for security monitoring and incident response.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCompromise Azure Account:\u003c/strong\u003e The attacker gains access to an Azure account, potentially through stolen credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProvision Rogue AD Health Service:\u003c/strong\u003e The attacker programmatically provisions a new AD Health Service within the compromised Azure environment, specifically targeting AD FS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCreate Fake Server Instance:\u003c/strong\u003e Within the newly created AD Health Service, the attacker creates a fake server instance, mimicking a legitimate AD FS server. The \u003ccode\u003eResourceId\u003c/code\u003e will contain \u003ccode\u003eAdFederationService\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eManipulate Logs:\u003c/strong\u003e Using the fake server instance, the attacker injects or alters AD FS signing logs, creating a false narrative of user authentication events.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpersonate Users/Bypass Authentication:\u003c/strong\u003e The attacker uses the manipulated logs to impersonate legitimate users or bypass authentication controls in applications relying on AD FS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Privilege Escalation:\u003c/strong\u003e Using the falsely acquired credentials or authentication tokens, the attacker moves laterally within the network, escalating privileges to access sensitive resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/System Compromise:\u003c/strong\u003e The attacker exfiltrates sensitive data or gains control over critical systems using the compromised accounts and manipulated logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to spoof AD FS signing logs, potentially leading to unauthorized access, data breaches, and system compromise. The compromised logs can be used to cover the attacker\u0026rsquo;s tracks, making detection and incident response more difficult. Organizations relying on Azure AD Hybrid Health for AD FS monitoring are at risk of having their security posture undermined. The number of potential victims is substantial, as many organizations use AD FS for authentication and rely on its logs for security monitoring.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure Active Directory Hybrid Health AD FS New Server\u003c/code\u003e to your SIEM to detect the creation of new AD FS server instances within the Azure AD Hybrid Health Service. Tune the rule for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Activity Logs for any unusual activity related to the \u003ccode\u003eMicrosoft.ADHybridHealthService\u003c/code\u003e resource provider and the \u003ccode\u003eMicrosoft.ADHybridHealthService/services/servicemembers/action\u003c/code\u003e operation, specifically the \u003ccode\u003eAdministrative\u003c/code\u003e category.\u003c/li\u003e\n\u003cli\u003eReview and validate all AD FS server instances registered within the Azure AD Hybrid Health Service to ensure their legitimacy.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure accounts to prevent unauthorized access and mitigate the risk of initial compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-23-azuread-adfs-spoofing/","summary":"A threat actor can create a new, rogue AD Health ADFS service within Azure and then create a fake server instance, which can be leveraged to spoof AD FS signing logs without compromising on-prem AD FS servers.","title":"Spoofing AD FS Signing Logs via Azure AD Hybrid Health Service","url":"https://feed.craftedsignal.io/briefs/2024-01-23-azuread-adfs-spoofing/"}],"language":"en","title":"CraftedSignal Threat Feed — AD FS","version":"https://jsonfeed.org/version/1.1"}