In late May 2021, Secureworks® Counter Threat Unit™ (CTU) researchers investigated the protocol that the Azure Active Directory (AD) Connect Health agent for AD Federation Services (AD FS) uses to send AD FS sign-in events to Azure AD. This research revealed a flaw in the protocol that could be exploited by a threat actor who has local administrator access to the AD FS server. If the threat actor can extract the credentials that the agent uses to authenticate to Azure AD, they could tamper with Azure AD sign-ins log events or pollute the sign-in log with fake sign-in events to hide unauthorized authentication events.

CTU™ researchers reported the flaw to Microsoft on May 31. Microsoft confirmed the behavior on June 16 and released a "fix" on July 7. CTU researchers verified that the change addressed the issue.

The Azure AD Connect Health agent allows configuration and health information from on-premises AD FS servers to be monitored centrally in Azure AD. Since March 2021, the Azure AD Connect Health agent also sends AD FS sign-in and sign-out events to Azure AD.