Blue Team

CRTH04 Attacking Azure Active Directory Under-The-Radar

11/16/2023

9:30am - 10:45am

Level: Intermediate to Advanced

Nestori Syynimaa

Senior Principal Security Researcher

Secureworks

Many companies have moved their workloads to the cloud in the last few years. Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management solution protecting Microsoft Azure, Microsoft 365 services, and thousands of third-party services. Of Fortune 500 companies, 88 per cent have adopted Azure AD. The high adoption rate makes Azure AD a tempting target for threat actors.

From the detection and response point of view, one disadvantage of cloud services is that not all logs are available to customers. In Azure AD, detection and response are mainly based on information available at audit and sign-in logs. On the other hand, a clear advantage of cloud services is that administrators cannot tamper with these logs. This helps organizations preserve the audit trail required by many regulations and laws.

But can sign-in and audit logs be trusted? Is the available information correct? Are all actions logged properly? The short answer is no, not really.

This talk will cover techniques rogue administrators can use to spoof sign-in log, make modifications not logged in the audit log, and perform undetected denial-of-service and arbitrary code execution attacks. Finally, we will cover how to detect and protect against these attacks (where applicable).

You will learn:

  • Understand various methods to attack Azure AD under-the-radar
  • How to detect these attacks (where applicable)
  • How to protect against these attacks (where applicable)