Azure Active Directory Hybrid Health AD FS Service Delete
This detection uses Azure Activity logs (Administrative category) to identify the deletion of an Azure AD Hybrid Health AD FS service instance in a tenant. A threat actor can register a new Hybrid Health AD FS service and stand up a fake server to spoof AD FS sign-in logs. The Hybrid Health AD FS service can then be deleted via HTTP requests to Azure once it is no longer needed, so the delete operation itself is the signal this rule looks for.
Sigma rule
title: Azure Active Directory Hybrid Health AD FS Service Delete
id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
status: test
description: |
    This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
    A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
    The health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure.
references:
    - https://o365blog.com/post/hybridhealthagent/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2023-10-11
tags:
    - attack.defense-impairment
    - attack.t1578.003
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        CategoryValue: 'Administrative'
        ResourceProviderValue: 'Microsoft.ADHybridHealthService'
        ResourceId|contains: 'AdFederationService'
        OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
    condition: selection
falsepositives:
    - Legitimate AAD Health AD FS service instances being deleted in a tenant
level: medium
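To show what the selection above actually matches, here is an added example (not the rule's own code and not from SigmaHQ) that applies the four selection entries, including the `|contains` modifier with Sigma's default case-insensitive matching, to constructed Azure Activity records. The ResourceId paths and the `services/write` operation name in the samples are placeholders I made up for contrast.

```python
# Added example (not the rule's or SigmaHQ's code): apply the selection above
# to constructed Azure Activity records. Field names are the rule's own.

# The rule's selection block, transcribed from the YAML above.
SELECTION = {
    "CategoryValue": "Administrative",
    "ResourceProviderValue": "Microsoft.ADHybridHealthService",
    "ResourceId|contains": "AdFederationService",
    "OperationNameValue": "Microsoft.ADHybridHealthService/services/delete",
}


def field_matches(record: dict, key: str, expected: str) -> bool:
    """Apply one selection entry. Sigma string matching is case-insensitive
    by default, and '|contains' is a substring test instead of equality."""
    field, _, modifier = key.partition("|")
    value = record.get(field)
    if value is None:
        return False
    value, expected = str(value).lower(), expected.lower()
    if modifier == "contains":
        return expected in value
    return value == expected


def matches_rule(record: dict) -> bool:
    """condition: selection -> every entry in the selection must match."""
    return all(field_matches(record, k, v) for k, v in SELECTION.items())


# Constructed sample events; the ResourceId paths are placeholders.
DELETE_ADFS = {
    "CategoryValue": "Administrative",
    "ResourceProviderValue": "Microsoft.ADHybridHealthService",
    "ResourceId": "/providers/Microsoft.ADHybridHealthService/services/AdFederationService-placeholder",
    "OperationNameValue": "Microsoft.ADHybridHealthService/services/delete",
}
# Same provider, but a different service type was deleted: the rule must not fire.
DELETE_OTHER = dict(DELETE_ADFS, ResourceId="/providers/Microsoft.ADHybridHealthService/services/OtherService-placeholder")
# AD FS service touched, but a write instead of a delete (constructed name): no alert.
WRITE_ADFS = dict(DELETE_ADFS, OperationNameValue="Microsoft.ADHybridHealthService/services/write")


def triage(records: list) -> list:
    """Return the records the rule would fire on, in input order."""
    return [r for r in records if matches_rule(r)]
```

Wiring this into a real pipeline means feeding it the AzureActivity rows from your workspace instead of the constructed dicts; the field names are the same ones the rule's logsource maps to.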