Azure Active Directory Hybrid Health AD FS Service Delete

calendar Oct 12, 2023 · attack.defense_evasion attack.t1578.003  ·
Share on: linkedin copy

This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.

Sigma rule (View on GitHub)

 1title: Azure Active Directory Hybrid Health AD FS Service Delete
 2id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
 3status: test
 4description: |
 5    This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
 6    A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
 7    The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.    
 8references:
 9    - https://o365blog.com/post/hybridhealthagent/
10author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
11date: 2021/08/26
12modified: 2023/10/11
13tags:
14    - attack.defense_evasion
15    - attack.t1578.003
16logsource:
17    product: azure
18    service: activitylogs
19detection:
20    selection:
21        CategoryValue: 'Administrative'
22        ResourceProviderValue: 'Microsoft.ADHybridHealthService'
23        ResourceId|contains: 'AdFederationService'
24        OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
25    condition: selection
26falsepositives:
27    - Legitimate AAD Health AD FS service instances being deleted in a tenant
28level: medium

References

  • Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent

    Azure AD Connect Health is a feature that allows viewing the health of on-prem hybrid infrastructure components, including Azure AD Connect and AD FS servers. Health information is gathered by agents installed on each on-prem hybrid server. Since March 2021, also AD FS sign-in events are gathered and sent to Azure AD. In this write-up (based on a Threat Analysis report by Secureworks), I’ll explain how anyone with a local administrator access to AD FS server (or proxy), can create arbitrary sign-ins events to Azure AD sign-ins log. Moreover, I’ll show how Global Administrators can register fake agents to Azure AD - even for tenants not using AD FS at all.


    Read More

Related rules

to-top