Azure AD Health Monitoring Agent Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
Sigma rule (View on GitHub)
1title: Azure AD Health Monitoring Agent Registry Keys Access
2id: ff151c33-45fa-475d-af4f-c2f93571f4fe
3status: test
4description: |
5 This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
6 This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
7references:
8 - https://o365blog.com/post/hybridhealthagent/
9 - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml
10author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
11date: 2021-08-26
12modified: 2022-10-09
13tags:
14 - attack.discovery
15 - attack.t1012
16logsource:
17 product: windows
18 service: security
19detection:
20 selection:
21 EventID:
22 - 4656
23 - 4663
24 ObjectType: 'Key'
25 ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent'
26 filter:
27 ProcessName|contains:
28 - 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'
29 - 'Microsoft.Identity.Health.Adfs.InsightsService.exe'
30 - 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'
31 - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
32 - 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
33 condition: selection and not filter
34falsepositives:
35 - Unknown
36level: medium
References
Related rules
- Azure AD Health Service Agents Registry Keys Access
- Operation Wocao Activity
- Operation Wocao Activity - Security
- Potential Baby Shark Malware Activity
- Potential Configuration And Service Reconnaissance Via Reg.EXE