Azure AD Health Monitoring Agent Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
Sigma rule (View on GitHub)
1title: Azure AD Health Monitoring Agent Registry Keys Access
2id: ff151c33-45fa-475d-af4f-c2f93571f4fe
3status: test
4description: |
5 This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
6 This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
7references:
8 - https://o365blog.com/post/hybridhealthagent/
9 - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml
10author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
11date: 2021-08-26
12modified: 2022-10-09
13tags:
14 - attack.discovery
15 - attack.t1012
16logsource:
17 product: windows
18 service: security
19detection:
20 selection:
21 EventID:
22 - 4656
23 - 4663
24 ObjectType: 'Key'
25 ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent'
26 filter:
27 ProcessName|contains:
28 - 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'
29 - 'Microsoft.Identity.Health.Adfs.InsightsService.exe'
30 - 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'
31 - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
32 - 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
33 condition: selection and not filter
34falsepositives:
35 - Unknown
36level: medium
References
-
Azure AD Connect Health is a feature that allows viewing the health of on-prem hybrid infrastructure components, including Azure AD Connect and AD FS servers. Health information is gathered by agents installed on each on-prem hybrid server. Since March 2021, also AD FS sign-in events are gathered and sent to Azure AD. In this write-up (based on a Threat Analysis report by Secureworks), I’ll explain how anyone with a local administrator access to AD FS server (or proxy), can create arbitrary sign-ins events to Azure AD sign-ins log. Moreover, I’ll show how Global Administrators can register fake agents to Azure AD - even for tenants not using AD FS at all.
Read More -
Useful access control entries (ACE) on system access control list (SACL) of securable objects to find potential adversarial activity - OTRF/Set-AuditRule
Read More
Related rules
- Azure AD Health Service Agents Registry Keys Access
- HackTool - PCHunter Execution
- Operation Wocao Activity
- Operation Wocao Activity - Security
- Potential Baby Shark Malware Activity