Azure AD Health Monitoring Agent Registry Keys Access

This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.

Sigma rule (View on GitHub)

 1title: Azure AD Health Monitoring Agent Registry Keys Access
 2id: ff151c33-45fa-475d-af4f-c2f93571f4fe
 3status: test
 4description: |
 5    This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
 6    This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.    
 7references:
 8    - https://o365blog.com/post/hybridhealthagent/
 9    - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml
10author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
11date: 2021/08/26
12modified: 2022/10/09
13tags:
14    - attack.discovery
15    - attack.t1012
16logsource:
17    product: windows
18    service: security
19detection:
20    selection:
21        EventID:
22            - 4656
23            - 4663
24        ObjectType: 'Key'
25        ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent'
26    filter:
27        ProcessName|contains:
28            - 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'
29            - 'Microsoft.Identity.Health.Adfs.InsightsService.exe'
30            - 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'
31            - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
32            - 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
33    condition: selection and not filter
34falsepositives:
35    - Unknown
36level: medium

References

Related rules

to-top