mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 01:45:21 +00:00
38 lines
1.7 KiB
YAML
38 lines
1.7 KiB
YAML
title: Azure AD Health Service Agents Registry Keys Access
|
|
id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8
|
|
description: |
|
|
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
|
|
Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
|
|
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
|
|
Make sure you set the SACL to propagate to its sub-keys.
|
|
status: experimental
|
|
date: 2021/08/26
|
|
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1012
|
|
references:
|
|
- https://o365blog.com/post/hybridhealthagent/
|
|
- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
detection:
|
|
selection:
|
|
EventID:
|
|
- 4656
|
|
- 4663
|
|
ObjectType: 'Key'
|
|
ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent'
|
|
filter:
|
|
ProcessName|contains:
|
|
- 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'
|
|
- 'Microsoft.Identity.Health.Adfs.InsightsService.exe'
|
|
- 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'
|
|
- 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
|
|
- 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
|
|
condition: selection and not filter
|
|
falsepositives:
|
|
- Unknown
|
|
level: medium
|