Adversaries may attempt to access or modify registry keys associated with the Azure AD Health Monitoring Agent to disable or manipulate the agent, which could support persistence or help them evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify tampering with critical monitoring components and prevent unauthorized system modifications.
Detection Rule
title: Azure AD Health Monitoring Agent Registry Keys Access
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
status: test
description: |
    This detection uses Windows security events to detect suspicious access attempts to the registry key of the Azure AD Health monitoring agent.
    This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
references:
    - https://o365blog.com/post/hybridhealthagent/
    - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2022-10-09
tags:
    - attack.discovery
    - attack.t1012
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ObjectType: 'Key'
        ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent'
    filter:
        ProcessName|contains:
            - 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'
            - 'Microsoft.Identity.Health.Adfs.InsightsService.exe'
            - 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'
            - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
            - 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
Azure Sentinel query (KQL, ASIM imRegistry):
imRegistry
| where RegistryKey =~ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent"
    and not (
        ActingProcessName contains "Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe"
        or ActingProcessName contains "Microsoft.Identity.Health.Adfs.InsightsService.exe"
        or ActingProcessName contains "Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe"
        or ActingProcessName contains "Microsoft.Identity.Health.Adfs.PshSurrogate.exe"
        or ActingProcessName contains "Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe"
    )
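The rule only fires if the monitored key carries a SACL entry and the Registry audit subcategory is enabled; neither is configured by default. The following is an added example (not code from the Sigma rule or the Set-AuditRule project) that provisions that prerequisite. The choice of identity (Everyone), the audited rights and the inheritance flags are assumptions; run it elevated on the server hosting the agent.

```powershell
# Added example: create the SACL entry the detection above depends on.
# Assumptions: elevated session; 'Everyone' as audited principal and the rights below
# are our choices, not values prescribed by the rule.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent'

# 1) Object Access > Registry auditing must be on, or a SACL ACE alone yields no 4656/4663.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2) Audit rule: success and failure for read/write/delete-style operations on the key,
#    inherited by subkeys (ContainerInherit) so the whole agent configuration is covered.
$Identity = New-Object System.Security.Principal.NTAccount('Everyone')
$Rights   = [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$Inherit  = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$Prop     = [System.Security.AccessControl.PropagationFlags]::None
$Audit    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$Rule     = New-Object System.Security.AccessControl.RegistryAuditRule($Identity, $Rights, $Inherit, $Prop, $Audit)

# 3) Read the descriptor including its SACL (-Audit), add the ACE, and write it back.
$Acl = Get-Acl -Path $KeyPath -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $KeyPath -AclObject $Acl

# 4) Verify the SACL now contains the entry; the Security log should then record
#    4656/4663 with ObjectName '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent'.
(Get-Acl -Path $KeyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, AuditFlags -AutoSize
```

Once events arrive, the rule's own filter list handles the agent's legitimate binaries; anything else touching the key is what you triage.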
Scenario: Scheduled Task for Azure AD Health Agent Maintenance
    Description: A legitimate scheduled task runs to update or maintain the Azure AD Health Monitoring Agent registry keys.
    Filter/Exclusion: Check for EventID=41 with TaskName containing "AzureADHealthAgent" or "MicrosoftAzureADHealth" to exclude routine maintenance.

Scenario: Admin Task to Configure Azure AD Agent Settings
    Description: An administrator manually modifies the registry settings for the Azure AD Health Monitoring Agent during routine configuration.
    Filter/Exclusion: Filter events where the SubjectUserName matches known admin accounts and EventID=41 with RegistryKey matching known agent configuration paths.

Scenario: PowerShell Script for Agent Configuration
    Description: A PowerShell script (e.g., Set-AzureADHealthAgentConfig) is used to configure the agent, which may access the registry.
    Filter/Exclusion: Filter events where the ProcessName is powershell.exe and the command line includes known agent configuration scripts or cmdlets.

Scenario: Group Policy Update Affecting Agent Settings
    Description: A Group Policy update modifies registry keys related to the Azure AD Health Monitoring Agent.
    Filter/Exclusion: Filter events where the EventID=41 is associated with a Group Policy update (EventID=41 with ProcessName containing "gpolusr.exe" or "gpupdate.exe").

Scenario: Third-Party Tool for System Monitoring
    Description: A third-party system monitoring tool (e.g., SolarWinds, Nagios) accesses the registry to check the status of the Azure AD Health Monitoring Agent.
    Filter/Exclusion: Filter events where the ProcessName matches known third-party monitoring tools or where the RegistryKey is known to be accessed by