Adversaries may attempt to modify or access registry keys associated with Azure AD Health service agents to compromise or manipulate authentication services. SOC teams should proactively hunt for this behavior to detect potential tampering with critical identity infrastructure in Azure Sentinel.
Detection Rule
title: Azure AD Health Service Agents Registry Keys Access
id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8
status: test
description: |
    This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g. AD FS).
    Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
    This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
    Make sure you set the SACL to propagate to its sub-keys.
references:
    - https://o365blog.com/post/hybridhealthagent/
    - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2022-10-09
tags:
    - attack.discovery
    - attack.t1012
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ObjectType: 'Key'
        ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent'
    filter:
        ProcessName|contains:
            - 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'
            - 'Microsoft.Identity.Health.Adfs.InsightsService.exe'
            - 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'
            - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
            - 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
Azure Sentinel Query (KQL)
imRegistry
| where RegistryKey =~ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ADHealthAgent"
    and not(
        ActingProcessName contains "Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe"
        or ActingProcessName contains "Microsoft.Identity.Health.Adfs.InsightsService.exe"
        or ActingProcessName contains "Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe"
        or ActingProcessName contains "Microsoft.Identity.Health.Adfs.PshSurrogate.exe"
        or ActingProcessName contains "Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe"
    )
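The rule's "selection and not filter" logic, applied to a few constructed Windows Security events so its matching semantics can be checked offline. This is an added example, not code from the Sigma rule, the Sentinel query, or their authors; the process paths, user names and the `\Settings` sub-key are hypothetical.

```python
# Added example (not the Sigma rule's or the query's own code): evaluates the
# rule's 'selection and not filter' logic against constructed Security events.

ADHEALTH_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent"
EVENT_IDS = {4656, 4663}  # handle requested / object access attempted
# Agent binaries excluded by the rule's filter section.
AGENT_PROCESSES = (
    "Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe",
    "Microsoft.Identity.Health.Adfs.InsightsService.exe",
    "Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe",
    "Microsoft.Identity.Health.Adfs.PshSurrogate.exe",
    "Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe",
)

def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection and not filter'. Sigma string
    matching and KQL '=~' / 'contains' are case-insensitive, so all values are
    compared lower-cased."""
    selection = (
        event.get("EventID") in EVENT_IDS
        and str(event.get("ObjectType", "")).lower() == "key"
        and str(event.get("ObjectName", "")).lower() == ADHEALTH_KEY.lower()
    )
    if not selection:
        return False
    process = str(event.get("ProcessName", "")).lower()
    return not any(p.lower() in process for p in AGENT_PROCESSES)

def hunt(events):
    """Return the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]

# Constructed sample events (hypothetical paths and users, not real telemetry).
SAMPLE_EVENTS = [
    # Known agent binary reading its own key: suppressed by the filter.
    {"EventID": 4663, "ObjectType": "Key", "ObjectName": ADHEALTH_KEY, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Program Files\AADHealth\Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe"},
    # Interactive PowerShell opening the key: this is what the rule alerts on.
    {"EventID": 4656, "ObjectType": "Key", "ObjectName": ADHEALTH_KEY, "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Unrelated key: outside the selection.
    {"EventID": 4663, "ObjectType": "Key", "SubjectUserName": "jdoe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography", "ProcessName": r"C:\Windows\System32\reg.exe"},
    # Sub-key access: audited once the SACL propagates, but the exact ObjectName
    # match (and the query's '=~') does not cover it.
    {"EventID": 4663, "ObjectType": "Key", "ObjectName": ADHEALTH_KEY + r"\Settings",
     "SubjectUserName": "jdoe", "ProcessName": r"C:\Windows\System32\reg.exe"},
]
```

Running `hunt(SAMPLE_EVENTS)` returns only the PowerShell event; the sub-key case shows why a `startswith`/prefix match would be needed if sub-key access should also alert.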
False Positive Scenarios
Scenario: Scheduled Job Maintenance
Description: A system administrator runs a scheduled job to clean up old registry entries related to Azure AD Health service agents.
Filter/Exclusion: EventID=4103 (Registry Key Value Set) with User=Administrator and TaskName=Cleanup_AAD_Health_Regkeys
Scenario: Group Policy Update
Description: An IT admin updates Group Policy settings that affect Azure AD Health service agents, which may trigger registry access as part of the policy refresh.
Filter/Exclusion: EventID=4103 with User=Domain Admin and EventMessage contains "Group Policy"
Scenario: Azure AD Health Agent Self-Update
Description: The Azure AD Health service agent performs a self-update, which involves accessing and modifying its own registry keys.
Filter/Exclusion: EventID=4103 with User=NT AUTHORITY\SYSTEM and EventMessage contains "Health Agent Update"
Scenario: PowerShell Script for Monitoring
Description: A PowerShell script is used to monitor the status of Azure AD Health service agents, which may access registry keys during execution.
Filter/Exclusion: EventID=4103 with User=Service Account and EventMessage contains "PowerShell Script - AAD Health Monitoring"
Scenario: Security Software Scan
Description: A third-party security tool scans the registry for known malicious entries, and it accesses registry keys associated with Azure AD Health agents.
Filter/Exclusion: EventID=4103 with User=Security Software Service Account and EventMessage contains "Registry Scan"