EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Azure AD Health Monitoring Agent Registry Keys Access

This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.

MITRE ATT&CK

T1012
discovery

Detection Query

selection:
  EventID:
    - 4656
    - 4663
  ObjectType: Key
  ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft
    Online\Reporting\MonitoringAgent
filter:
  ProcessName|contains:
    - Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe
    - Microsoft.Identity.Health.Adfs.InsightsService.exe
    - Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe
    - Microsoft.Identity.Health.Adfs.PshSurrogate.exe
    - Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe
condition: selection and not filter

Author

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC

Created

2021-08-26

Data Sources

windowssecurity

Platforms

windows

References

Tags

attack.discoveryattack.t1012
Raw Content
title: Azure AD Health Monitoring Agent Registry Keys Access
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
status: test
description: |
    This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
    This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
references:
    - https://o365blog.com/post/hybridhealthagent/
    - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2022-10-09
tags:
    - attack.discovery
    - attack.t1012
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ObjectType: 'Key'
        ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent'
    filter:
        ProcessName|contains:
            - 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'
            - 'Microsoft.Identity.Health.Adfs.InsightsService.exe'
            - 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'
            - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
            - 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium