Type: Detection | Level: medium | Status: test
Azure Active Directory Hybrid Health AD FS New Server
This detection uses Azure Activity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid Health AD FS service. A threat actor can create a new Azure AD Hybrid Health AD FS service and register a fake server instance in it to spoof AD FS signing logs; no on-premises AD FS server needs to be compromised, since this can be done programmatically via HTTP requests to Azure.
Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
Created: Thu Aug 26
Updated: Wed Oct 11
Rule ID: 288a39fc-4914-4831-9ada-270e9dc12cb4
Category: cloud
Log Source
Azure activity logs
Product: Azure (raw: azure)
Service: activity logs (raw: activitylogs)
Detection Logic (1 selector)
detection:
  selection:
    CategoryValue: 'Administrative'
    ResourceProviderValue: 'Microsoft.ADHybridHealthService'
    ResourceId|contains: 'AdFederationService'
    OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
  condition: selection
False Positives
Legitimate AD FS servers added to an AAD Health AD FS service instance
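The selection above, evaluated with Sigma map semantics (every field must match, `|contains` is a substring test, matching is case-insensitive) over a few constructed AzureActivity records. This is an added example, not code from the Sigma project or the rule author; the record shape and the ResourceId values are assumptions.

```python
# Transcribed from the YAML above; "|contains" is a Sigma modifier, other
# keys are exact matches, and Sigma string matching is case-insensitive.
SELECTION = {
    "CategoryValue": "Administrative",
    "ResourceProviderValue": "Microsoft.ADHybridHealthService",
    "ResourceId|contains": "AdFederationService",
    "OperationNameValue": "Microsoft.ADHybridHealthService/services/servicemembers/action",
}

def field_matches(record, key, expected):
    """Apply one Sigma field test; an absent field never matches."""
    field, _, modifier = key.partition("|")
    actual = str(record.get(field, "")).lower()
    if modifier == "contains":
        return expected.lower() in actual
    if modifier == "":
        return actual == expected.lower()
    raise ValueError(f"unsupported Sigma modifier: {modifier}")

def matches_selection(record, selection=SELECTION):
    """All fields of a Sigma selection map must match (logical AND)."""
    return all(field_matches(record, k, v) for k, v in selection.items())

# Constructed rows shaped like the Log Analytics AzureActivity table; the
# ResourceId values are placeholders, not real services or tenants.
SAMPLE_EVENTS = [
    {   # server instance written to an AD FS Hybrid Health service: alert
        "CategoryValue": "Administrative",
        "ResourceProviderValue": "Microsoft.ADHybridHealthService",
        "ResourceId": "/providers/Microsoft.ADHybridHealthService/services/AdFederationService-example.test/servicemembers",
        "OperationNameValue": "Microsoft.ADHybridHealthService/services/servicemembers/action",
    },
    {   # same provider and operation, but an AAD Connect sync service: no alert
        "CategoryValue": "Administrative",
        "ResourceProviderValue": "Microsoft.ADHybridHealthService",
        "ResourceId": "/providers/Microsoft.ADHybridHealthService/services/AadSyncService-example.test/servicemembers",
        "OperationNameValue": "Microsoft.ADHybridHealthService/services/servicemembers/action",
    },
    {   # same AD FS service, but a read rather than a write: no alert
        "CategoryValue": "Administrative",
        "ResourceProviderValue": "Microsoft.ADHybridHealthService",
        "ResourceId": "/providers/Microsoft.ADHybridHealthService/services/AdFederationService-example.test/servicemembers",
        "OperationNameValue": "Microsoft.ADHybridHealthService/services/servicemembers/read",
    },
]

def find_hits(events=SAMPLE_EVENTS):
    """Return the ResourceIds of events that satisfy the rule's selection."""
    return [e["ResourceId"] for e in events if matches_selection(e)]
```

Only the first record fires; the second shows why the `ResourceId|contains` clause is needed to separate AD FS services from other Hybrid Health service types under the same provider.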
References
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID
288a39fc-4914-4831-9ada-270e9dc12cb4
Status
test
Level
medium
Type
Detection
Created
Thu Aug 26
Modified
Wed Oct 11
Path
rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml
Raw Tags
attack.defense-evasion, attack.t1578