Detectionmediumtest
Azure AD Health Monitoring Agent Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTICCreated Thu Aug 26Updated Sun Oct 09ff151c33-45fa-475d-af4f-c2f93571f4fewindows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic2 selectors
detection:
selection:
EventID:
- 4656
- 4663
ObjectType: 'Key'
ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent'
filter:
ProcessName|contains:
- 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'
- 'Microsoft.Identity.Health.Adfs.InsightsService.exe'
- 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'
- 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
- 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
condition: selection and not filterFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
ff151c33-45fa-475d-af4f-c2f93571f4fe
Status
test
Level
medium
Type
Detection
Created
Thu Aug 26
Modified
Sun Oct 09
Path
rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml
Raw Tags
attack.discoveryattack.t1012