Detection rules › Kusto Query Language

Microsoft Entra ID Health Service Agents Registry Keys Access

Author: Microsoft Security Research
Source: upstream

'This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Microsoft Entra ID Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml '

MITRE ATT&CK coverage

Tactic	Techniques
Collection	`T1005` Data from Local System

Event coverage

Provider	Event ID	Title
Security-Auditing	4656	A handle to an object was requested.
Security-Auditing	4663	An attempt was made to access an object.

Stages and Predicates

Stage 1: `source`

<union>

Stage 2: `union`

union of 4 branches

Microsoft Entra ID Health Service Agents Registry Keys Access

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: `source`

Stage 2: `union`

Stage 3: `extend`

Stage 4: `extend`

Stage 5: `extend`

Keyboard Shortcuts

Microsoft Entra ID Health Service Agents Registry Keys Access

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: union

Stage 3: extend

Stage 4: extend

Stage 5: extend

Stage 1: `source`

Stage 2: `union`

Stage 3: `extend`

Stage 4: `extend`

Stage 5: `extend`