139 строки
6.2 KiB
YAML
139 строки
6.2 KiB
YAML
id: f819c592-c5f9-4d5c-a79f-1e6819863533
|
|
name: Microsoft Entra ID Health Monitoring Agent Registry Keys Access
|
|
description: |
|
|
'This detection uses Windows security events to detect suspicious access attempts to the registry key of Microsoft Entra ID Health monitoring agent.
|
|
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
|
|
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml
|
|
'
|
|
severity: Medium
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
- connectorId: WindowsSecurityEvents
|
|
dataTypes:
|
|
- SecurityEvents
|
|
- connectorId: WindowsForwardedEvents
|
|
dataTypes:
|
|
- WindowsEvent
|
|
queryFrequency: 1d
|
|
queryPeriod: 1d
|
|
triggerOperator: gt
|
|
triggerThreshold: 0
|
|
tactics:
|
|
- Collection
|
|
relevantTechniques:
|
|
- T1005
|
|
tags:
|
|
- SimuLand
|
|
query: |
|
|
// ADHealth Monitoring Agent Registry Key
|
|
let aadHealthMonAgentRegKey = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent";
|
|
// Filter out known processes
|
|
let aadConnectHealthProcs = dynamic ([
|
|
'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe',
|
|
'Microsoft.Identity.Health.Adfs.InsightsService.exe',
|
|
'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe',
|
|
'Microsoft.Identity.Health.Adfs.PshSurrogate.exe',
|
|
'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe',
|
|
'Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe',
|
|
'Microsoft.Identity.AadConnect.Health.AadSync.Host.exe',
|
|
'Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe',
|
|
'miiserver.exe'
|
|
]);
|
|
(union isfuzzy=true
|
|
(
|
|
SecurityEvent
|
|
| where EventID == '4656'
|
|
| where EventData has aadHealthMonAgentRegKey
|
|
| extend EventData = parse_xml(EventData).EventData.Data
|
|
| mv-expand bagexpansion=array EventData
|
|
| evaluate bag_unpack(EventData)
|
|
| extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
|
|
| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)
|
|
| extend ObjectName = column_ifexists("ObjectName", ""),
|
|
ObjectType = column_ifexists("ObjectType", "")
|
|
| where ObjectType == 'Key'
|
|
| where ObjectName == aadHealthMonAgentRegKey
|
|
| extend SubjectUserName = column_ifexists("SubjectUserName", ""),
|
|
SubjectDomainName = column_ifexists("SubjectDomainName", ""),
|
|
ProcessName = column_ifexists("ProcessName", "")
|
|
| extend Process = split(ProcessName, '\\', -1)[-1],
|
|
Account = strcat(SubjectDomainName, "\\", SubjectUserName)
|
|
| where Process !in (aadConnectHealthProcs)
|
|
| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName
|
|
),
|
|
(
|
|
WindowsEvent
|
|
| where EventID == '4656' and EventData has aadHealthMonAgentRegKey
|
|
| extend ObjectType = tostring(EventData.ObjectType)
|
|
| where ObjectType == 'Key'
|
|
| extend ObjectName = tostring(EventData.ObjectName)
|
|
| where ObjectName == aadHealthMonAgentRegKey
|
|
| extend ProcessName = tostring(EventData.ProcessName)
|
|
| extend Process = tostring(split(ProcessName, '\\')[-1])
|
|
| where Process !in (aadConnectHealthProcs)
|
|
| extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
|
|
| extend SubjectUserName = tostring(EventData.SubjectUserName)
|
|
| extend SubjectDomainName = tostring(EventData.SubjectDomainName)
|
|
| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName
|
|
),
|
|
(
|
|
SecurityEvent
|
|
| where EventID == '4663'
|
|
| where ObjectType == 'Key'
|
|
| where ObjectName == aadHealthMonAgentRegKey
|
|
| extend Process = tostring(split(ProcessName, '\\', -1)[-1])
|
|
| where Process !in (aadConnectHealthProcs)
|
|
| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName
|
|
),
|
|
(
|
|
WindowsEvent
|
|
| where EventID == '4663' and EventData has aadHealthMonAgentRegKey
|
|
| extend ObjectType = tostring(EventData.ObjectType)
|
|
| where ObjectType == 'Key'
|
|
| extend ObjectName = tostring(EventData.ObjectName)
|
|
| where ObjectName == aadHealthMonAgentRegKey
|
|
| extend ProcessName = tostring(EventData.ProcessName)
|
|
| extend Process = tostring(split(ProcessName, '\\')[-1])
|
|
| where Process !in (aadConnectHealthProcs)
|
|
| extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
|
|
| extend SubjectUserName = tostring(EventData.SubjectUserName)
|
|
| extend SubjectDomainName = tostring(EventData.SubjectDomainName)
|
|
| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName
|
|
)
|
|
)
|
|
// You can filter out potential machine accounts
|
|
//| where AccountType != 'Machine'
|
|
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
|
|
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
|
|
| extend Name = tostring(split(Account, "\\")[1]), NTDomain = tostring(split(Account, "\\")[0])
|
|
| project-away DomainIndex
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: Account
|
|
- identifier: Name
|
|
columnName: Name
|
|
- identifier: NTDomain
|
|
columnName: NTDomain
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: Computer
|
|
- identifier: HostName
|
|
columnName: HostName
|
|
- identifier: DnsDomain
|
|
columnName: HostNameDomain
|
|
version: 1.1.6
|
|
kind: Scheduled
|
|
metadata:
|
|
source:
|
|
kind: Community
|
|
author:
|
|
name: Microsoft Security Research
|
|
support:
|
|
tier: Community
|
|
categories:
|
|
domains: [ "Security - Others", "Identity" ] |