LoFP / legitimate aad health ad fs service instances being deleted in a tenant

Techniques

Sample rules

Azure Active Directory Hybrid Health AD FS Service Delete

Description

This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid Health AD FS service instance in a tenant. A threat actor can create a new AD Health AD FS service and a fake server to spoof AD FS signing logs. The Health AD FS service can then be deleted once it is no longer needed via HTTP requests to Azure.

Detection logic

condition: selection
selection:
  CategoryValue: Administrative
  OperationNameValue: Microsoft.ADHybridHealthService/services/delete
  ResourceId|contains: AdFederationService
  ResourceProviderValue: Microsoft.ADHybridHealthService
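The following is an added example, not code from the Sigma rule or from the LoFP site, showing how the selection above evaluates against AzureActivity records and how the legitimate false positive named in this entry (a planned AD FS decommission) can be separated from hits that still need review. The sample records are constructed, the subscription id is a placeholder, and the triage allowlist and the use of the Caller and CallerIpAddress columns for context are assumptions, not part of the rule.

```python
"""Evaluate the Sigma selection above against AzureActivity records.

Added example, not code from the Sigma rule or the LoFP site. The sample
records below are constructed; the triage allowlist and the Caller and
CallerIpAddress columns used for context are assumptions, not rule fields.
"""
import json

# Placeholder subscription id (constructed, not a real tenant).
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
SERVICES = f"/subscriptions/{SUBSCRIPTION}/providers/Microsoft.ADHybridHealthService/services"

# Constructed AzureActivity rows, serialized as JSON lines.
SAMPLE_AZUREACTIVITY = [
    # Planned decommission of an AD FS farm by the AD FS admin: rule fires.
    json.dumps({
        "TimeGenerated": "2024-01-15T02:10:31Z",
        "CategoryValue": "Administrative",
        "OperationNameValue": "Microsoft.ADHybridHealthService/services/delete",
        "ResourceProviderValue": "Microsoft.ADHybridHealthService",
        "ResourceId": f"{SERVICES}/AdFederationService-sts.contoso.example",
        "Caller": "adfs-admin@contoso.example",
        "CallerIpAddress": "203.0.113.10",
    }),
    # Same deletion by an unexpected caller: rule fires and should be reviewed.
    json.dumps({
        "TimeGenerated": "2024-01-15T03:42:07Z",
        "CategoryValue": "Administrative",
        "OperationNameValue": "Microsoft.ADHybridHealthService/services/delete",
        "ResourceProviderValue": "Microsoft.ADHybridHealthService",
        "ResourceId": f"{SERVICES}/AdFederationService-sts2.contoso.example",
        "Caller": "svc-unknown@contoso.example",
        "CallerIpAddress": "198.51.100.7",
    }),
    # Creation (write) of a Health AD FS service: not a delete, no match.
    json.dumps({
        "TimeGenerated": "2024-01-14T22:05:00Z",
        "CategoryValue": "Administrative",
        "OperationNameValue": "Microsoft.ADHybridHealthService/services/write",
        "ResourceProviderValue": "Microsoft.ADHybridHealthService",
        "ResourceId": f"{SERVICES}/AdFederationService-sts2.contoso.example",
        "Caller": "svc-unknown@contoso.example",
        "CallerIpAddress": "198.51.100.7",
    }),
    # Deletion of a different Hybrid Health service type: ResourceId filter excludes it.
    json.dumps({
        "TimeGenerated": "2024-01-15T04:00:12Z",
        "CategoryValue": "Administrative",
        "OperationNameValue": "Microsoft.ADHybridHealthService/services/delete",
        "ResourceProviderValue": "Microsoft.ADHybridHealthService",
        "ResourceId": f"{SERVICES}/AadSyncService-sync.contoso.example",
        "Caller": "adfs-admin@contoso.example",
        "CallerIpAddress": "203.0.113.10",
    }),
]

# The Sigma selection: every key in a selection map is AND-ed.
SELECTION = {
    "CategoryValue": "Administrative",
    "OperationNameValue": "Microsoft.ADHybridHealthService/services/delete",
    "ResourceProviderValue": "Microsoft.ADHybridHealthService",
}
RESOURCE_ID_SUBSTRING = "AdFederationService"  # the ResourceId|contains test


def matches_selection(record):
    """Return True when the record satisfies every field in the selection.

    Sigma compares strings case-insensitively by default, so both the exact
    matches and the |contains test are evaluated on lowercased values.
    """
    for field, expected in SELECTION.items():
        if str(record.get(field, "")).lower() != expected.lower():
            return False
    return RESOURCE_ID_SUBSTRING.lower() in str(record.get("ResourceId", "")).lower()


def run_detection(lines):
    """Parse JSON-line AzureActivity records and return those that fire the rule."""
    return [rec for rec in map(json.loads, lines) if matches_selection(rec)]


def triage(alerts, expected_callers):
    """Split rule hits into planned decommissions and hits needing review.

    A deletion performed by a caller known to be decommissioning an AD FS farm
    is the legitimate false positive this LoFP entry describes; every other hit
    keeps its alert. Keying the allowlist on Caller is an assumption about how
    a team records planned work.
    """
    review, expected = [], []
    for alert in alerts:
        (expected if alert.get("Caller") in expected_callers else review).append(alert)
    return review, expected


if __name__ == "__main__":
    hits = run_detection(SAMPLE_AZUREACTIVITY)
    needs_review, planned = triage(hits, {"adfs-admin@contoso.example"})
    for alert in needs_review:
        print("REVIEW ", alert["TimeGenerated"], alert["Caller"], alert["CallerIpAddress"], alert["ResourceId"])
    for alert in planned:
        print("PLANNED", alert["TimeGenerated"], alert["Caller"], alert["ResourceId"])
```

Only deletions whose ResourceId carries the AdFederationService segment fire; the write of the same service and the deletion of a sync-type Hybrid Health service do not. Pairing each hit with its caller and source address gives the analyst the context needed to confirm a planned decommission, which is what this false-positive entry is about.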