LoFP / legitimate AD FS servers added to an AAD Health AD FS service instance

Techniques

Sample rules

Azure Active Directory Hybrid Health AD FS New Server

Description

This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid Health AD FS service. A threat actor can create a new AD Health AD FS service and register a fake server instance in it to spoof AD FS signing logs, without compromising any on-premises AD FS server; this can be done programmatically via HTTP requests to Azure.

Detection logic

condition: selection
selection:
  CategoryValue: Administrative
  OperationNameValue: Microsoft.ADHybridHealthService/services/servicemembers/action
  ResourceId|contains: AdFederationService
  ResourceProviderValue: Microsoft.ADHybridHealthService
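As an added example (not part of this page or of the rule's project), the Python helper below applies the selection above to AzureActivity-style records, reproducing Sigma's default case-insensitive string matching. The field names are taken from the rule; the records and their ResourceId values are constructed here, and the one that matches is the legitimate server registration this page lists as a false positive.

```python
"""Apply the Sigma selection above to AzureActivity-style records.

Field names come from the rule; the sample records are constructed and are
not real tenant data. Sigma compares strings case-insensitively by default,
which matches_selection() reproduces.
"""
from typing import Iterable

# Exact-match fields of the rule's selection.
SELECTION_EQUALS = {
    "CategoryValue": "Administrative",
    "OperationNameValue": "Microsoft.ADHybridHealthService/services/servicemembers/action",
    "ResourceProviderValue": "Microsoft.ADHybridHealthService",
}
# The rule's single |contains modifier.
SELECTION_CONTAINS = {"ResourceId": "AdFederationService"}


def matches_selection(record: dict) -> bool:
    """True when every field in the selection matches (fields are ANDed)."""
    for field, expected in SELECTION_EQUALS.items():
        if str(record.get(field, "")).lower() != expected.lower():
            return False
    for field, needle in SELECTION_CONTAINS.items():
        if needle.lower() not in str(record.get(field, "")).lower():
            return False
    return True


def find_new_adfs_servers(records: Iterable[dict]) -> list[dict]:
    """Reduce a batch of AzureActivity records to the rule's hits."""
    return [r for r in records if matches_selection(r)]


# Constructed sample records (hostnames and resource paths are made up).
SAMPLE_RECORDS = [
    {   # legitimate on-prem AD FS server registered with the health service: a rule hit
        "CategoryValue": "Administrative",
        "OperationNameValue": "Microsoft.ADHybridHealthService/services/servicemembers/action",
        "ResourceId": "/providers/Microsoft.ADHybridHealthService/services/AdFederationService-contoso.example",
        "ResourceProviderValue": "Microsoft.ADHybridHealthService",
    },
    {   # same operation, but the ResourceId is not an AD FS service: no hit
        "CategoryValue": "Administrative",
        "OperationNameValue": "Microsoft.ADHybridHealthService/services/servicemembers/action",
        "ResourceId": "/providers/Microsoft.ADHybridHealthService/services/SyncService-contoso.example",
        "ResourceProviderValue": "Microsoft.ADHybridHealthService",
    },
]

if __name__ == "__main__":
    for hit in find_new_adfs_servers(SAMPLE_RECORDS):
        print("rule hit:", hit["ResourceId"])
```

Triage of a hit then comes down to confirming that the registered server is a known AD FS host, which is exactly the legitimate case this LoFP entry describes.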