{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1578.003/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["attack.defense-impairment","attack.t1578.003","azure"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAn attacker can create a new AD Health ADFS service and a fake server to spoof AD FS signing logs. This involves adding a rogue AD FS service to Azure AD Hybrid Health. Once the attacker no longer requires the spoofed logs, they may delete the service to remove traces of their activity or to hinder investigations. This is achieved via HTTP requests to Azure, specifically targeting the deletion of the AD FS service instance. This activity is logged within Azure Activity Logs, providing an opportunity for detection. 
Defenders should monitor for unexpected deletions of AD FS service instances within their Azure AD environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an Azure tenant with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker provisions a new, rogue AD FS service within the Azure AD Hybrid Health Service.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a fake server or modifies an existing one to generate spoofed AD FS signing logs.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the spoofed logs to conduct malicious activity, potentially bypassing security controls.\u003c/li\u003e\n\u003cli\u003eOnce the malicious activity is complete, the attacker initiates the deletion of the rogue AD FS service.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to Azure to delete the service using the \u003ccode\u003eMicrosoft.ADHybridHealthService/services/delete\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eThe Azure Activity Logs record the deletion event with CategoryValue set to \u0026lsquo;Administrative\u0026rsquo; and ResourceProviderValue as \u0026lsquo;Microsoft.ADHybridHealthService\u0026rsquo;.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of the AD FS service instance can hinder forensic investigations and potentially mask malicious activity within the Azure AD environment. This can lead to delayed incident response and make it more difficult to identify the source and scope of the attack. 
The impact depends on the sophistication of the attacker and the extent to which they leveraged the spoofed logs for malicious purposes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the deletion of AD FS service instances in Azure AD Hybrid Health (Azure Activity Logs).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eMicrosoft.ADHybridHealthService/services/delete\u003c/code\u003e operations where the \u003ccode\u003eResourceId\u003c/code\u003e contains \u003ccode\u003eAdFederationService\u003c/code\u003e in the Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Activity Logs for unexpected or unauthorized modifications to AD FS service configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-03-azuread-adfs-delete/","summary":"Threat actors may delete Azure AD Hybrid Health AD FS service instances after using them to spoof AD FS signing logs for defense evasion.","title":"Azure AD Hybrid Health AD FS Service Deletion for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azuread-adfs-delete/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1578.003","version":"https://jsonfeed.org/version/1.1"}
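The detection the brief describes, run over Azure Activity Log records, as an added example that is not part of the feed brief or of the Sigma rule it refers to. It applies the four-field match (CategoryValue, ResourceProviderValue, the services/delete operation, and a ResourceId containing AdFederationService, matched case-insensitively as a Sigma `contains` would) and then correlates each hit with a recent creation of the same resource, because a service that is created and deleted within hours is the provision-then-delete pattern of the attack chain rather than a planned decommission. The field names follow the AzureActivity table schema; the sample log lines are constructed, and the `Microsoft.ADHybridHealthService/services/write` operation name used for the creation event is an assumption based on ARM naming, not something the brief states.

```python
"""Detect deletion of Azure AD Hybrid Health AD FS service instances in
Azure Activity Log records and correlate each deletion with a recent
creation of the same resource (provision-then-delete pattern).

Example code, not from the brief or its Sigma rule. The sample records
are constructed; the services/write operation name is an assumption.
"""
import json
from datetime import datetime, timedelta

# Match criteria from the brief. Sigma 'contains' is case-insensitive,
# so the ResourceId marker is compared in lower case.
CATEGORY = "Administrative"
PROVIDER = "Microsoft.ADHybridHealthService"
DELETE_OP = "Microsoft.ADHybridHealthService/services/delete"
WRITE_OP = "Microsoft.ADHybridHealthService/services/write"  # assumed name
RESOURCE_MARKER = "adfederationservice"

# Constructed sample Azure Activity Log export (JSON lines). Record 1 creates
# an AD FS service, record 2 deletes it a few hours later (rogue pattern),
# record 3 deletes a non-AD FS service, record 4 deletes a long-lived AD FS
# service (no matching create), record 5 is a VM deletion from another provider.
SAMPLE_LOG = """\
{"TimeGenerated": "2024-01-03T09:00:12Z", "CategoryValue": "Administrative", "ResourceProviderValue": "Microsoft.ADHybridHealthService", "OperationNameValue": "Microsoft.ADHybridHealthService/services/write", "ResourceId": "/providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.contoso.com", "Caller": "attacker@contoso.com", "CallerIpAddress": "203.0.113.10", "ActivityStatusValue": "Success"}
{"TimeGenerated": "2024-01-03T13:45:31Z", "CategoryValue": "Administrative", "ResourceProviderValue": "Microsoft.ADHybridHealthService", "OperationNameValue": "Microsoft.ADHybridHealthService/services/delete", "ResourceId": "/providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.contoso.com", "Caller": "attacker@contoso.com", "CallerIpAddress": "203.0.113.10", "ActivityStatusValue": "Success"}
{"TimeGenerated": "2024-01-03T14:02:00Z", "CategoryValue": "Administrative", "ResourceProviderValue": "Microsoft.ADHybridHealthService", "OperationNameValue": "Microsoft.ADHybridHealthService/services/delete", "ResourceId": "/providers/Microsoft.ADHybridHealthService/services/AadSyncService-contoso.onmicrosoft.com", "Caller": "admin@contoso.com", "CallerIpAddress": "198.51.100.7", "ActivityStatusValue": "Success"}
{"TimeGenerated": "2024-01-03T15:10:45Z", "CategoryValue": "Administrative", "ResourceProviderValue": "Microsoft.ADHybridHealthService", "OperationNameValue": "Microsoft.ADHybridHealthService/services/delete", "ResourceId": "/providers/Microsoft.ADHybridHealthService/services/ADFEDERATIONSERVICE-legacy.contoso.com", "Caller": "admin@contoso.com", "CallerIpAddress": "198.51.100.7", "ActivityStatusValue": "Success"}
{"TimeGenerated": "2024-01-03T15:11:00Z", "CategoryValue": "Administrative", "ResourceProviderValue": "Microsoft.Compute", "OperationNameValue": "Microsoft.Compute/virtualMachines/delete", "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-adfs/providers/Microsoft.Compute/virtualMachines/adfs01", "Caller": "admin@contoso.com", "CallerIpAddress": "198.51.100.7", "ActivityStatusValue": "Success"}
"""


def parse_records(log_text):
    """Parse a JSON-lines Activity Log export; attach a parsed timestamp."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_time"] = datetime.strptime(rec["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def is_adfs_service_delete(rec):
    """The brief's detection: Administrative deletion of an AD FS service instance."""
    return (
        rec.get("CategoryValue") == CATEGORY
        and rec.get("ResourceProviderValue") == PROVIDER
        and rec.get("OperationNameValue") == DELETE_OP
        and RESOURCE_MARKER in rec.get("ResourceId", "").lower()
    )


def detect_adfs_service_deletions(records, lookback=timedelta(hours=24)):
    """Return one alert per matching deletion, carrying the caller fields an
    analyst needs first. If the same ResourceId was created within `lookback`
    before the delete, the alert is raised to 'high': a short-lived AD FS
    service is the rogue-service pattern, not a planned decommission."""
    alerts = []
    for rec in records:
        if not is_adfs_service_delete(rec):
            continue
        created = [
            r for r in records
            if r.get("OperationNameValue") == WRITE_OP
            and r.get("ResourceId", "").lower() == rec["ResourceId"].lower()
            and timedelta(0) <= rec["_time"] - r["_time"] <= lookback
        ]
        alerts.append({
            "time": rec["TimeGenerated"],
            "resource": rec["ResourceId"],
            "caller": rec.get("Caller"),
            "caller_ip": rec.get("CallerIpAddress"),
            "created_recently": bool(created),
            "severity": "high" if created else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_adfs_service_deletions(parse_records(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Against the constructed records the rule fires twice: the `sts.contoso.com` deletion is rated high because the same resource was created a few hours earlier by the same caller, while the `legacy` deletion fires at the brief's medium level and is the case to verify against change records before escalating. The AadSync deletion and the VM deletion do not match, which shows the ResourceId and provider filters doing their job.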