Azure Active Directory Hybrid Health AD FS Service Delete (48739819-8230-4ee3-a8ea-e0289d1fb0ff)

This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid Health AD FS service instance in a tenant. A threat actor can create a new AD Hybrid Health AD FS service and register a fake server to spoof AD FS signing logs. The Hybrid Health AD FS service can then be deleted, once it is no longer needed, via HTTP requests to Azure.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Delete Cloud Instance - T1578.003 (70857657-bd0b-4695-ad3e-b13f92cac1b4) | Attack Pattern | Azure Active Directory Hybrid Health AD FS Service Delete (48739819-8230-4ee3-a8ea-e0289d1fb0ff) | Sigma-Rules | 1 |
| Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) | Attack Pattern | Delete Cloud Instance - T1578.003 (70857657-bd0b-4695-ad3e-b13f92cac1b4) | Attack Pattern | 2 |