Azure AD Health Monitoring Agent Registry Keys Access (ff151c33-45fa-475d-af4f-c2f93571f4fe)

This detection uses Windows security events to detect suspicious access attempts to the registry key of the Azure AD Health monitoring agent. It requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) | Attack Pattern | Azure AD Health Monitoring Agent Registry Keys Access (ff151c33-45fa-475d-af4f-c2f93571f4fe) | Sigma-Rules | 1 |