HybridConnectionManager Service Installation
Rule to detect the Hybrid Connection Manager service installation.
Sigma rule

```yaml
title: HybridConnectionManager Service Installation
id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
status: test
description: Rule to detect the Hybrid Connection Manager service installation.
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1554
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
    selection:
        EventID: 4697
        ServiceName: HybridConnectionManager
        ServiceFileName|contains: HybridConnectionManager
    condition: selection
falsepositives:
    - Legitimate use of Hybrid Connection Manager via Azure function apps.
level: high
```
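The selection above reduces to three field tests on a Security Event ID 4697 record. The following Python is an added example, not part of the Sigma project or this rule page: it evaluates the rule's selection over a handful of constructed 4697-style records to show what does and does not fire. Field names follow the rule (`EventID`, `ServiceName`, `ServiceFileName`); the event dictionaries and the file paths in them are constructed for illustration and are not real telemetry. Sigma string matching is case-insensitive by default, which the code reproduces by lowercasing both sides of each comparison.

```python
"""Evaluate the HybridConnectionManager Service Installation selection
against Windows Security Event ID 4697 records.

Added example, not code from the Sigma project. Event records are
constructed; field names mirror the rule.
"""
from typing import Iterable, List

RULE_TITLE = "HybridConnectionManager Service Installation"


def matches_selection(event: dict) -> bool:
    """Return True when one event satisfies every field in the selection.

    EventID must equal 4697, ServiceName must equal
    "HybridConnectionManager", and ServiceFileName must contain that
    string. Sigma compares strings case-insensitively, so both sides
    are lowercased before comparison.
    """
    if event.get("EventID") != 4697:
        return False
    service_name = str(event.get("ServiceName", "")).lower()
    service_file = str(event.get("ServiceFileName", "")).lower()
    return (
        service_name == "hybridconnectionmanager"
        and "hybridconnectionmanager" in service_file
    )


def find_matches(events: Iterable[dict]) -> List[dict]:
    """Return every event that fires the rule, in input order."""
    return [evt for evt in events if matches_selection(evt)]


# Constructed sample records (not real logs). A 4697 event carries the
# name of the newly installed service and the binary it points at.
SAMPLE_EVENTS = [
    {   # exact service name and binary path containing the name: fires
        "EventID": 4697,
        "ServiceName": "HybridConnectionManager",
        "ServiceFileName": r"C:\ConstructedPath\HybridConnectionManager.exe",
        "SubjectUserName": "alice",
    },
    {   # unrelated service installation: no match
        "EventID": 4697,
        "ServiceName": "Sysmon64",
        "ServiceFileName": r"C:\Windows\Sysmon64.exe",
        "SubjectUserName": "svc-deploy",
    },
    {   # System-log style service install (EID 7045) is out of scope for
        # this rule, which is scoped to Security EID 4697: no match
        "EventID": 7045,
        "ServiceName": "HybridConnectionManager",
        "ServiceFileName": r"C:\ConstructedPath\HybridConnectionManager.exe",
    },
    {   # different casing still fires because matching is case-insensitive
        "EventID": 4697,
        "ServiceName": "hybridconnectionmanager",
        "ServiceFileName": r"c:\constructedpath\hybridconnectionmanager.exe",
        "SubjectUserName": "bob",
    },
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"[{RULE_TITLE}] user={hit.get('SubjectUserName')} "
              f"file={hit['ServiceFileName']}")
```

Running the block prints the two firing records (the first and last sample). Because the rule keys on the service name and binary name only, the `falsepositives` entry above applies directly: a legitimate Hybrid Connection Manager deployment produces the same 4697 record, so triage should confirm whether the installing account and host are expected to run Azure Relay connectivity before treating a hit as persistence.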
Related rules
- DNS HybridConnectionManager Service Bus
- HybridConnectionManager Service Running
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain