HybridConnectionManager Service Installation
Rule to detect the Hybrid Connection Manager service installation.
Sigma rule
title: HybridConnectionManager Service Installation
id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
status: test
description: Rule to detect the Hybrid Connection Manager service installation.
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021/04/12
modified: 2022/10/09
tags:
    - attack.persistence
    - attack.t1554
logsource:
    product: windows
    service: security
    definition: The 'Security System Extension' audit subcategory (System category) needs to be enabled to log EID 4697
detection:
    selection:
        EventID: 4697
        ServiceName: HybridConnectionManager
        ServiceFileName|contains: HybridConnectionManager
    condition: selection
falsepositives:
    - Legitimate use of Hybrid Connection Manager via Azure function apps.
level: high
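The selection above is three ANDed field tests on Security event 4697 (a service was installed in the system). To show exactly what it does and does not catch, here is the same logic run over a handful of constructed 4697 records. This is an added example written for this page; it is not the Sigma rule itself, not SigmaHQ code, and not Microsoft's. Field names follow the 4697 event XML (ServiceName, ServiceFileName); the file paths and account names in the sample events are invented for illustration, and the case-insensitive string matching reflects the Sigma specification's default for string values.

```python
"""Reference implementation of the HybridConnectionManager Service
Installation selection, run over constructed Windows Security 4697 events.
Added example for illustration; not part of the Sigma rule or SigmaHQ."""

from typing import Dict, Iterable, List

Event = Dict[str, object]


def _ci_equals(value: str, expected: str) -> bool:
    """Sigma matches string values case-insensitively, so normalise both sides."""
    return value.lower() == expected.lower()


def _ci_contains(value: str, needle: str) -> bool:
    """The |contains modifier is also case-insensitive on Windows fields."""
    return needle.lower() in value.lower()


def matches_hcm_service_install(event: Event) -> bool:
    """EventID 4697 AND ServiceName == HybridConnectionManager
    AND ServiceFileName contains HybridConnectionManager, Security log only."""
    if event.get("Channel") != "Security":  # logsource: service: security
        return False
    if event.get("EventID") != 4697:
        return False
    name = str(event.get("ServiceName", ""))
    path = str(event.get("ServiceFileName", ""))
    return _ci_equals(name, "HybridConnectionManager") and _ci_contains(
        path, "HybridConnectionManager"
    )


def run_rule(events: Iterable[Event]) -> List[Event]:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches_hcm_service_install(e)]


# Constructed sample events (paths and user names are invented).
SAMPLE_EVENTS: List[Event] = [
    # 1. Straightforward install under the default service name: alert.
    {"Channel": "Security", "EventID": 4697, "SubjectUserName": "jdoe",
     "ServiceName": "HybridConnectionManager",
     "ServiceFileName": r"C:\Program Files\Microsoft\HybridConnectionManager\Microsoft.HybridConnectionManager.Listener.exe",
     "ServiceType": "0x10", "ServiceStartType": "2"},
    # 2. Same install with lowercased fields: still an alert (case-insensitive).
    {"Channel": "Security", "EventID": 4697, "SubjectUserName": "jdoe",
     "ServiceName": "hybridconnectionmanager",
     "ServiceFileName": r"c:\tools\hybridconnectionmanager\listener.exe",
     "ServiceType": "0x10", "ServiceStartType": "2"},
    # 3. Same binary registered under a different service name: NOT matched,
    #    because ServiceName is an exact-value test. This is the rule's blind spot.
    {"Channel": "Security", "EventID": 4697, "SubjectUserName": "jdoe",
     "ServiceName": "WinUpdateHelper",
     "ServiceFileName": r"C:\Program Files\Microsoft\HybridConnectionManager\Microsoft.HybridConnectionManager.Listener.exe",
     "ServiceType": "0x10", "ServiceStartType": "2"},
    # 4. Unrelated service install: no alert.
    {"Channel": "Security", "EventID": 4697, "SubjectUserName": "SYSTEM",
     "ServiceName": "Sysmon64", "ServiceFileName": r"C:\Windows\Sysmon64.exe",
     "ServiceType": "0x10", "ServiceStartType": "2"},
    # 5. The System-log counterpart (7045) is outside this rule's logsource.
    {"Channel": "System", "EventID": 7045, "ServiceName": "HybridConnectionManager",
     "ServiceFileName": r"C:\Program Files\Microsoft\HybridConnectionManager\Microsoft.HybridConnectionManager.Listener.exe"},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["SubjectUserName"], hit["ServiceName"], hit["ServiceFileName"])
```

Two practical points fall out of the sample set. Sample 3 shows that an operator who installs the same listener under a renamed service is not caught, because the rule tests ServiceName for equality; a looser variant that keys only on ServiceFileName|contains trades that gap for a few more false positives. Sample 5 shows the rule needs the Security log, which only carries 4697 when the Security System Extension subcategory is audited; `auditpol /get /subcategory:"Security System Extension"` on the host confirms whether Success auditing is on before you rely on this rule.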
References
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
Related rules
- HybridConnectionManager Service Running
- Persistence and Execution at Scale via GPO Scheduled Task
- Remote Service Activity via SVCCTL Named Pipe
- Remote Task Creation via ATSVC Named Pipe
- Windows Network Access Suspicious desktop.ini Action