HybridConnectionManager Service Running
Rule to detect the Hybrid Connection Manager service running on an endpoint.
Sigma rule

```yaml
title: HybridConnectionManager Service Running
id: b55d23e5-6821-44ff-8a6e-67218891e49f
status: test
description: Rule to detect the Hybrid Connection Manager service running on an endpoint.
references:
  - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2024-08-05
tags:
  - attack.persistence
  - attack.t1554
logsource:
  product: windows
  service: microsoft-servicebus-client # Change to servicebus-client once validators are up to date
detection:
  selection:
    EventID:
      - 40300
      - 40301
      - 40302
  keywords:
    - 'HybridConnection'
    - 'sb://'
    - 'servicebus.windows.net'
    - 'HybridConnectionManage'
  condition: selection and keywords
falsepositives:
  - Legitimate use of Hybrid Connection Manager via Azure function apps.
level: high
```
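The following script is an added example (not part of the rule or the Sigma project) that applies the rule's `selection and keywords` logic to a few constructed Microsoft-ServiceBus-Client events, so you can see which records would fire and why. It assumes the usual Sigma semantics that `keywords` are case-insensitive substring matches against the whole event, and that the event has already been flattened to a simple JSON-like dict.

```python
import json

# Values taken from the rule above.
EVENT_IDS = {40300, 40301, 40302}
KEYWORDS = ("HybridConnection", "sb://", "servicebus.windows.net", "HybridConnectionManage")


def matched_keywords(event: dict) -> list[str]:
    """Keywords found anywhere in the event. Sigma 'keywords' are assumed to be
    whole-event, case-insensitive substring matches (the common backend behaviour)."""
    text = json.dumps(event).lower()
    return [k for k in KEYWORDS if k.lower() in text]


def matches(event: dict) -> bool:
    """'selection and keywords': the EventID must be one of the rule's three IDs
    AND at least one keyword must appear. Either half alone is not enough."""
    return event.get("EventID") in EVENT_IDS and bool(matched_keywords(event))


# Constructed sample events in a simplified form (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 40300, "Channel": "Microsoft-ServiceBus-Client",
     "Message": "Opening HybridConnection listener sb://contoso.servicebus.windows.net/hcm"},
    {"EventID": 40301, "Channel": "Microsoft-ServiceBus-Client",
     "Message": "Relay connection established"},          # right EventID, no keyword
    {"EventID": 40302, "Channel": "Microsoft-ServiceBus-Client",
     "Message": "HybridConnectionManager listener stopped"},
    {"EventID": 4688, "Channel": "Security",
     "Message": "A new process has been created: HybridConnectionManager.exe"},  # keyword, wrong EventID
]


def run(events: list[dict]) -> list[dict]:
    """Return the events that would trigger the rule, annotated with the keyword hits
    so an analyst can see what drove the match during triage."""
    return [{**e, "hits": matched_keywords(e)} for e in events if matches(e)]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert["EventID"], alert["hits"])
```

Only the first and third events fire: the second has a matching EventID but no keyword, and the fourth names the binary but comes from the wrong log, which is exactly what the `and` in the condition is there to enforce.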
Related rules
- DNS HybridConnectionManager Service Bus
- HybridConnectionManager Service Installation
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain