DNS HybridConnectionManager Service Bus
Detects the Azure Hybrid Connection Manager process issuing DNS queries for the Azure Service Bus domain (servicebus.windows.net). An attacker who installs Hybrid Connection Manager on a compromised host gains a persistent outbound relay into the machine; this rule flags the DNS side of that activity and pairs with the service installation and service running rules listed below.
Sigma rule
title: DNS HybridConnectionManager Service Bus
id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
status: test
description: Detects Azure Hybrid Connection Manager services querying the Azure service bus service
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2023-01-16
tags:
    - attack.persistence
    - attack.t1554
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains: 'servicebus.windows.net'
        Image|contains: 'HybridConnectionManager'
    condition: selection
falsepositives:
    - Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
level: high
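The rule's `selection` block is two `contains` tests AND-ed together, evaluated against Windows DNS query events (on Sysmon, Event ID 22). The following is an added example, not code from the rule author or the Sigma project: a minimal evaluator for this one selection, run over constructed Sysmon-style records. Sigma string modifiers are case-insensitive, so the matcher lowercases both sides. The install paths and query names in `SAMPLE_EVENTS` are illustrative values chosen for the example, not observed data.

```python
"""Evaluate the DNS HybridConnectionManager Service Bus selection against
constructed Sysmon Event ID 22 (DnsQuery) records.

Added example; not part of the Sigma rule or the Sigma project.
"""
from typing import Dict, List

# The selection map transcribed from the rule's YAML. Each key is
# "Field" or "Field|modifier"; all pairs in one map are AND-ed together.
SELECTION: Dict[str, str] = {
    "QueryName|contains": "servicebus.windows.net",
    "Image|contains": "HybridConnectionManager",
}


def field_matches(event: Dict[str, object], field_spec: str, expected: str) -> bool:
    """Evaluate one `Field|modifier: value` pair.

    Only the modifiers this rule needs are implemented: no modifier (exact
    match) and `contains`. Comparison is case-insensitive, which is how
    Sigma defines string matching for these modifiers.
    """
    field, _, modifier = field_spec.partition("|")
    value = event.get(field)
    if value is None:            # field absent from the event: cannot match
        return False
    value_l, expected_l = str(value).lower(), expected.lower()
    if modifier == "":
        return value_l == expected_l
    if modifier == "contains":
        return expected_l in value_l
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: Dict[str, object]) -> bool:
    """True when every pair in SELECTION matches (the rule's `condition: selection`)."""
    return all(field_matches(event, spec, val) for spec, val in SELECTION.items())


def find_hits(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if selection_matches(e)]


# Constructed Sysmon Event ID 22 records, trimmed to the fields the rule reads.
# Paths and hostnames are illustrative, not captured from a real host.
HCM_IMAGE = r"C:\Program Files\Microsoft\HybridConnectionManager\HybridConnectionManager.exe"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # 1. HCM process resolving a Service Bus relay endpoint: alert
    {"EventID": 22, "Image": HCM_IMAGE,
     "QueryName": "example-relay.servicebus.windows.net"},
    # 2. HCM process, but a different Microsoft endpoint: no alert
    {"EventID": 22, "Image": HCM_IMAGE,
     "QueryName": "login.microsoftonline.com"},
    # 3. Service Bus lookup from an unrelated process: no alert (Image test fails)
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "example-relay.servicebus.windows.net"},
    # 4. HCM binary dropped in a user-writable directory, mixed case: still an
    #    alert, because `contains` is a case-insensitive substring test on the
    #    whole image path, not a check of the expected install location.
    {"EventID": 22, "Image": r"C:\Users\alice\AppData\Local\Temp\hybridconnectionmanager.exe",
     "QueryName": "EXAMPLE-RELAY.SERVICEBUS.WINDOWS.NET"},
]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT  {hit['Image']}  ->  {hit['QueryName']}")
```

Events 1 and 4 fire; 2 and 3 do not. Event 4 is the hunting value of the rule: the match is on the binary name anywhere in the path, so a copy of the listener staged outside `Program Files` is caught just as the legitimate install is. That same breadth is why the rule lists legitimate Hybrid Connection Manager use as a false positive; in an environment that runs it on purpose, scope the alert by expected hosts or expected install paths rather than lowering the level. Note also that the `dns_query` logsource maps to Sysmon Event ID 22, which Sysmon does not record without a configuration that enables `DnsQuery`; the rule is silent on hosts where that event is not collected.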
References
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
Related rules
- HybridConnectionManager Service Installation
- HybridConnectionManager Service Running
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain