DNS HybridConnectionManager Service Bus

Detects Azure Hybrid Connection Manager services querying the Azure service bus service

Sigma rule

```yaml
title: DNS HybridConnectionManager Service Bus
id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
status: test
description: Detects Azure Hybrid Connection Manager services querying the Azure service bus service
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021/04/12
modified: 2023/01/16
tags:
    - attack.persistence
    - attack.t1554
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains: 'servicebus.windows.net'
        Image|contains: 'HybridConnectionManager'
    condition: selection
falsepositives:
    - Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
level: high
```
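The selection above applied to Windows DNS query telemetry (Sysmon Event ID 22 style records), as an added example that is not part of the rule or the Sigma project; the field names `Image` and `QueryName` come from the rule, while the sample events, hosts and file paths are constructed for illustration. It also shows that Sigma's `|contains` modifier matches case-insensitively, so both sides are lower-cased before the substring test.

```python
"""Evaluate the 'DNS HybridConnectionManager Service Bus' selection over
constructed DNS query events (added example, not the rule's own code)."""
from dataclasses import dataclass

# Both values are taken verbatim from the rule's selection block.
QUERY_MARKER = "servicebus.windows.net"
IMAGE_MARKER = "HybridConnectionManager"


@dataclass
class DnsQueryEvent:
    """The two fields of a dns_query event that the rule inspects."""
    image: str        # Image: full path of the process that issued the query
    query_name: str   # QueryName: the name that was resolved


def matches_rule(event: DnsQueryEvent) -> bool:
    """True when both selection terms match (condition: selection).

    Sigma string modifiers such as |contains are case-insensitive by
    default, so the comparison is done on lower-cased copies."""
    return (QUERY_MARKER.lower() in event.query_name.lower()
            and IMAGE_MARKER.lower() in event.image.lower())


def find_hits(events):
    """Return the subset of events that would raise this (level: high) alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry: hypothetical paths and relay names, not real data.
HCM_EXE = r"C:\Program Files\Microsoft\HybridConnectionManager\HybridConnectionManager.exe"
SAMPLE_EVENTS = [
    DnsQueryEvent(HCM_EXE, "example-relay.servicebus.windows.net"),   # hit
    DnsQueryEvent(r"C:\Windows\System32\svchost.exe", "login.microsoftonline.com"),  # no hit
    DnsQueryEvent(HCM_EXE.lower(), "EXAMPLE-NS.SERVICEBUS.WINDOWS.NET"),  # hit (case-insensitive)
    DnsQueryEvent(HCM_EXE, "update.microsoft.com"),                    # no hit: wrong domain
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT level=high image={hit.image} query={hit.query_name}")
```

Each hit still needs triage against the rule's stated false positive: a sanctioned Hybrid Connection Manager install talking to the organisation's own Service Bus namespace is expected behaviour.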
