HybridConnectionManager Service Installation - Registry
Detects the installation of the Azure Hybrid Connection Manager service, which can be used to allow remote code execution from an Azure Function.
Sigma rule:
title: HybridConnectionManager Service Installation - Registry
id: ac8866c7-ce44-46fd-8c17-b24acff96ca8
status: test
description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2022-11-27
tags:
    - attack.resource-development
    - attack.t1608
logsource:
    category: registry_event
    product: windows
detection:
    selection1:
        TargetObject|contains: '\Services\HybridConnectionManager'
    selection2:
        EventType: SetValue
        Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe'
    condition: selection1 or selection2
falsepositives:
    - Unknown
level: high
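To show what the two selections actually match, here is an added example (not part of the rule or of SigmaHQ) that evaluates this rule's logic over constructed Sysmon-style registry events; the field names follow Sigma's Windows registry_event taxonomy, and all sample paths and values are made up for illustration.

```python
# Added example: a minimal evaluator for this rule's detection block.
# Sigma string matching is case-insensitive; "|contains" is a substring test,
# and fields within one selection are ANDed, selections are ORed by "condition".

RULE = {
    "selection1": {"TargetObject|contains": r"\Services\HybridConnectionManager"},
    "selection2": {
        "EventType": "SetValue",
        "Details|contains": "Microsoft.HybridConnectionManager.Listener.exe",
    },
}


def field_matches(event: dict, key: str, expected: str) -> bool:
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    expected = expected.lower()
    if modifier == "contains":
        return expected in value
    return value == expected  # no modifier: exact, case-insensitive match


def selection_matches(event: dict, selection: dict) -> bool:
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event: dict) -> bool:
    # condition: selection1 or selection2
    return (selection_matches(event, RULE["selection1"])
            or selection_matches(event, RULE["selection2"]))


# Constructed sample events (not real telemetry): the HCM service key being
# created, the listener binary set as ImagePath under a differently named
# service key (only selection2 fires), and a benign unrelated service write.
SAMPLE_EVENTS = [
    {"EventType": "CreateKey",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\HybridConnectionManager",
     "Details": ""},
    {"EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Svc01\ImagePath",
     "Details": r"C:\constructed\path\Microsoft.HybridConnectionManager.Listener.exe"},
    {"EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\W32Time\Start",
     "Details": "DWORD (0x00000002)"},
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Return the TargetObject of every event the rule would alert on."""
    return [e["TargetObject"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for target in alerts():
        print("ALERT:", target)
```

A legitimate administrator install of the Hybrid Connection Manager produces the same registry writes, so alerts should be triaged against change records and the identity that performed the install.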