HybridConnectionManager Service Installation - Registry

Detects the installation of the Azure Hybrid Connection Manager service, which can be used to obtain remote code execution on the host from an Azure Function.

Sigma rule

title: HybridConnectionManager Service Installation - Registry
id: ac8866c7-ce44-46fd-8c17-b24acff96ca8
status: test
description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021/04/12
modified: 2022/11/27
tags:
    - attack.resource_development
    - attack.t1608
logsource:
    category: registry_event
    product: windows
detection:
    selection1:
        TargetObject|contains: '\Services\HybridConnectionManager'
    selection2:
        EventType: SetValue
        Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe'
    condition: selection1 or selection2
falsepositives:
    - Unknown
level: high
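As an added example (not part of the Sigma rule or the SigmaHQ project), the Python below evaluates the rule's two selections over a few constructed Sysmon registry events (Event IDs 12 and 13, which is what the registry_event logsource maps to on Windows), using Sigma's case-insensitive string semantics. Field names follow Sysmon; the service names, file paths and event contents are invented for illustration and are not real telemetry.

```python
# Added example, not code from the Sigma rule or the SigmaHQ project.
# Evaluates the rule's two selections over constructed Sysmon registry
# events (EID 12 = key create/delete, EID 13 = value set) using Sigma's
# case-insensitive matching semantics.

# Literals copied from the rule's detection block.
SELECTION1_TARGETOBJECT = r"\Services\HybridConnectionManager"
SELECTION2_EVENTTYPE = "SetValue"
SELECTION2_DETAILS = "Microsoft.HybridConnectionManager.Listener.exe"


def sigma_equals(value, wanted):
    """Sigma compares string values case-insensitively; a missing field never matches."""
    return value is not None and str(value).lower() == wanted.lower()


def sigma_contains(value, needle):
    """The |contains modifier is a case-insensitive substring test."""
    return value is not None and needle.lower() in str(value).lower()


def selection1(event):
    """selection1: TargetObject|contains '\\Services\\HybridConnectionManager'."""
    return sigma_contains(event.get("TargetObject"), SELECTION1_TARGETOBJECT)


def selection2(event):
    """selection2: EventType is SetValue and Details names the HCM listener binary."""
    return (sigma_equals(event.get("EventType"), SELECTION2_EVENTTYPE)
            and sigma_contains(event.get("Details"), SELECTION2_DETAILS))


def evaluate(event):
    """Return the names of the selections an event satisfies.

    The condition is 'selection1 or selection2', so any non-empty list is an
    alert; the names tell the analyst which branch of the rule fired.
    """
    hits = []
    if selection1(event):
        hits.append("selection1")
    if selection2(event):
        hits.append("selection2")
    return hits


def run_rule(events):
    """Apply the rule to a sequence of events; return (index, hits) for alerts only."""
    alerts = []
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            alerts.append((i, hits))
    return alerts


# Constructed sample events (invented, not captured telemetry).
SAMPLE_EVENTS = [
    # 0: the service key is created: selection1 only (no Details field on EID 12)
    {"EventID": 12, "EventType": "CreateKey",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\HybridConnectionManager",
     "Image": r"C:\Windows\System32\services.exe"},
    # 1: ImagePath set on that key, pointing at the listener: both selections
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\HybridConnectionManager\ImagePath",
     "Details": r"C:\Users\Public\hcm\Microsoft.HybridConnectionManager.Listener.exe",
     "Image": r"C:\Windows\System32\services.exe"},
    # 2: service registered under an unrelated name but still running the listener
    #    (mixed case on purpose): selection2 only, so the rename does not evade the rule
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WinUpdateHelper\ImagePath",
     "Details": r"c:\programdata\svc\MICROSOFT.HYBRIDCONNECTIONMANAGER.LISTENER.EXE",
     "Image": r"C:\Windows\System32\services.exe"},
    # 3: unrelated service change: no match
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)",
     "Image": r"C:\Windows\System32\services.exe"},
    # 4: HCM key outside the Services hive, created by the listener itself: no match,
    #    because selection1 is scoped to '\Services\' and selection2 needs a SetValue
    {"EventID": 12, "EventType": "CreateKey",
     "TargetObject": r"HKLM\Software\Microsoft\HybridConnectionManager",
     "Image": r"C:\Users\Public\hcm\Microsoft.HybridConnectionManager.Listener.exe"},
]


if __name__ == "__main__":
    for idx, hits in run_rule(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}] {SAMPLE_EVENTS[idx]['TargetObject']}: {', '.join(hits)}")
```

Running it flags events 0, 1 and 2 and leaves the Spooler change and the non-Services key alone. Two things worth noting when deploying the rule: selection1 fires on creation of the service key itself, so a legitimate Hybrid Connection Manager install (the tool is Microsoft's own relay agent for App Service hybrid connections) will alert as well, which is why falsepositives is Unknown rather than None; and the rule does not constrain the Sysmon Image field, so for triage check which process wrote the key and whether the listener binary sits in a vendor install location rather than a user-writable path such as the ones in the constructed events above.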
