Detectionhightest

HybridConnectionManager Service Installation

Rule to detect the Hybrid Connection Manager service installation.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Mon Apr 12Updated Sun Oct 090ee4d8a5-4e67-4faf-acfa-62a78457d1f2windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Definition

The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Detection Logic

detection:
    selection:
        EventID: 4697
        ServiceName: HybridConnectionManager
        ServiceFileName|contains: HybridConnectionManager
    condition: selection

False Positives

Legitimate use of Hybrid Connection Manager via Azure function apps.

References

Resolving title…

twitter.com

MITRE ATT&CK

Tactics

TA0003 · Persistence

Techniques

T1554 · Compromise Host Software Binary

Rule Metadata

Rule ID

0ee4d8a5-4e67-4faf-acfa-62a78457d1f2

Status

test

Level

high

Type

Detection

Created

Mon Apr 12

Modified

Sun Oct 09

Author

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Path

rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml

Raw Tags

attack.persistenceattack.t1554

View on GitHub