LoFP / legitimate use of hybrid connection manager via azure function apps.

Techniques

• t1554

Sample rules

HybridConnectionManager Service Running

• source: sigma
• technicques:
  • t1554

Description

Rule to detect the Hybrid Connection Manager service running on an endpoint.

Detection logic

condition: selection and keywords
keywords:
- HybridConnection
- sb://
- servicebus.windows.net
- HybridConnectionManage
selection:
  EventID:
  - 40300
  - 40301
  - 40302

HybridConnectionManager Service Installation

• source: sigma
• technicques:
  • t1554

Description

Rule to detect the Hybrid Connection Manager service installation.

Detection logic

condition: selection
selection:
  EventID: 4697
  ServiceFileName|contains: HybridConnectionManager
  ServiceName: HybridConnectionManager