HybridConnectionMgr Service Activity

rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml

@@ -0,0 +1,23 @@
+title: HybridConnectionManager Service Installation
+id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
+description: Rule to detect the Hybrid Connection Manager service installation.
+status: experimental
+date: 2021/04/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+    - attack.persistence
+references:
+    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID:
+            - 4697
+        ServiceName: HybridConnectionManager
+        ServiceFileName|contains: HybridConnectionManager 
+    condition: selection
+falsepositives:
+    - Legitimate use of Hybrid Connection Manager via Azure function apps.
+level: high

rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml

@@ -0,0 +1,28 @@
+title: HybridConnectionManager Service Running
+id: b55d23e5-6821-44ff-8a6e-67218891e49f
+description: Rule to detect the Hybrid Connection Manager service running on an endpoint.
+status: experimental
+date: 2021/04/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+    - attack.persistence
+references:
+    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+logsource:
+    product: windows
+    service: Microsoft-ServiceBus-Client
+detection:
+    selection:
+        EventID:
+            - 40300
+            - 40301
+            - 40302
+        Message|contains:
+            - 'HybridConnection'
+            - 'sb://'
+            - 'servicebus.windows.net'
+            - 'HybridConnectionManage'
+    condition: selection
+falsepositives:
+    - Legitimate use of Hybrid Connection Manager via Azure function apps.
+level: high

rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml

@@ -0,0 +1,22 @@
+title: HybridConnectionManager Service Installation
+id: ac8866c7-ce44-46fd-8c17-b24acff96ca8
+description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
+status: experimental
+date: 2021/04/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+    - attack.persistence
+references:
+    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+logsource:
+    category: registry_event
+    product: windows
+detection:
+    selection1:
+        TargetObject|contains: '\Services\HybridConnectionManager'
+    selection2:
+        Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe'
+    condition: selection1 or selection2
+falsepositives:
+    - Unknown
+level: high

rules/windows/sysmon/sysmon_dns_hybridconnectionmgr_servicebus.yml

@@ -0,0 +1,22 @@
+title: DNS HybridConnectionManager Service Bus
+id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
+description: Detects Azure Hybrid Connection Manager services querying the Azure service bus service
+status: experimental
+date: 2021/04/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+    - attack.persistence
+references:
+    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 22
+        QueryName|contains: servicebus.windows.net
+        Image|contains: HybridConnectionManager
+    condition: selection
+falsepositives:
+    - Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
+level: high