title: HybridConnectionManager Service Installation
id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
description: Rule to detect the Hybrid Connection Manager service installation.
status: experimental
date: 2021/04/12
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
    - attack.persistence
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4697
        ServiceName: HybridConnectionManager
        ServiceFileName|contains: HybridConnectionManager 
    condition: selection
falsepositives:
    - Legitimate use of Hybrid Connection Manager via Azure function apps.
level: high