valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
b5766f8804
SigmaHQ/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml
frack113 78e0e570dd Split PR 1802 builtin net rules
2021-08-09 20:23:35 +02:00

24 lines
742 B
YAML
Raw Blame History

title: HybridConnectionManager Service Installation
id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
description: Rule to detect the Hybrid Connection Manager service installation.
status: experimental
date: 2021/04/12
modified: 2021/08/09
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.persistence
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
ServiceName: HybridConnectionManager
ServiceFileName|contains: HybridConnectionManager
condition: selection
falsepositives:
- Legitimate use of Hybrid Connection Manager via Azure function apps.
level: high
Reference in New Issue View Git Blame Copy Permalink