Windows HybridConnectionManager service running

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects the Azure Hybrid Connection Manager service running on a Windows host, which could indicate an attacker establishing covert remote connectivity.

Strategy

This rule monitors Windows event logs for events with ID 40300, 40301, or 40302 whose content contains specific strings related to Hybrid Connection Manager functionality. The Azure Hybrid Connection Manager creates a secure relay between an on-premises server and the Azure cloud, allowing bidirectional communication without requiring changes to corporate firewall rules. While this is a legitimate service, an attacker who has already compromised a system can abuse it to establish persistent remote access that bypasses traditional network controls. This activity warrants investigation when observed on systems that have no documented business purpose for Azure Hybrid connectivity.
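To make the detection strategy concrete, the following added example (not Datadog's rule implementation and not Microsoft's code) runs the same logic over a handful of constructed Windows event records: it keeps only events with ID 40300, 40301, or 40302, requires a Hybrid Connection Manager marker string in the provider or message, and suppresses hits on hosts with a documented business purpose. The event IDs come from the rule description above; the marker substrings, the record layout, and the sample events are assumptions for illustration, since the page does not list the exact strings it matches on.

```python
"""Added example mirroring the rule's strategy over constructed event records."""
from dataclasses import dataclass
from typing import Iterable, List, FrozenSet

# Event IDs named in the rule description.
HCM_EVENT_IDS = {40300, 40301, 40302}

# Assumed marker substrings; the page says "specific strings related to
# Hybrid Connection Manager functionality" without listing them.
HCM_MARKERS = ("hybridconnectionmanager", "hybrid connection manager")


@dataclass(frozen=True)
class WinEvent:
    """Simplified Windows event record (assumed layout, not the real EVTX schema)."""
    host: str
    event_id: int
    provider: str
    message: str


@dataclass(frozen=True)
class Finding:
    host: str
    event_id: int
    reason: str


def is_hcm_event(ev: WinEvent) -> bool:
    """True when the event ID is in scope AND an HCM marker appears in the text."""
    if ev.event_id not in HCM_EVENT_IDS:
        return False
    haystack = f"{ev.provider} {ev.message}".lower()
    return any(marker in haystack for marker in HCM_MARKERS)


def detect(events: Iterable[WinEvent],
           authorized_hosts: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return one Finding per matching event on a host without a documented
    business purpose for Azure Hybrid connectivity (case-insensitive host match)."""
    allowed = {h.lower() for h in authorized_hosts}
    findings: List[Finding] = []
    for ev in events:
        if not is_hcm_event(ev):
            continue
        if ev.host.lower() in allowed:
            continue  # expected on this host; suppress to cut noise
        findings.append(Finding(
            host=ev.host,
            event_id=ev.event_id,
            reason=f"Hybrid Connection Manager activity (event {ev.event_id}) "
                   f"on a host with no documented Azure Hybrid use",
        ))
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    WinEvent("WS-FINANCE-07", 40300, "HybridConnectionManager",
             "Hybrid Connection Manager service started."),
    WinEvent("APP-RELAY-01", 40301, "HybridConnectionManager",
             "Connection established to relay endpoint."),
    # In-scope host but an unrelated event ID: must not match.
    WinEvent("WS-FINANCE-07", 7036, "Service Control Manager",
             "The Windows Update service entered the running state."),
    # In-scope event ID but no HCM marker: must not match.
    WinEvent("WS-HR-02", 40302, "Microsoft-Windows-TaskScheduler",
             "Scheduled task completed."),
]


if __name__ == "__main__":
    # APP-RELAY-01 is treated as an authorized relay host (assumed).
    for f in detect(SAMPLE_EVENTS, authorized_hosts=frozenset({"APP-RELAY-01"})):
        print(f"{f.host}: {f.reason}")
```

The allowlist is the part worth tuning in practice: a bare match on the three event IDs plus the marker strings fires on every legitimate relay host too, so the expected-host set is what turns this from an inventory signal into a triage-worthy alert.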

Triage & Response

  • Validate whether the Hybrid Connection Manager service is authorized on the {{host}} system.
  • Examine the service configuration to determine which Azure resources it’s connecting to and verify if these connections are expected.
  • Review authentication logs to identify who installed or configured the service.
  • Verify the installation date and time to correlate with known change management windows.
  • Analyze network traffic generated by the service to identify potential data exfiltration or command and control activity.
  • Review Microsoft 365 and Azure logs for suspicious activity that might be related to this connection.