---
title: Windows HybridConnectionManager service running
description: Datadog, the leading service for cloud-scale monitoring.
---

# Windows HybridConnectionManager service running

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
Classification: attack | Tactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003) | Technique: [T1554-compromise-host-software-binary](https://attack.mitre.org/techniques/T1554)
## Goal{% #goal %}

Detects the Azure Hybrid Connection Manager (HCM) service running on a Windows host. On a host with no documented need for Azure Hybrid Connections, this could indicate an attacker establishing covert, outbound-only remote connectivity.

## Strategy{% #strategy %}

This rule monitors Windows event logs for events with ID `40300`, `40301`, or `40302` whose message contains specific strings related to Hybrid Connection Manager functionality. Azure Hybrid Connection Manager creates a relay between an on-premises server and the Azure cloud: the on-premises agent opens an outbound TLS connection to Azure Relay, and traffic in both directions is tunnelled over that session, so no inbound firewall rule or port forward is needed. While this is a legitimate service, an attacker who has already compromised a system can install it to gain persistent remote access that perimeter controls never see as an inbound connection. The event alone proves only that the service is running; treat it as suspicious when it appears on systems that have no documented business purpose for Azure Hybrid connectivity, or when it appears outside an approved change window.

## Triage & Response{% #triage--response %}

- Validate whether the Hybrid Connection Manager service is authorized on the `{{host}}` system.
- Examine the service configuration to determine which Azure Relay namespace and hybrid connections it is configured for, and verify that these connections are expected.
- Review installation and authentication logs to identify who installed or configured the service (on Windows, Service Control Manager event ID 7045 in the System log records a newly registered service and the account that registered it).
- Verify the installation date and time to correlate with known change management windows.
- Analyze network traffic generated by the service, in particular its outbound TLS sessions, to identify potential data exfiltration or command and control activity.
- Review Microsoft 365 and Azure logs, including the Azure Relay namespace's activity log, for suspicious activity that might be related to this connection.
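
The following PowerShell script, added here as an illustration and not part of the Datadog rule or of Microsoft's HCM tooling, walks the host-side checks from the Strategy and Triage sections in one pass: it pulls the same event IDs the rule keys on, locates the service and its binary, finds the service-registration and MSI-install events for attribution and timing, and lists the service's live outbound connections. It assumes the service is registered under the name `HybridConnectionManager`, that HCM writes events `40300`-`40302` to the Application log, and that install-related messages contain the word `Hybrid`; adjust those three if your host differs.

```powershell
# Added triage helper (example code, not from the Datadog rule or Microsoft).
# Assumptions, not stated by the rule: the service name below, the Application
# log as the destination for events 40300-40302, and 'Hybrid' appearing in
# install-related event messages. Run in an elevated PowerShell session.

$ServiceName  = 'HybridConnectionManager'   # assumed service name
$HcmEventIds  = 40300, 40301, 40302         # the IDs the detection rule matches on
$LookbackDays = 30
$since        = (Get-Date).AddDays(-$LookbackDays)

# 1. Is the service present, how does it start, and which binary does it run?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Host "No service named $ServiceName. Check Get-Service for a similar display name."
} else {
    $svc | Select-Object Name, DisplayName, State, StartMode, StartName, PathName, ProcessId |
        Format-List

    # Strip quotes/arguments from PathName to get the executable, then check its
    # timestamps (installation time) and Authenticode signature (tampered binary?).
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    if (Test-Path $exe) {
        Get-Item $exe | Select-Object FullName, CreationTime, LastWriteTime | Format-List
        Get-AuthenticodeSignature $exe |
            Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } } |
            Format-List
    }
}

# 2. The events the rule keys on, newest first. Inspect the Message column for
#    the relay endpoint and connection names HCM reports.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = $HcmEventIds; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-Table -Wrap

# 3. Who registered the service, and when: Service Control Manager event 7045
#    (System log) is written for every newly installed service.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Hybrid' } |
    Select-Object TimeCreated, UserId, Message |
    Format-List

# 4. MSI installs in the same window (MsiInstaller 1033 / 11707), for correlating
#    against change-management records.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033, 11707; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Hybrid' } |
    Select-Object TimeCreated, UserId, Message |
    Format-List

# 5. Where is it talking to right now? HCM relays over outbound TLS, so the
#    remote endpoints of its sockets are the starting point for traffic analysis.
if ($svc -and $svc.ProcessId) {
    Get-NetTCPConnection -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
        Format-Table
}
```

The `UserId` on the 7045 and MSI events is a SID; resolve it with `(New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount])` to get the account name for the authentication-log review. The Azure-side checks (which Relay namespace the connection string points at, and who created the hybrid connection in Azure) are not covered here, since they require the Azure portal or `Az` modules rather than the host.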
