Created Files by Microsoft Sync Center
This rule detects suspicious files created by Microsoft Sync Center (mobsync)
Sigma rule (View on GitHub)
1title: Created Files by Microsoft Sync Center
2id: 409f8a98-4496-4aaa-818a-c931c0a8b832
3status: test
4description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
5references:
6 - https://redcanary.com/blog/intelligence-insights-november-2021/
7author: elhoim
8date: 2022-04-28
9modified: 2022-06-02
10tags:
11 - attack.t1055
12 - attack.t1218
13 - attack.execution
14 - attack.defense-evasion
15logsource:
16 product: windows
17 category: file_event
18detection:
19 selection_mobsync:
20 Image|endswith: '\mobsync.exe'
21 filter_created_file:
22 TargetFilename|endswith:
23 - '.dll'
24 - '.exe'
25 condition: selection_mobsync and filter_created_file
26falsepositives:
27 - Unknown
28level: medium
References
-
Compromised NPM package distributes cryptominer, TR delivers SqurrielWaffle, and Gamarue rises up the threat ranks.
Read More
Related rules
- Microsoft Sync Center Suspicious Network Connections
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary MSI Download Via Devinit.EXE