Created Files by Microsoft Sync Center
This rule detects suspicious files created by Microsoft Sync Center (mobsync)
Sigma rule
```yaml
title: Created Files by Microsoft Sync Center
id: 409f8a98-4496-4aaa-818a-c931c0a8b832
status: test
description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
references:
  - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2022-06-02
tags:
  - attack.privilege-escalation
  - attack.t1055
  - attack.t1218
  - attack.execution
  - attack.defense-evasion
logsource:
  product: windows
  category: file_event
detection:
  selection_mobsync:
    Image|endswith: '\mobsync.exe'
  filter_created_file:
    TargetFilename|endswith:
      - '.dll'
      - '.exe'
  condition: selection_mobsync and filter_created_file
falsepositives:
  - Unknown
level: medium
```
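The rule's detection logic as a small Python matcher run over constructed file-creation events, added here as an example and not code from the Sigma project or this page. It assumes the event fields are named as in Sysmon Event ID 11 (`Image`, `TargetFilename`), and it reflects that the `filter_created_file` block is ANDed in the condition, so it narrows matches rather than excluding them.

```python
# Detection logic of the Sigma rule above: a file_event where the creating
# process image ends with \mobsync.exe and the created file ends in .dll or .exe.
# Note that despite its "filter_" prefix, filter_created_file is ANDed in the
# condition, so it is a second selection, not an exclusion.
CREATOR_SUFFIX = "\\mobsync.exe"
SUSPICIOUS_EXTENSIONS = (".dll", ".exe")


def matches_rule(event: dict) -> bool:
    """Return True when a file-creation event satisfies the rule's condition.

    Comparison is case-insensitive, matching Sigma's default string handling.
    Field names follow Sysmon Event ID 11 (assumption for this example).
    """
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    return image.endswith(CREATOR_SUFFIX) and target.endswith(SUSPICIOUS_EXTENSIONS)


# Constructed sample events (not real telemetry) in Sysmon FileCreate shape.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\mobsync.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"},
    {"Image": "C:\\Windows\\System32\\mobsync.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\LOADER.EXE"},
    {"Image": "C:\\Windows\\System32\\mobsync.exe",
     "TargetFilename": "C:\\Windows\\CSC\\v2.0.6\\namespace\\share\\report.docx"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\helper.dll"},
]


def find_matches(events) -> list:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for name in find_matches(SAMPLE_EVENTS):
        print("ALERT created-by-mobsync:", name)
```

Only the two executable-style files written by mobsync.exe match; the .docx created by mobsync.exe and the DLL written by svchost.exe do not.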
Related rules
- Microsoft Sync Center Suspicious Network Connections
- DotNet CLR DLL Loaded By Scripting Applications
- Network Connection Initiated Via Notepad.EXE
- Potential DLL Sideloading Using Coregen.exe
- Scheduled Task Creation with Curl and PowerShell Execution Combo