Created Files by Microsoft Sync Center
This rule detects suspicious files created by Microsoft Sync Center (mobsync)
Sigma rule
title: Created Files by Microsoft Sync Center
id: 409f8a98-4496-4aaa-818a-c931c0a8b832
status: test
description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022/04/28
modified: 2022/06/02
tags:
    - attack.t1055
    - attack.t1218
    - attack.execution
    - attack.defense_evasion
logsource:
    product: windows
    category: file_event
detection:
    selection_mobsync:
        Image|endswith: '\mobsync.exe'
    filter_created_file:
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection_mobsync and filter_created_file
falsepositives:
    - Unknown
level: medium
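The following is an added example, not part of the rule page or the Sigma project's own code: a minimal Python evaluator for the detection logic above, run over a few constructed Sysmon-style file-creation events (Event ID 11 style records with Image and TargetFilename fields). It goes slightly beyond this rule by handling the endswith, startswith and contains modifiers and list-valued fields, but only the plain "a and b" condition form this rule uses. Sigma string matching is case-insensitive, so both selections lower-case before comparing; the file paths and event shape are assumptions made up for the demonstration.

```python
# Added example: tiny evaluator for the "Created Files by Microsoft Sync Center"
# Sigma rule. Not the Sigma project's code; sample events below are constructed.

# The rule's detection section, transcribed as a Python dict.
RULE = {
    "detection": {
        "selection_mobsync": {"Image|endswith": "\\mobsync.exe"},
        "filter_created_file": {"TargetFilename|endswith": [".dll", ".exe"]},
        "condition": "selection_mobsync and filter_created_file",
    }
}

# Constructed Sysmon-style file-creation events (hypothetical paths, not from the page).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\mobsync.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\payload.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\mobsync.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\Offline Files\sync.log"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\MOBSYNC.EXE",
     "TargetFilename": r"C:\ProgramData\helper.EXE"},
]


def _match_value(value, pattern, modifier):
    """Compare one field value against one pattern; Sigma matching is case-insensitive."""
    v, p = str(value).lower(), str(pattern).lower()
    if modifier is None:
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    """A selection map AND-s its keys; a list of values for one key is OR-ed."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        modifier = modifier or None
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_match_value(event[field], p, modifier) for p in patterns):
            return False
    return True


def rule_matches(rule, event):
    """Evaluate a condition of the form 'name_a and name_b ...' (conjunction only)."""
    det = rule["detection"]
    names = [tok for tok in det["condition"].split() if tok != "and"]
    return all(selection_matches(det[name], event) for name in names)


def run_rule(rule, events):
    """Return the TargetFilename of every event the rule fires on."""
    return [e["TargetFilename"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    for hit in run_rule(RULE, SAMPLE_EVENTS):
        print("ALERT mobsync.exe wrote executable file:", hit)
```

Two of the four constructed events fire: the .dll write and the upper-cased .EXE write, both from mobsync.exe; the .log write by mobsync.exe and the .exe write by svchost.exe do not. Note that despite its name, filter_created_file is conjoined with "and", not "and not", so it narrows the match to executable file types rather than excluding anything. When tuning, keep in mind that the rule's falsepositives field is "Unknown", so any legitimate mobsync.exe activity writing .dll or .exe files in your environment should be baselined before promoting the rule from status "test".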
Related rules
- Execute MSDT Via Answer File
- Execute Pcwrun.EXE To Leverage Follina
- Potential Binary Impersonating Sysinternals Tools
- Use Of The SFTP.EXE Binary As A LOLBIN
- Use of Scriptrunner.exe