Microsoft Sync Center Suspicious Network Connections
Detects suspicious connections from Microsoft Sync Center to non-private IPs.
Sigma rule

title: Microsoft Sync Center Suspicious Network Connections
id: 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b
status: test
description: Detects suspicious connections from Microsoft Sync Center to non-private IPs.
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2024-03-12
tags:
    - attack.privilege-escalation
    - attack.t1055
    - attack.t1218
    - attack.execution
    - attack.defense-evasion
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        Image|endswith: '\mobsync.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'    # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'   # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
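The rule's logic, re-implemented in Python over constructed network-connection events so the `endswith`/`cidr` matching and the `not 1 of filter_main_*` exclusion can be checked offline. This is an added example, not part of the Sigma rule or the Sigma project; the event dictionaries and their addresses are constructed.

```python
import ipaddress

# CIDR ranges copied from the rule's filter_main_local_ranges block.
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def is_local(ip_str):
    """Mirror the `DestinationIp|cidr` modifier: True if the address is in any listed range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # An unparseable address cannot match the filter, so the event is not excluded.
        return False
    return any(ip in net for net in LOCAL_RANGES if net.version == ip.version)


def matches_rule(event):
    """Evaluate `selection and not 1 of filter_main_*` for one network_connection event."""
    # Sigma string modifiers such as endswith are case-insensitive by default.
    selection = event.get("Image", "").lower().endswith("\\mobsync.exe")
    return selection and not is_local(event.get("DestinationIp", ""))


def alerts(events):
    """Return the events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); public addresses use RFC 5737/3849 test ranges.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mobsync.exe", "DestinationIp": "192.168.1.10"},  # private, excluded
    {"Image": r"C:\Windows\System32\mobsync.exe", "DestinationIp": "203.0.113.5"},   # non-private, alert
    {"Image": r"C:\Windows\System32\mobsync.exe", "DestinationIp": "fe80::1"},       # link-local, excluded
    {"Image": r"C:\Windows\System32\mobsync.exe", "DestinationIp": "2001:db8::1"},   # non-private v6, alert
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "203.0.113.5"},   # wrong image, no alert
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT", hit)
```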
Related rules
- Created Files by Microsoft Sync Center
- DotNet CLR DLL Loaded By Scripting Applications
- Network Connection Initiated Via Notepad.EXE
- Potential DLL Sideloading Using Coregen.exe
- Scheduled Task Creation with Curl and PowerShell Execution Combo