Microsoft Sync Center Suspicious Network Connections
Detects suspicious connections from Microsoft Sync Center to non-private IPs.
Sigma rule (View on GitHub)
1title: Microsoft Sync Center Suspicious Network Connections
2id: 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b
3status: test
4description: Detects suspicious connections from Microsoft Sync Center to non-private IPs.
5references:
6 - https://redcanary.com/blog/intelligence-insights-november-2021/
7author: elhoim
8date: 2022/04/28
9modified: 2024/03/12
10tags:
11 - attack.t1055
12 - attack.t1218
13 - attack.execution
14 - attack.defense_evasion
15logsource:
16 product: windows
17 category: network_connection
18detection:
19 selection:
20 Image|endswith: '\mobsync.exe'
21 filter_main_local_ranges:
22 DestinationIp|cidr:
23 - '127.0.0.0/8'
24 - '10.0.0.0/8'
25 - '172.16.0.0/12'
26 - '192.168.0.0/16'
27 - '169.254.0.0/16'
28 - '::1/128' # IPv6 loopback
29 - 'fe80::/10' # IPv6 link-local addresses
30 - 'fc00::/7' # IPv6 private addresses
31 condition: selection and not 1 of filter_main_*
32falsepositives:
33 - Unknown
34level: medium
References
-
Compromised NPM package distributes cryptominer, TR delivers SqurrielWaffle, and Gamarue rises up the threat ranks.
Read More
Related rules
- Created Files by Microsoft Sync Center
- Dllhost.EXE Initiated Network Connection To Non-Local IP Address
- Network Connection Initiated Via Notepad.EXE
- Potential Compromised 3CXDesktopApp Execution
- Potential Compromised 3CXDesktopApp Update Activity