Detectionmediumtest

Created Files by Microsoft Sync Center

This rule detects suspicious files created by Microsoft Sync Center (mobsync)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

elhoimCreated Thu Apr 28Updated Thu Jun 02409f8a98-4496-4aaa-818a-c931c0a8b832windows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection_mobsync:
        Image|endswith: '\mobsync.exe'
    filter_created_file:
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection_mobsync and filter_created_file

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

redcanary.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0002 · Execution TA0005 · Defense Evasion

Techniques

T1055 · Process Injection T1218 · System Binary Proxy Execution

Rule Metadata

Rule ID

409f8a98-4496-4aaa-818a-c931c0a8b832

Status

test

Level

medium

Type

Detection

Created

Thu Apr 28

Modified

Thu Jun 02

Author

elhoim

Path

rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml

Raw Tags

attack.privilege-escalationattack.t1055attack.t1218attack.executionattack.defense-evasion

View on GitHub