
Microsoft Sync Center Suspicious Network Connections

Detects suspicious connections from Microsoft Sync Center to non-private IPs.

Author: elhoim
Created: Thu Apr 28
Updated: Tue Mar 12
Rule ID: 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b
Product: windows
Log Source
Product: windows
Category: network_connection

Events for outbound and inbound network connections including DNS resolution.

Detection Logic
detection:
    selection:
        Image|endswith: '\mobsync.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
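To sanity-check the condition before converting it to a backend query, the following Python evaluates the rule's two selectors over a handful of constructed Sysmon Event ID 3 style records. This is an added example, not part of the Sigma rule or the page; the field names follow Sysmon (Image, DestinationIp), the RecordId key and the records themselves are invented. It reproduces the Sigma semantics that matter here: case-insensitive endswith on Image, the cidr modifier over both IPv4 and IPv6 ranges, and the negated filter.

```python
"""Evaluate the mobsync.exe Sigma rule over constructed network_connection records.

Added example, not the rule's or the page's own code. Sample events below are
constructed, not real telemetry.
"""
import ipaddress

# Ranges copied from the rule's filter_main_local_ranges selector.
LOCAL_RANGES = [
    ipaddress.ip_network(c)
    for c in (
        "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
    )
]


def is_local(ip_str: str) -> bool:
    """Sigma 'DestinationIp|cidr': true if the address is inside any listed range.

    ipaddress returns False (no exception) when comparing an IPv4 address
    against an IPv6 network, so mixed families are handled correctly.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparsable DestinationIp cannot satisfy the filter
    return any(ip in net for net in LOCAL_RANGES)


def matches_rule(event: dict) -> bool:
    """Implements: condition: selection and not 1 of filter_main_*"""
    # Sigma string matching is case-insensitive by default.
    selection = event.get("Image", "").lower().endswith("\\mobsync.exe")
    filter_main_local_ranges = is_local(event.get("DestinationIp", ""))
    return selection and not filter_main_local_ranges


def evaluate(events) -> list:
    """Return the RecordId (constructed key) of every event the rule would alert on."""
    return [e["RecordId"] for e in events if matches_rule(e)]


# Constructed Sysmon Event ID 3 style records (hypothetical, for illustration only).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\mobsync.exe",
     "DestinationIp": "10.20.30.40", "DestinationPort": 445},      # RFC 1918: filtered
    {"RecordId": 2, "Image": r"C:\Windows\System32\mobsync.exe",
     "DestinationIp": "fd00::1", "DestinationPort": 445},          # IPv6 ULA: filtered
    {"RecordId": 3, "Image": r"C:\Windows\System32\MOBSYNC.EXE",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},     # public, upper-case image: alert
    {"RecordId": 4, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},     # wrong image: no alert
    {"RecordId": 5, "Image": r"C:\Windows\System32\mobsync.exe",
     "DestinationIp": "224.0.0.251", "DestinationPort": 5353},     # multicast not in filter: alert
    {"RecordId": 6, "Image": r"C:\Windows\System32\mobsync.exe",
     "DestinationIp": "::1", "DestinationPort": 8080},             # IPv6 loopback: filtered
]

if __name__ == "__main__":
    print("alerting RecordIds:", evaluate(SAMPLE_EVENTS))
```

Record 5 is included deliberately: the filter lists only loopback, RFC 1918, link-local and IPv6 ULA ranges, so a multicast destination such as mDNS passes the `not 1 of filter_main_*` clause and would alert. Whether that is wanted on a given estate is a tuning decision to make when the rule is converted.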
False Positives
Unknown

False positive likelihood has not been assessed by the rule author. Two properties of the logic matter for triage: the filter excludes only loopback, RFC 1918, link-local and IPv6 unique-local ranges, so connections to multicast or broadcast addresses and to any legitimate public endpoint will surface; and the detection does not constrain the Initiated field, so both inbound and outbound connections to a non-filtered address match.

Rule Metadata
Rule ID
9f2cc74d-78af-4eb2-bb64-9cd1d292b87b
Status
test
Level
medium
Type
Detection
Created
Thu Apr 28
Modified
Tue Mar 12
Author
elhoim
Path
rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
Raw Tags
attack.privilege-escalation
attack.t1055
attack.t1218
attack.execution
attack.defense-evasion