Adversaries may leverage Microsoft Sync Center to create stealthy files and exfiltrate data, exploiting its legitimate functionality for persistence and data theft. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise through anomalous file creation by Sync Center.
Detection Rule
title: Created Files by Microsoft Sync Center
id: 409f8a98-4496-4aaa-818a-c931c0a8b832
status: test
description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2022-06-02
tags:
    - attack.privilege-escalation
    - attack.t1055
    - attack.t1218
    - attack.execution
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection_mobsync:
        Image|endswith: '\mobsync.exe'
    filter_created_file:
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection_mobsync and filter_created_file
falsepositives:
    - Unknown
level: medium
The equivalent Azure Sentinel (ASIM imFileEvent) query. The creating process is the acting process, so it is matched on ActingProcessName rather than on the target file path, and the query is limited to file-creation events:
imFileEvent
| where EventType == "FileCreated"
| where ActingProcessName endswith "\\mobsync.exe"
| where TargetFileName endswith ".dll" or TargetFileName endswith ".exe"
False Positive Scenarios
Scenario: User syncs files via Microsoft OneDrive Sync Client
Filter/Exclusion: Check the file path and process name. Exclude files created by OneDrive.exe or FileSync.exe (Microsoft OneDrive Sync Client).
Scenario: System administrator performs a file sync using Microsoft Sync Center for backup purposes
Filter/Exclusion: Exclude files created by mobsync.exe or SyncCenter.exe when the user is a domain admin and the file path is within a known backup directory (e.g., C:\Backup\).
Scenario: Scheduled job runs Microsoft Sync Center to synchronize data between servers
Filter/Exclusion: Exclude files created by mobsync.exe when the process is initiated by a scheduled task with a known name (e.g., SyncJob_ScheduledTask) and the file path is within a server sync directory.
Scenario: User manually syncs files using Microsoft Sync Center for offline access
Filter/Exclusion: Exclude files created by SyncCenter.exe when the user is accessing a local folder that is part of a known sync profile (e.g., C:\Users\Username\Documents\SyncFolder).
Scenario: Microsoft Sync Center is used to sync files between a laptop and a corporate network drive
Filter/Exclusion: Exclude files created by mobsync.exe when the file path is within a mapped network drive (e.g., Z:\Sync\) and the user is authenticated with a corporate account.
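The rule logic above combined with the path and process exclusions from the scenarios, run over constructed Sysmon Event ID 11-style records. This is an added example, not code from the rule author or the Sigma project; the event field names, the allowlisted directories and the sample events are assumptions for illustration.

```python
# Added example (not part of the original rule): applies the mobsync.exe
# file-creation logic plus the tuning from the false positive scenarios to
# constructed Sysmon Event ID 11-style records.
from pathlib import PureWindowsPath

SUSPICIOUS_EXTENSIONS = {".dll", ".exe"}
# Processes the scenarios name as legitimate sync clients (OneDrive).
EXCLUDED_PROCESSES = {"onedrive.exe", "filesync.exe"}
# Known backup/sync locations taken from the scenarios (assumed values).
EXCLUDED_DIRS = [PureWindowsPath(r"C:\Backup"), PureWindowsPath(r"Z:\Sync")]


def is_under(path, directory):
    """True if path lies inside directory (case-insensitive, drive-aware)."""
    p = PureWindowsPath(str(path).lower())
    d = PureWindowsPath(str(directory).lower())
    return d in p.parents


def matches_rule(event):
    """Sigma logic: Image ends with \\mobsync.exe and target ends with .dll/.exe."""
    image = PureWindowsPath(event["Image"])
    target = PureWindowsPath(event["TargetFilename"])
    return image.name.lower() == "mobsync.exe" and target.suffix.lower() in SUSPICIOUS_EXTENSIONS


def is_excluded(event):
    """Tuning from the scenarios: known sync clients and known backup/sync dirs."""
    if PureWindowsPath(event["Image"]).name.lower() in EXCLUDED_PROCESSES:
        return True
    target = PureWindowsPath(event["TargetFilename"])
    return any(is_under(target, d) for d in EXCLUDED_DIRS)


def hunt(events):
    """Return the events that match the rule and survive the exclusions."""
    return [e for e in events if matches_rule(e) and not is_excluded(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mobsync.exe", "TargetFilename": r"C:\Users\Public\update.dll"},
    {"Image": r"C:\Windows\System32\mobsync.exe", "TargetFilename": r"C:\Backup\tools\backup.exe"},
    {"Image": r"C:\Windows\System32\mobsync.exe", "TargetFilename": r"Z:\Sync\report.docx"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "TargetFilename": r"C:\Users\alice\OneDrive\app.exe"},
    {"Image": r"C:\Windows\System32\MOBSYNC.EXE", "TargetFilename": r"C:\ProgramData\loader.EXE"},
]

if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print("ALERT", e["Image"], "->", e["TargetFilename"])
```

Matching is case-insensitive on both the process name and the extension, so the upper-cased record is still caught, while the backup-directory write and the non-executable file are dropped.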