Microsoft Sync Center Suspicious Network Connections

Sigma Rules

Summary
This detection rule identifies potentially suspicious network connections initiated by Microsoft Sync Center through the 'mobsync.exe' executable. It focuses on connections that reach external public IP addresses and filters out connections to known local private IP ranges. This matters because normal operation of Microsoft Sync Center involves access to private network resources, so any attempt to communicate with external networks could indicate an exploitation vector or malicious activity. By examining the outgoing connections generated by this process, security teams can gain insight into unauthorized data exfiltration or command-and-control communications, making this rule essential for monitoring abnormal behavior in a Windows environment.
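The rule logic above, run over constructed Sysmon Event ID 3 style records as an added illustration (not the published Sigma rule or its exact filter list): the local allowlist below is an assumption (RFC 1918, loopback, link-local and IPv6 unique-local), IPv4-mapped IPv6 destinations are unwrapped before the check, and unparseable destinations are never allowlisted.

```python
import ipaddress
from typing import Dict, List

# Address ranges the rule treats as expected local traffic (assumed here:
# RFC 1918, loopback, link-local, IPv6 unique-local; the published rule's list may differ).
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "::1/128",                           # loopback
    "169.254.0.0/16", "fe80::/10",                      # link-local
    "fc00::/7",                                         # IPv6 unique local
)]

# Constructed Sysmon Event ID 3 style records; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\mobsync.exe", "DestinationIp": "192.168.1.20", "DestinationPort": "445"},
    {"Image": r"C:\Windows\System32\mobsync.exe", "DestinationIp": "203.0.113.45", "DestinationPort": "443"},
    {"Image": r"C:\Windows\System32\MOBSYNC.EXE", "DestinationIp": "2001:db8::10", "DestinationPort": "80"},
    {"Image": r"C:\Windows\System32\mobsync.exe", "DestinationIp": "::ffff:10.1.2.3", "DestinationPort": "445"},
    {"Image": r"C:\Windows\System32\mobsync.exe", "DestinationIp": "fe80::1", "DestinationPort": "80"},
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "203.0.113.45", "DestinationPort": "443"},
    {"Image": r"C:\Windows\System32\mobsync.exe", "DestinationIp": "not-an-ip", "DestinationPort": "443"},
]

def is_local_address(ip_text: str) -> bool:
    """True when the destination falls inside one of LOCAL_RANGES."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable value: never allowlist it
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the RFC 1918 checks still apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # `in` is False across address families, so mixed-version checks are safe.
    return any(ip in net for net in LOCAL_RANGES)

def is_suspicious(event: Dict[str, str]) -> bool:
    """Rule logic: mobsync.exe (case-insensitive) connecting outside LOCAL_RANGES."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\mobsync.exe"):
        return False
    return not is_local_address(event.get("DestinationIp", ""))

def find_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that match the rule."""
    return [e for e in events if is_suspicious(e)]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['DestinationIp']}:{hit['DestinationPort']}")
```

Against the sample set this flags the public IPv4 destination, the non-local IPv6 destination and the unparseable value, while the private, link-local and IPv4-mapped private destinations and the svchost.exe connection pass.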
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
Created: 2022-04-28