PUA - FreeFileSync Execution

Rule Info

Name
PUA - FreeFileSync Execution
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects execution of FreeFileSync, which is a legitimate tool but can be abused for data exfiltration. FreeFileSync is a folder comparison and synchronization software that can be used to transfer files between systems. If you don't usually use FreeFileSync on your enterprise, this warrants further investigation as it could be a sign of data exfiltration.
Reference
https://www.synacktiv.com/en/publications/legitimate-exfiltration-tools-summary-and-detection-for-incident-response-and-threat#freefilesync
Date
2025-04-08 00:00:00
Modified
None
Id
94c41872-7a8c-4f07-b1e4-3f78f61b70d5
Tags
attack.exfiltration attack.t1567
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022