Query Details

Detecting Abuse of Syncthing Tool to Steal Data

Query

**Detecting abuse of SyncThing tool to steal data**

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    |
| ---  | --- |
| T1071.002 | Application Layer Protocol: File Transfer Protocols  |

| Author | Sergio Albea (06/11/2025)   |
| ---  | --- |

**Description:** Syncthing is a peer-to-peer file synchronization utility, designed to sync files between devices on a local network or between remote devices over the Internet.
This utility has already been abused by malicious actors to exfiltrate data.
The following KQL query detects connections to remote IPs made by this software and reports the country of each remote IP.

```
DeviceNetworkEvents
// Country of the remote peer, derived from the remote IP address
| extend geo_info = tostring(geo_info_from_ip_address(RemoteIP).country)
// Syncthing started headless (no web UI); the command line must contain this exact phrase
| where InitiatingProcessCommandLine has "syncthing.exe --no-browser"
// No filter on RemoteIPType is applied, so LAN peers are listed as well;
// adding `| where RemoteIPType == "Public"` keeps only external addresses
| summarize by DeviceName, LocalIP, RemoteIP, geo_info, InitiatingProcessVersionInfoProductName, InitiatingProcessCommandLine, ActionType
```

Explanation

This query is designed to detect potential misuse of the Syncthing tool, which can be used to illegally transfer data. Syncthing is a utility that synchronizes files between devices, and while it is legitimate software, it can be exploited by malicious actors to exfiltrate data.

Here's a breakdown of what the query does:

  1. Data Source: It examines network events from devices, specifically looking at connections made by processes on those devices.

  2. Geo-Location: It adds geographical information to the data by determining the country associated with the remote IP address involved in the connection.

  3. Process Identification: It filters the data to find instances where the Syncthing tool (syncthing.exe) is being used with the --no-browser option, which is a specific command-line argument that might indicate automated or scripted use.

  4. Data Summarization: The query then summarizes the data by listing the device name, local IP, remote IP, country of the remote IP, product name of the initiating process, the command line used to start the process, and the type of network action.

In simple terms, this query helps identify when and where the Syncthing tool is being used to connect to external IP addresses, potentially indicating unauthorized data transfers.
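A broader hunting variant, added here as an example and not part of the original query: it matches on the process image and product name instead of one exact command-line phrase, keeps only connections to public addresses, and flags hosts that reached a country outside an allow-list. The allow-list values are constructed placeholders, and the `lookback` window and `set_has_element` check on Syncthing's default sync port 22000 are assumptions for illustration.

```kql
// Added example, not the original query. Assumes the analyst keeps an allow-list of
// expected countries (placeholder values below) and tunes the lookback window.
let lookback = 7d;
let expected_countries = dynamic(["United States", "Germany"]);   // constructed placeholder
DeviceNetworkEvents
| where Timestamp > ago(lookback)
// Match on the image or product name, so the detection still fires when
// --no-browser is absent or the arguments are ordered differently
| where InitiatingProcessFileName =~ "syncthing.exe"
     or InitiatingProcessVersionInfoProductName =~ "Syncthing"
     or InitiatingProcessCommandLine contains "syncthing"
// Only connections to public addresses are relevant for exfiltration
| where RemoteIPType == "Public"
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| extend country = tostring(geo_info_from_ip_address(RemoteIP).country)
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Connections = count(),
    RemoteIPs = make_set(RemoteIP, 20),
    Countries = make_set(country, 20),
    Ports = make_set(RemotePort, 10),
    CommandLines = make_set(InitiatingProcessCommandLine, 5)
    by DeviceName, DeviceId, InitiatingProcessAccountName, InitiatingProcessSHA256
// Flag hosts that reached a country outside the allow-list, and note whether
// Syncthing's default sync port (22000) was used; operators can change that port
| extend UnexpectedCountry = array_length(set_difference(Countries, expected_countries)) > 0
| extend DefaultSyncPort = set_has_element(Ports, 22000)
| order by UnexpectedCountry desc, Connections desc
```

Grouping by `InitiatingProcessSHA256` lets the analyst pivot from a suspicious host to every other device that ran the same binary.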

Details


Sergio Albea

Released: November 6, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, RemoteIP, LocalIP, DeviceName, ActionType, InitiatingProcessVersionInfoProductName, InitiatingProcessCommandLine, GeoInfo

Operators

extend, tostring, geo_info_from_ip_address, where, has, summarize, by
