Lolbas OneDriveStandaloneUpdater.exe Proxy Download
Detects a custom URL being written to the registry value that OneDriveStandaloneUpdater.exe reads, which makes the signed updater download a file from the Internet without any anomalous executable or suspicious command line being involved. The downloaded file is written to C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
Sigma rule
title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download
id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
status: test
description: |
    Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
    anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
references:
    - https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
author: frack113
date: 2022-05-28
modified: 2023-08-17
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC'
    condition: selection
falsepositives:
    - Unknown
level: high
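To show what the rule's single `contains` selection actually does on the wire, here is an added example (written for this page, not code from the Sigma rule, SigmaHQ or the LOLBAS project) that evaluates the selection over a few constructed Sysmon Event ID 13 (registry value set) records, the event type Sigma's `registry_set` log source maps to. The event dictionaries, SIDs, image paths and URLs are invented for the example; only the `TargetObject` substring and the rule id are taken from the rule above. It also shows two details a practitioner wants to confirm: Sigma string modifiers match case-insensitively, so a lower-cased key path still fires, and the `Details` field of the event carries the URL that was written, which is the first thing to pull into triage.

```python
"""Minimal evaluator for the rule's TargetObject|contains selection.

Added example, not part of the Sigma rule or the SigmaHQ project. The sample
events below are constructed for this demonstration.
"""

# Values copied from the rule above.
RULE_ID = "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d"
TARGET_SUBSTRING = r"\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC"

# Constructed Sysmon Event ID 13 records (registry value set). SIDs, images
# and URLs are invented; example.invalid is a reserved, non-resolving domain.
SAMPLE_EVENTS = [
    {   # reg.exe writing the exact value the rule watches -> should match
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC",
        "Details": "https://example.invalid/payload.json",
    },
    {   # OneDrive touching an unrelated value under the same hive -> no match
        "EventID": 13,
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\OneDrive\UserSettings\SomeValue",
        "Details": "1",
    },
    {   # same value path written in lower case -> still matches (case-insensitive)
        "EventID": 13,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\software\microsoft\onedrive\updateofficeconfig\updateringsettingurlfromoc",
        "Details": "http://example.invalid/other.json",
    },
    {   # a registry *create* event (ID 12) for the same path -> outside registry_set
        "EventID": 12,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC",
        "Details": "",
    },
]


def sigma_contains(field_value, needle):
    """Sigma's string modifiers (contains, startswith, ...) are case-insensitive by default."""
    return needle.lower() in str(field_value).lower()


def matches_rule(event):
    """Apply the rule: registry_set (Sysmon EID 13) and TargetObject contains the watched path."""
    if event.get("EventID") != 13:
        return False
    return sigma_contains(event.get("TargetObject", ""), TARGET_SUBSTRING)


def find_hits(events):
    """Return one triage record per matching event: the writing process and the URL it set."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            hits.append({
                "rule_id": RULE_ID,
                "image": ev.get("Image"),
                "url": ev.get("Details"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints two hits (the `reg.exe` and `powershell.exe` writes) and ignores the unrelated OneDrive value and the EID 12 create event. In a real pipeline the `Details` URL is what you pivot on next: whether the host then reached that URL, and whether the JSON file named in the description appeared under the user's OneDrive `StandaloneUpdater` directory.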
Related rules
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Browser Execution In Headless Mode
- Cisco Stage Data
- Command Line Execution with Suspicious URL and AppData Strings