Lolbas OneDriveStandaloneUpdater.exe Proxy Download
Detects a custom download URL being set for OneDriveStandaloneUpdater.exe, which then fetches a file from the Internet without any anomalous executable or suspicious command line being observed. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json
Sigma rule
title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download
id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
status: experimental
description: |
    Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
    anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json
references:
    - https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
author: frack113
date: 2022/05/28
modified: 2023/08/17
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC'
    condition: selection
falsepositives:
    - Unknown
level: high
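As an added example (not part of the rule or of the Sigma project), the selection above evaluated in Python against constructed Sysmon registry events. Field names follow the Sysmon EventID 13 fields that Sigma's registry_set category maps to; the SID, hostnames, images and URL values are invented.

```python
# Selection from the rule's detection block: TargetObject|contains.
RULE_ID = "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d"
KEY_FRAGMENT = r"\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC"


def sigma_contains(field_value: str, pattern: str) -> bool:
    """Sigma's 'contains' modifier is a case-insensitive substring test."""
    return pattern.lower() in field_value.lower()


def matches(event: dict) -> bool:
    """True when a Sysmon EventID 13 (registry value set) event satisfies the selection."""
    if event.get("EventID") != 13:  # Sigma's registry_set category maps to value-set events
        return False
    return sigma_contains(event.get("TargetObject", ""), KEY_FRAGMENT)


def evaluate(events: list[dict]) -> list[dict]:
    """Return one alert per matching event, tagged with the rule id and level."""
    return [{"rule_id": RULE_ID, "level": "high", "image": e.get("Image"),
             "target": e["TargetObject"], "details": e.get("Details")}
            for e in events if matches(e)]

# Constructed sample events (not real telemetry); SID, hosts and images are invented.
SAMPLE_EVENTS = [
    {   # per-user hive, mixed case as Sysmon reports it -> alert
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\OneDrive"
                        r"\UpdateOfficeConfig\UpdateRingSettingURLFromOC",
        "Details": "https://updates.example.invalid/config",
    },
    {   # machine hive, all lower case -> still an alert, the modifier ignores case
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"hklm\software\microsoft\onedrive\updateofficeconfig\updateringsettingurlfromoc",
        "Details": "http://updates.example.invalid/",
    },
    {   # sibling value under the same key, written by OneDrive itself -> no alert
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRing",
        "Details": "Production",
    },
    {   # same value name but a delete event (EventID 12), outside registry_set -> no alert
        "EventID": 12, "EventType": "DeleteValue",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC",
    },
]
```

The third and fourth events show why the match is anchored on the full value name and on value-set events only: ordinary OneDrive ring settings under the same key, and deletions of the value, do not raise the alert.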
Related rules
- Greenbug Espionage Group Indicators
- Download from Suspicious Dyndns Hosts
- BITSAdmin Downloading Malicious Binaries (RedCanary Threat Detection Report)
- Certutil Downloading Malicious Binaries (RedCanary Threat Detection Report)
- Possible Raspberry Robin DLL Download Using msiexec (RedCanary Threat Detection Report)