| sigma |
microsoft365_suspicious_oauth_app_file_download_activities.yml |
description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user. |
DRL 1.0 |
| sigma |
proxy_cobalt_onedrive.yml |
title: CobaltStrike Malleable OneDrive Browsing Traffic Profile |
DRL 1.0 |
| sigma |
proxy_cobalt_onedrive.yml |
description: Detects Malleable OneDrive Profile |
DRL 1.0 |
| sigma |
proxy_cobalt_onedrive.yml |
cs-host: 'onedrive.live.com' |
DRL 1.0 |
| sigma |
proxy_cobalt_onedrive.yml |
c-uri\|contains: '://onedrive.live.com/' |
DRL 1.0 |
| sigma |
sysmon_mimikatz_detection_lsass.yml |
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow |
DRL 1.0 |
| sigma |
image_load_abusing_azure_browser_sso.yml |
- '\AppData\Local\Microsoft\OneDrive\OneDrive.exe' |
DRL 1.0 |
| sigma |
image_load_abusing_azure_browser_sso.yml |
- '\OneDrive.exe' |
DRL 1.0 |
| sigma |
image_load_susp_advapi32_dll.yml |
Image\|contains: '\AppData\Local\Microsoft\OneDrive\' |
DRL 1.0 |
| sigma |
image_load_uipromptforcreds_dlls.yml |
- 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\\*\Microsoft.SharePoint.exe' |
DRL 1.0 |
| sigma |
image_load_uipromptforcreds_dlls.yml |
- 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe' |
DRL 1.0 |
| sigma |
proc_access_win_cred_dump_lsass_access.yml |
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow |
DRL 1.0 |
| sigma |
proc_access_win_susp_proc_access_lsass.yml |
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow |
DRL 1.0 |
| sigma |
proc_access_win_susp_proc_access_lsass_susp_source.yml |
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow |
DRL 1.0 |
| sigma |
proc_creation_win_local_system_owner_account_discovery.yml |
- ' rmdir ' # don't match on 'dir' "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005" |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification_currentversion.yml |
- '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification_currentversion.yml |
- 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe' |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification_currentversion.yml |
Details\|contains: '\AppData\Local\Microsoft\OneDrive\' |
DRL 1.0 |
| sigma |
registry_event_persistence_search_order.yml |
- '\AppData\Local\Microsoft\OneDrive\' |
DRL 1.0 |
| sigma |
registry_event_persistence_search_order.yml |
- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level |
DRL 1.0 |
| sigma |
registry_event_taskcache_entry.yml |
- '\TaskCache\Tree\OneDrive Reporting' |
DRL 1.0 |
| sigma |
registry_event_taskcache_entry.yml |
- '\TaskCache\Tree\OneDrive Standalone Update Task' |
DRL 1.0 |
| sigma |
hawk.yml |
onedrive: |
DRL 1.0 |
| sigma |
hawk.yml |
service: onedrive |
DRL 1.0 |
| sigma |
hawk.yml |
product_name: "Onedrive" |
DRL 1.0 |
| LOLBAS |
OneDriveStandaloneUpdater.yml |
Description: OneDrive Standalone Updater |
|
| LOLBAS |
OneDriveStandaloneUpdater.yml |
Description: Download a file from the web address specified in HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC. ODSUUpdateXMLUrlFromOC and UpdateXMLUrlFromOC must be equal to non-empty string values in that same registry key. UpdateOfficeConfigTimestamp is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in %localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json |
|
| LOLBAS |
OneDriveStandaloneUpdater.yml |
- Path: '%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe' |
|
| LOLBAS |
OneDriveStandaloneUpdater.yml |
- IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL |
|
| LOLBAS |
OneDriveStandaloneUpdater.yml |
- IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files |
|
| malware-ioc |
casbaneiro |
- %APPDATA%\OneDrive\OneDrive.exe``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
| malware-ioc |
casbaneiro |
** OneDrive = %APPDATA%\OneDrive\OneDrive.exe``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
| malware-ioc |
interception |
C:\Users\<USER>\AppData\Local\Microsoft\OneDrive\OneDrive.exe |
© ESET 2014-2018 |
| malware-ioc |
interception |
C:\Users\<USER>\AppData\Local\Microsoft\oneDrive\oneDriveSync.exe |
© ESET 2014-2018 |
| malware-ioc |
2020_Q2 |
C:\OneDrive\OneDriveSync.exe |
© ESET 2014-2018 |
| malware-ioc |
2020_Q4 |
C:\ProgramData\OneDrive\OneDriveService.exe |
© ESET 2014-2018 |
| malware-ioc |
misp-turla-crutch-event.json |
"value": "%LOCALAPPDATA%\\Microsoft\\OneDrive\\dwmapi.dll", |
© ESET 2014-2018 |
| malware-ioc |
turla |
* ++%LOCALAPPDATA%\Microsoft\OneDrive\dwmapi.dll++``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
| signature-base |
apt_apt37_bluelight.yar |
description = “The BLUELIGHT malware family. Leverages Microsoft OneDrive for network communications.” |
CC BY-NC 4.0 |