LOLBAS/yml/OSBinaries/OneDriveStandaloneUpdater.yml

25 lines
1.4 KiB
YAML
Raw Normal View History

2021-08-28 11:16:35 +02:00
---
Name: OneDriveStandaloneUpdater.exe
Description: OneDrive Standalone Updater
Author: 'Elliot Killick'
Created: '2021-08-22'
Commands:
- Command: OneDriveStandaloneUpdater
Description: Download a file from the web address specified in HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC. ODSUUpdateXMLUrlFromOC and UpdateXMLUrlFromOC must be equal to non-empty string values in that same registry key. UpdateOfficeConfigTimestamp is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in %localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json
Usecase: Download a file from the Internet without executing any anomalous executables with suspicious arguments
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10
Full_Path:
2021-10-22 16:41:56 +02:00
- Path: '%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
2021-08-28 11:16:35 +02:00
Detection:
- IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
- IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files
2021-10-22 16:43:28 +02:00
Resources:
- Link: https://github.com/LOLBAS-Project/LOLBAS/pull/153
2021-08-28 11:16:35 +02:00
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'
---