mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
Merge pull request #153 from elliotkillick/OneDriveStandaloneUpdater
Create OneDriveStandaloneUpdater.yml
This commit is contained in:
commit
70a061d301
23
yml/OSBinaries/OneDriveStandaloneUpdater.yml
Normal file
23
yml/OSBinaries/OneDriveStandaloneUpdater.yml
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
---
|
||||||
|
Name: OneDriveStandaloneUpdater.exe
|
||||||
|
Description: OneDrive Standalone Updater
|
||||||
|
Author: 'Elliot Killick'
|
||||||
|
Created: '2021-08-22'
|
||||||
|
Commands:
|
||||||
|
- Command: OneDriveStandaloneUpdater
|
||||||
|
Description: Download a file from the web address specified in HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC. ODSUUpdateXMLUrlFromOC and UpdateXMLUrlFromOC must be equal to non-empty string values in that same registry key. UpdateOfficeConfigTimestamp is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in %localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json
|
||||||
|
Usecase: Download a file from the Internet without executing any anomalous executables with suspicious arguments
|
||||||
|
Category: Download
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1105
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1105/
|
||||||
|
OperatingSystem: Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
|
||||||
|
Detection:
|
||||||
|
- IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
|
||||||
|
- IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Elliot Killick
|
||||||
|
Handle: '@elliotkillick'
|
||||||
|
---
|
Loading…
Reference in New Issue
Block a user