From a509625acc431cafe3b63a1457c59d8305afaf82 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Fri, 22 Oct 2021 16:41:56 +0200
Subject: [PATCH] Update OneDriveStandaloneUpdater.yml
---
 yml/OSBinaries/OneDriveStandaloneUpdater.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OSBinaries/OneDriveStandaloneUpdater.yml b/yml/OSBinaries/OneDriveStandaloneUpdater.yml
index 4d64049..11133c0 100644
--- a/yml/OSBinaries/OneDriveStandaloneUpdater.yml
+++ b/yml/OSBinaries/OneDriveStandaloneUpdater.yml
@@ -13,7 +13,7 @@ Commands:
 MitreLink: https://attack.mitre.org/techniques/T1105/
 OperatingSystem: Windows 10
 Full_Path:
- - Path: %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
+ - Path: '%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
 Detection:
 - IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
 - IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files
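Review bot: The second IOC in the context lines points at `%localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log`, while the Full_Path quoted by this change sits under `%localappdata%\Microsoft\OneDrive\`, so the log path looks like it is missing the `Microsoft\` component. If that is the case, defenders following the entry would search a directory that does not hold the updater logs; this should be confirmed on a Windows 10 host and, if so, changed to `%localappdata%\Microsoft\OneDrive\setup\logs\StandaloneUpdate_*.log`. Separately, a plain YAML scalar cannot begin with `%`, so any other value in this file that starts with an environment variable needs the same single quotes; the rest of the file is outside this hunk, so that cannot be checked from here.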