Detection | high | test

Lolbas OneDriveStandaloneUpdater.exe Proxy Download

Detects the setting of a custom URL for OneDriveStandaloneUpdater.exe, which lets the updater download a file from the Internet without any anomalous executable or suspicious command-line arguments being involved. The downloaded file is written to C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json

Author: François Hubaut
Created Sat May 28, updated Thu Aug 17
Rule ID: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
Product: windows
Log Source
Windows / Registry Set
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (1 selector)
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC'
    condition: selection
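The rule above consists of a single selector, so evaluating it by hand is a good way to see exactly what it does and does not fire on. The following Python is an added example, not part of the Sigma rule or the SigmaHQ project: it applies the rule's TargetObject|contains test to a few constructed registry-set events shaped like Sysmon Event ID 13 records (field names Image, TargetObject, Details are the Sysmon ones; the URLs and process paths in the samples are made up for illustration). It also shows two properties of the selector worth knowing at triage time: Sigma string matching is case-insensitive unless the |cased modifier is used, and the leading backslash in the pattern means the match is independent of which hive prefix (HKLM, HKU\...) the event carries.

```python
"""Evaluate the rule's single selector over constructed registry-set events."""
from typing import Dict, List

# Substring copied from the rule's TargetObject|contains selector. The leading
# backslash lets it match whatever hive prefix the log source puts in front.
NEEDLE = r"\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC"


def sigma_contains(value: str, needle: str) -> bool:
    """Sigma string modifiers compare case-insensitively unless |cased is given."""
    return needle.lower() in value.lower()


def matches_rule(event: Dict[str, str]) -> bool:
    """The rule's condition is just 'selection', so one field test decides it."""
    return sigma_contains(event.get("TargetObject", ""), NEEDLE)


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the matching events reduced to the fields an analyst wants first:
    which process wrote the value, the full key path, and the URL that was set."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            hits.append({
                "Image": ev.get("Image", ""),
                "TargetObject": ev["TargetObject"],
                "Details": ev.get("Details", ""),
            })
    return hits


# Constructed sample events in the shape of Sysmon Event ID 13 (registry value set).
# Process paths and URLs are placeholders, not observed data.
SAMPLE_EVENTS = [
    {   # Value set under HKLM by reg.exe -> matches
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC",
        "Details": "https://example.invalid/placeholder-update-ring",
    },
    {   # Same value name with different casing -> still matches (case-insensitive contains)
        "EventType": "SetValue",
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingUrlFromOC",
        "Details": "https://example.invalid/other",
    },
    {   # Neighbouring OneDrive value with a different name -> no match
        "EventType": "SetValue",
        "Image": r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettings",
        "Details": "Production",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['Image']} set {hit['TargetObject']} = {hit['Details']}")
```

When this fires in a real environment, the Details field (the URL that was written) and the Image that wrote it are the two values to pivot on; the rule itself does not constrain either, which is why the page lists false positives as unassessed.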
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
Status
test
Level
high
Type
Detection
Created
Sat May 28
Modified
Thu Aug 17
Path
rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
Raw Tags
attack.command-and-control, attack.t1105