OneDrive Execution From Suspicious Location

Rule Info

Name
OneDrive Execution From Suspicious Location
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects OneDrive.exe being executed from a non-standard location, which may indicate a masqueraded malicious binary. Adversaries often rename their malicious executables to 'OneDrive.exe' to blend in with legitimate system activity and evade detection.
Reference
https://learn.microsoft.com/en-us/onedrive/per-machine-installation
Date
2026-03-16 00:00:00
Modified
None
Id
4beaec16-43d8-41d0-8919-c46c8c771350
Tags
attack.defense-evasion attack.t1036.005
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022