Adversaries may drop a malicious DLL named after a legitimate Windows library (here iphlpapi.dll) into the per-user OneDrive or Teams install folders under %LocalAppData%\Microsoft, so that the application loads the planted copy ahead of the genuine one in System32 (DLL search order hijacking, ATT&CK T1574.001) and the attacker's code runs inside a trusted, signed process. SOC teams should proactively hunt for this file creation: it indicates an attempt at persistence or defense evasion that rides on a trusted application's execution context.
Detection Rule
title: Malicious DLL File Dropped in the Teams or OneDrive Folder
id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163
status: test
description: |
    Detects creation of a malicious DLL file in the location where the OneDrive or Teams applications are installed.
    Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
references:
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
author: frack113
date: 2022-08-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - 'iphlpapi.dll'
            - '\AppData\Local\Microsoft'
    condition: selection
falsepositives:
    - Unknown
level: high
// ASIM FileEvent (KQL) translation. In the ASIM schema TargetFileName holds only the
// file name, so the directory test must run against TargetFilePath (the full path);
// testing both substrings against TargetFileName, as the original query did, can never match.
// Sigma's file_event category means file creation, hence the EventType filter.
imFileEvent
| where EventType == "FileCreated"
| where TargetFilePath contains "iphlpapi.dll" and TargetFilePath contains "\\AppData\\Local\\Microsoft"
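The following is an added example, not code from the Sigma rule, the original page, or the rule's author. It applies the rule's selection (TargetFilename|contains|all, case-insensitive and order-independent) to constructed Sysmon Event ID 11 (FileCreate) style records, separates a drop directly next to Teams.exe or OneDrive.exe from a looser match elsewhere under \AppData\Local\Microsoft, and shows how a process-based exclusion of the kind the false-positive scenarios on this page describe should be keyed (full image path, not bare process name). The events, the user names, the "Contoso" deployment agent and the assumed install layouts (classic Teams under \Teams\current, OneDrive under \OneDrive) are illustrative assumptions.

```python
# Added example (not part of the Sigma rule or the original page): evaluates the
# rule's selection against constructed Sysmon EID 11 style file-create events and
# applies a full-path process exclusion. All paths, users and the Contoso agent are
# made up for illustration.
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Sigma selection: both substrings must appear in the target path (case-insensitive).
REQUIRED_SUBSTRINGS = ("iphlpapi.dll", r"\AppData\Local\Microsoft")

# Assumed per-user install directories of the two applications. A DLL dropped directly
# into one of these is the search-order position the rule is really after.
SIDELOAD_DIRS = (
    r"\AppData\Local\Microsoft\Teams\current",
    r"\AppData\Local\Microsoft\OneDrive",
)

# Exclusions keyed on the full, lower-cased image path rather than the bare process
# name, so an attacker binary renamed to match the name does not inherit the exclusion.
# The Contoso deployment agent is a hypothetical tool for this example only.
EXCLUDED_IMAGES = {
    r"c:\program files\contoso deploy\deployagent.exe",
}


@dataclass(frozen=True)
class FileCreateEvent:
    target_filename: str  # Sysmon TargetFilename: full path of the created file
    image: str            # full path of the process that created it
    user: str


def sigma_match(target_filename: str) -> bool:
    """Mirror of the rule's contains|all modifier: every substring present, any order."""
    haystack = target_filename.lower()
    return all(needle.lower() in haystack for needle in REQUIRED_SUBSTRINGS)


def in_sideload_position(target_filename: str) -> bool:
    """True when the file's parent directory is one of the application directories."""
    parent = ntpath.dirname(target_filename).lower()
    return any(parent.endswith(d.lower()) for d in SIDELOAD_DIRS)


def triage(event: FileCreateEvent) -> str | None:
    """None when the rule does not fire; otherwise 'excluded', 'high' or 'medium'."""
    if not sigma_match(event.target_filename):
        return None
    if event.image.lower() in EXCLUDED_IMAGES:
        return "excluded"
    if in_sideload_position(event.target_filename):
        # explorer.exe / cmd.exe are deliberately not excluded: a user copy of a file
        # named iphlpapi.dll into the app directory is indistinguishable from the attack.
        return "high"
    return "medium"  # matches the rule, but not in the application directory itself


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    FileCreateEvent(r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\iphlpapi.dll",
                    r"C:\Users\alice\AppData\Local\Temp\setup_x64.exe", r"CORP\alice"),
    FileCreateEvent(r"C:\Windows\System32\iphlpapi.dll",
                    r"C:\Windows\servicing\TrustedInstaller.exe", r"NT AUTHORITY\SYSTEM"),
    FileCreateEvent(r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\iphlpapi.dll",
                    r"C:\Windows\explorer.exe", r"CORP\bob"),
    FileCreateEvent(r"C:\Users\carol\AppData\Local\Microsoft\Windows\INetCache\iphlpapi.dll",
                    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", r"CORP\carol"),
    FileCreateEvent(r"C:\Users\dave\AppData\Local\Microsoft\Teams\current\iphlpapi.dll",
                    r"C:\Program Files\Contoso Deploy\DeployAgent.exe", r"NT AUTHORITY\SYSTEM"),
]


def run_sample() -> list[tuple[str, str | None]]:
    """Evaluate the constructed events; returns (user, verdict) pairs in input order."""
    return [(e.user, triage(e)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, (_, verdict) in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{verdict or 'no match':9} {event.user:20} {event.image} -> {event.target_filename}")
```

The ordering of the checks is the design point: the exclusion set is consulted by full image path only, and explorer.exe is left out of it on purpose, so the user-copy case still surfaces as high when the destination is the application directory.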
Scenario: Scheduled System Update or Patching Job
Description: A scheduled update or patching job writes files into the OneDrive or Teams folder while it runs. Note that the genuine iphlpapi.dll is a Windows system library that lives in %SystemRoot%\System32 and is not shipped by either application, so an update that writes a file by that name into these folders deserves a look even when the writing process is trusted.
Filter/Exclusion: If an exclusion is still wanted, scope it to the Windows Update host (svchost.exe hosting the wuauserv service, or wuauclt.exe) by full image path and, where the telemetry carries it, service name or command line. Never exclude svchost.exe by bare image name; too much else runs under it.
Scenario: Admin Task for File Sync or Backup
Description: An administrator uses a tool such as robocopy (or an rsync port, where one is in use on Windows) to synchronize files between servers and user machines, temporarily placing a DLL in the OneDrive or Teams folder during the sync.
Filter/Exclusion: Exclude file creations whose creating image is the full path of robocopy.exe (or the sync agent in use), combined with the account the job runs under. File creation events do not carry a source IP, so tie the exclusion to the user or parent process rather than a network address.
Scenario: Legitimate Third-Party Application Integration
Description: An enterprise management tool (e.g., Microsoft Intune, formerly branded under the Microsoft Endpoint Manager name, or a Power Automate flow) deploys a DLL into the Teams or OneDrive folder as part of an integration or configuration step.
Filter/Exclusion: Exclude file creations from the management agent's full image path and verify the dropped DLL's Authenticode signature and hash against the System32 copy. A deployment that writes an unsigned or non-Microsoft iphlpapi.dll next to Teams.exe or OneDrive.exe is the sideloading case the rule exists for, whatever process wrote it.
Scenario: User-Initiated File Move or Copy
Description: A user manually moves or copies a DLL from another location into the Teams or OneDrive folder, which triggers the rule.
Filter/Exclusion: The creating process will be explorer.exe or, for a command-line copy, cmd.exe or powershell.exe (copy is a cmd.exe built-in; there is no copy.exe). Do not exclude these wholesale, and do not rely on the user being non-admin: a user dropping a file named iphlpapi.dll into an application directory is indistinguishable from the attack and should be triaged, ideally by comparing the file's hash and signature with the System32 copy.
Scenario: Antivirus or EDR Quarantine Process
Description: An antivirus or EDR tool quarantines a file and places it