LoFP / False positives may include other third-party cloud-based file storage software. Filter as necessary for your environment.

Techniques

Sample rules

Windows Cloud Files Filter Loaded by Uncommon Process

Description

The following analytic detects cldapi.dll being loaded (Sysmon Event ID 7, image load) by a process not associated with legitimate cloud sync activity. The Windows Cloud Files API (cldapi.dll) is abused by several local privilege escalation exploits, so a load from an unexpected process is worth triage.

Detection logic

`sysmon` EventID=7 ImageLoaded="*\\cldapi.dll"
NOT Image IN (
  "*\\box.exe",
  "*\\dropbox.exe",
  "*\\googledrivefs.exe",
  "*\\icloud.exe",
  "*\\onedrive*.exe",
  "*\\Windows\\explorer.exe",
  "*\\Windows\\System32\\*",
  "*\\Windows\\Syswow64\\*",
  "*\\Windows\\WinSxS\\*"
)
| stats count min(_time) as firstTime max(_time) as lastTime
    by Computer ImageLoaded EventID dest loaded_file loaded_file_path process_exec
       process_guid process_hash process_id process_name process_path
       service_dll_signature_exists service_dll_signature_verified signature_id user_id
       vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_cloud_files_filter_loaded_by_uncommon_process_filter`
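To check how the exclusion list above behaves before tuning it for your own environment, the search filter and the `stats` aggregation can be emulated offline over a handful of Sysmon Event ID 7 records. The Python below is an added example for this page, not code from LoFP or from the Splunk rule; it assumes that Splunk's wildcard `IN (...)` matching is case-insensitive (approximated here with `fnmatch` on lowercased strings) and groups only on Computer, Image and ImageLoaded rather than the rule's full by-field list. The events it runs over are constructed samples.

```python
import fnmatch
from typing import Dict, List, Tuple

# Exclusion list copied from the rule's NOT Image IN (...) clause: processes
# expected to load the Cloud Files API (cloud sync clients and Windows paths).
EXCLUDED_IMAGE_PATTERNS: List[str] = [
    r"*\box.exe",
    r"*\dropbox.exe",
    r"*\googledrivefs.exe",
    r"*\icloud.exe",
    r"*\onedrive*.exe",
    r"*\Windows\explorer.exe",
    r"*\Windows\System32\*",
    r"*\Windows\Syswow64\*",
    r"*\Windows\WinSxS\*",
]

CLDAPI_PATTERN = r"*\cldapi.dll"


def matches_any(value: str, patterns: List[str]) -> bool:
    """Splunk-style wildcard match: '*' matches anything (including backslashes)
    and the comparison is case-insensitive (assumption: fnmatchcase on lowercased
    strings is a close enough approximation for path patterns)."""
    lowered = value.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def is_uncommon_cldapi_load(event: dict) -> bool:
    """Apply the rule's search filter to one Sysmon event dict."""
    if event.get("EventID") != 7:  # image-load events only
        return False
    if not matches_any(event.get("ImageLoaded", ""), [CLDAPI_PATTERN]):
        return False
    # Anything on the allow-list is a known cloud sync client or a Windows path.
    return not matches_any(event.get("Image", ""), EXCLUDED_IMAGE_PATTERNS)


def summarize(events: List[dict]) -> Dict[Tuple[str, str, str], dict]:
    """Emulate `stats count min(_time) as firstTime max(_time) as lastTime by ...`
    for the matching events, grouped on (Computer, Image, ImageLoaded)."""
    groups: Dict[Tuple[str, str, str], dict] = {}
    for ev in events:
        if not is_uncommon_cldapi_load(ev):
            continue
        key = (ev["Computer"], ev["Image"], ev["ImageLoaded"])
        rec = groups.setdefault(
            key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]}
        )
        rec["count"] += 1
        rec["firstTime"] = min(rec["firstTime"], ev["_time"])
        rec["lastTime"] = max(rec["lastTime"], ev["_time"])
    return groups


# Constructed sample events (_time is epoch seconds); not real telemetry.
SAMPLE_EVENTS: List[dict] = [
    {"_time": 1700000000, "Computer": "WS01", "EventID": 7,
     "Image": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
     "ImageLoaded": r"C:\Windows\System32\cldapi.dll"},    # allow-listed sync client
    {"_time": 1700000010, "Computer": "WS01", "EventID": 7,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\cldapi.dll"},    # System32 path, excluded
    {"_time": 1700000020, "Computer": "WS01", "EventID": 7,
     "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\cldapi.dll"},    # explorer.exe, excluded
    {"_time": 1700000030, "Computer": "WS01", "EventID": 7,
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},  # not cldapi.dll
    {"_time": 1700000040, "Computer": "WS01", "EventID": 7,
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\cldapi.dll"},    # flagged
    {"_time": 1700000340, "Computer": "WS01", "EventID": 7,
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\cldapi.dll"},    # flagged again, same group
]


if __name__ == "__main__":
    for (computer, image, dll), rec in summarize(SAMPLE_EVENTS).items():
        print(f"{computer} {image} -> {dll}: count={rec['count']} "
              f"firstTime={rec['firstTime']} lastTime={rec['lastTime']}")
```

Only the updater.exe loads survive the filter and collapse into one row with count 2, which is the shape the Splunk search produces before the `_filter` macro is applied. Adding another storage client to `EXCLUDED_IMAGE_PATTERNS` and re-running is a quick way to see what a proposed exclusion would suppress.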