Techniques
Sample rules
Windows Cloud Files Filter Loaded by Uncommon Process
- source: splunk
- techniques:
Description
The following analytic detects cldapi.dll being loaded by a process not associated with legitimate cloud sync activity. The Windows Cloud Files API (cldapi.dll) is abused by several local privilege escalation exploits.
Detection logic
`sysmon`
EventID=7
ImageLoaded="*\\cldapi.dll"
NOT Image IN (
"*\\box.exe",
"*\\dropbox.exe",
"*\\googledrivefs.exe",
"*\\icloud.exe",
"*\\onedrive*.exe",
"*\\Windows\\explorer.exe",
"*\\Windows\\System32\\*",
"*\\Windows\\Syswow64\\*",
"*\\Windows\\WinSxS\\*"
)
| stats count min(_time) as firstTime
max(_time) as lastTime
by Computer ImageLoaded EventID dest loaded_file loaded_file_path process_exec
process_guid process_hash process_id process_name process_path
service_dll_signature_exists service_dll_signature_verified signature_id user_id
vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_cloud_files_filter_loaded_by_uncommon_process_filter`
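The same detection logic as an added Python example, not part of the Splunk content or its macros: the rule's exclusion globs are applied to constructed Sysmon EventID 7 records and the surviving loads are aggregated into count, firstTime and lastTime per computer and image. The record field names, host name and timestamps are assumptions.

```python
import fnmatch

# Exclusion list copied from the rule: images that legitimately load cldapi.dll.
ALLOWED_IMAGE_GLOBS = [
    "*\\box.exe", "*\\dropbox.exe", "*\\googledrivefs.exe", "*\\icloud.exe",
    "*\\onedrive*.exe", "*\\Windows\\explorer.exe", "*\\Windows\\System32\\*",
    "*\\Windows\\Syswow64\\*", "*\\Windows\\WinSxS\\*",
]

def _wild(value, pattern):
    # Case-insensitive wildcard match; '*' spans path separators, as in Splunk's IN() wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def is_uncommon_cldapi_load(event):
    """True for a Sysmon EventID 7 record where cldapi.dll is loaded by a non-allowlisted image."""
    if event.get("EventID") != 7 or not _wild(event.get("ImageLoaded", ""), "*\\cldapi.dll"):
        return False
    return not any(_wild(event.get("Image", ""), g) for g in ALLOWED_IMAGE_GLOBS)

def summarize(events):
    """Mirror the rule's stats: count, firstTime and lastTime per (Computer, Image, ImageLoaded)."""
    rows = {}
    for ev in events:
        if not is_uncommon_cldapi_load(ev):
            continue
        key = (ev["Computer"], ev["Image"], ev["ImageLoaded"])
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows

# Constructed Sysmon EventID 7 records (not real telemetry); _time is a Unix timestamp.
CLDAPI = "C:\\Windows\\System32\\cldapi.dll"
TEMP_EXE = "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "_time": 1700000000, "Computer": "ws01", "Image": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe", "ImageLoaded": CLDAPI},
    {"EventID": 7, "_time": 1700000100, "Computer": "ws01", "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": CLDAPI},
    {"EventID": 7, "_time": 1700000200, "Computer": "ws01", "Image": TEMP_EXE, "ImageLoaded": CLDAPI},
    {"EventID": 7, "_time": 1700000260, "Computer": "ws01", "Image": TEMP_EXE, "ImageLoaded": CLDAPI},
    {"EventID": 7, "_time": 1700000300, "Computer": "ws01", "Image": TEMP_EXE, "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
]

if __name__ == "__main__":
    for key, row in summarize(SAMPLE_EVENTS).items():
        print(key, row)
```

Because the wildcard spans directory separators, a glob such as `*\\onedrive*.exe` also excludes any executable located under a directory whose name contains "onedrive", so the allowlist is broader than the file names alone suggest.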