Medium Risk | Windows | Legitimate | Commonly Abused
OneDrive.exe (Cloud Storage)

OneDrive.exe - Microsoft OneDrive Security Analysis

OneDrive.exe is the Microsoft OneDrive cloud sync client. Attackers abuse OneDrive for data exfiltration over a trusted channel, malware distribution via shared files, and C2 communication using the OneDrive API. Because it is built into Windows 10/11, it is an attractive target for abuse.

Last verified: Jan 18, 2026

Risk Summary

MEDIUM priority for SOC triage. OneDrive.exe is a legitimate cloud sync client frequently abused for exfiltration and C2. Monitor for sensitive file sync, API abuse by non-OneDrive processes, and unusual sync activity.

Overview

What is OneDrive.exe?

OneDrive is Microsoft's cloud file storage and sync service.

Core Functions

File Sync:

  • Cloud synchronization
  • Selective sync
  • Version history
  • Sharing capabilities

Security Significance

  • Built-in Windows: Pre-installed on Windows 10/11
  • Trusted Channel: Traffic goes to Microsoft domains
  • API Access: Can be driven programmatically (Microsoft Graph API)
  • Enterprise Presence: Common in corporate environments

Normal Behavior

Expected Process State

Property    Expected Value
Path        %LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe
Parent      explorer.exe (startup)
User        Logged-in user
Network     onedrive.live.com, sharepoint.com

Sync Folder

Default: %USERPROFILE%\OneDrive\
Business: %USERPROFILE%\OneDrive - CompanyName\

Common Locations

C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Path:        %LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe
Network:     Microsoft domains
Behavior:    Normal file sync

SUSPICIOUS

Behavior:    Syncing unusual directories
             Large unexpected uploads
             API calls from non-OneDrive process
             Sync of credential files
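
The following script is an added example, not part of the original page, showing how the Expected Process State table above and the SUSPICIOUS indicators in this section can be turned into triage logic. It runs over Sysmon-style process, network and file records that are constructed inline; the record layout, the Graph API host, the allowlist of API clients and the credential-file name patterns are assumptions made for the example.

```python
"""Triage constructed OneDrive.exe telemetry against the expected state.

Added example, not from the original page. It applies the Expected Process
State table (path, parent, user, network) and the SUSPICIOUS indicators to
Sysmon-style records that are constructed inline below. The record layout,
the Graph API host, the allowlist and the credential-file patterns are
assumptions made for this example.
"""
from dataclasses import dataclass
import fnmatch
import ntpath

# Expected state, taken from the page's table.
EXPECTED_IMAGE = r"C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
EXPECTED_PARENTS = {"explorer.exe"}
EXPECTED_DOMAINS = ("onedrive.live.com", "sharepoint.com")
UNEXPECTED_USERS = {"nt authority\\system", "nt authority\\local service"}

# Assumptions for this example: the Graph endpoint an API client would reach,
# processes that may legitimately reach it, and names that look like credentials.
ONEDRIVE_API_HOSTS = ("graph.microsoft.com",)
ALLOWED_API_CLIENTS = {"onedrive.exe", "msedge.exe", "outlook.exe", "teams.exe"}
CREDENTIAL_PATTERNS = ("id_rsa", "ntds.dit", "sam", "*.kdbx", "*.pfx")


@dataclass
class Event:
    kind: str              # "process", "network" or "file"
    image: str             # full path of the acting process
    parent: str = ""       # parent image (process events)
    user: str = ""         # account the process runs as (process events)
    dest_host: str = ""    # destination hostname or IP (network events)
    target_file: str = ""  # file written (file events)


def path_matches(path: str, pattern: str) -> bool:
    """Component-wise match where '*' stands for exactly one path component."""
    parts, pat = path.lower().split("\\"), pattern.lower().split("\\")
    return len(parts) == len(pat) and all(q == "*" or p == q for p, q in zip(parts, pat))


def host_matches(host: str, suffixes) -> bool:
    """True when host equals one of the suffixes or is a subdomain of it."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def in_sync_folder(path: str) -> bool:
    """Default '...\\OneDrive\\' or Business '...\\OneDrive - Company\\' folder."""
    p = path.lower()
    return "\\onedrive\\" in p or "\\onedrive - " in p


def triage(ev: Event) -> list:
    """Return the indicators that make this record suspicious (empty = expected)."""
    reasons = []
    name = ntpath.basename(ev.image).lower()
    is_onedrive = name == "onedrive.exe"

    if ev.kind == "process" and is_onedrive:
        if not path_matches(ev.image, EXPECTED_IMAGE):
            reasons.append("unexpected image path")
        if ntpath.basename(ev.parent).lower() not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {ntpath.basename(ev.parent)}")
        if ev.user.lower() in UNEXPECTED_USERS:
            reasons.append(f"running as {ev.user}, not a logged-in user")

    elif ev.kind == "network":
        if is_onedrive and not host_matches(ev.dest_host, EXPECTED_DOMAINS):
            reasons.append(f"unexpected destination {ev.dest_host}")
        if (not is_onedrive and host_matches(ev.dest_host, ONEDRIVE_API_HOSTS)
                and name not in ALLOWED_API_CLIENTS):
            reasons.append(f"OneDrive API host contacted by non-OneDrive process {name}")

    elif ev.kind == "file" and in_sync_folder(ev.target_file):
        base = ntpath.basename(ev.target_file).lower()
        if any(fnmatch.fnmatchcase(base, pat) for pat in CREDENTIAL_PATTERNS):
            reasons.append(f"credential-like file {base} written to sync folder")

    return reasons


def count_suspicious(events) -> int:
    """Number of records with at least one indicator."""
    return sum(1 for ev in events if triage(ev))


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
          parent=r"C:\Windows\explorer.exe", user=r"CORP\alice"),
    Event("process", r"C:\Users\Public\OneDrive.exe",
          parent=r"C:\Windows\System32\cmd.exe", user=r"CORP\alice"),
    Event("network", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
          dest_host="onedrive.live.com"),
    Event("network", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
          dest_host="203.0.113.5"),
    Event("network", r"C:\Windows\Temp\updater.exe", dest_host="graph.microsoft.com"),
    Event("file", r"C:\Windows\explorer.exe",
          target_file=r"C:\Users\alice\OneDrive - Contoso\backup\id_rsa"),
    Event("file", r"C:\Windows\explorer.exe",
          target_file=r"C:\Users\alice\OneDrive\Documents\report.docx"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.kind:8} {ntpath.basename(ev.image):14} -> {triage(ev) or 'expected'}")
```

The allowlist of API clients is deliberately short: browsers and Office applications reach graph.microsoft.com legitimately, so in production the list should be derived from a baseline of the environment rather than guessed, and the "non-OneDrive process" indicator should be treated as a triage lead rather than a verdict.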

Abuse Techniques

Attack Techniques

Technique #1: Data Exfiltration (T1567.002)

Exfil via Sync Folder:

  • Copy sensitive files to OneDrive folder
  • Automatic upload to cloud
  • Hard to distinguish from legitimate sync activity

Technique #2: C2 via OneDrive API (T1102.002)

Using Microsoft Graph API:

  • Upload/download commands
  • Traffic appears legitimate
  • Bypasses many controls

Technique #3: Malware Distribution

Sharing malware via OneDrive links.

Remediation Steps

Protection and Remediation

Defense: DLP Integration

Apply DLP policies to OneDrive so that uploads of sensitive content are flagged or blocked.

Defense: Conditional Access

Restrict OneDrive sync to managed devices.

If Compromise Suspected

  1. Review sync activity logs
  2. Check shared files/folders
  3. Audit API applications
  4. Review access logs in admin center

Investigation Checklist

  • Review recent sync activity
  • Check for sensitive file uploads
  • Audit shared links
  • Review connected applications
  • Check admin center logs

MITRE ATT&CK Techniques