Tags: Medium Risk | Windows | Legitimate | Commonly Abused
OneDrive.exe (Cloud Storage)

OneDrive.exe - Microsoft OneDrive Security Analysis

OneDrive.exe is the **Microsoft OneDrive cloud sync client**. Attackers abuse OneDrive for **data exfiltration** over trusted channels, **malware distribution** via shared files, and **C2 communication** using the OneDrive API. Being built into Windows 10/11 makes it an attractive abuse target.

Risk Summary

MEDIUM priority for SOC triage. OneDrive.exe is a legitimate cloud sync client frequently abused for exfiltration and C2. Monitor for sensitive file sync, API abuse by non-OneDrive processes, and unusual sync activity.

Overview

What is OneDrive.exe?

OneDrive is Microsoft's cloud file storage and sync service.

Core Functions

File Sync:

  • Cloud synchronization
  • Selective sync
  • Version history
  • Sharing capabilities

Security Significance

  • Built-in Windows: Pre-installed on Win 10/11
  • Trusted Channel: Microsoft domain traffic
  • API Access: Can be automated
  • Enterprise Presence: Common in corporate environments

Normal Behavior

Expected Process State

Property    Expected Value
Path        %LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe
Parent      explorer.exe (startup)
User        Logged-in user
Network     onedrive.live.com, sharepoint.com

Sync Folder

Default: %USERPROFILE%\OneDrive\
Business: %USERPROFILE%\OneDrive - CompanyName\

Common Locations

C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Path:        %LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe
Network:     Microsoft domains
Behavior:    Normal file sync

SUSPICIOUS

Behavior:    Syncing unusual directories
             Large unexpected uploads
             API calls from non-OneDrive process
             Sync of credential files
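
To make the SUSPICIOUS indicators above concrete, here is an added Python triage example (not from the original page) that checks constructed Sysmon-style events for two of them: OneDrive/Graph endpoints contacted by a process other than OneDrive.exe at its expected path, and credential-material files landing in the sync folder. The endpoint list, credential-file patterns and sample records are assumptions.

```python
import re

# Expected OneDrive.exe image path; the user-profile segment varies per user.
EXPECTED_IMAGE_RE = re.compile(
    r"^C:\\Users\\[^\\]+\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive\.exe$", re.I)
# Default and Business sync folders: %USERPROFILE%\OneDrive\ or \OneDrive - Company\
SYNC_FOLDER_RE = re.compile(r"^C:\\Users\\[^\\]+\\OneDrive( - [^\\]+)?\\", re.I)
# OneDrive / Graph endpoints (assumed list). Other Microsoft clients also use
# Graph, so tune the allow-list of permitted images before deploying.
ONEDRIVE_HOSTS = ("onedrive.live.com", "sharepoint.com", "graph.microsoft.com")
# Credential-material file names a sync client should never be uploading (constructed).
CREDENTIAL_PATTERNS = (r"\.kdbx$", r"\\id_rsa$", r"\.pfx$", r"\\ntds\.dit$", r"\\SAM$")

def is_onedrive_binary(image: str) -> bool:
    """True only when the image is OneDrive.exe at its expected per-user path."""
    return EXPECTED_IMAGE_RE.match(image) is not None

def is_onedrive_host(host: str) -> bool:
    """Exact or subdomain match against the OneDrive/Graph endpoint list."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in ONEDRIVE_HOSTS)

def triage(events):
    """Return (rule_name, event) pairs for events matching a suspicious indicator."""
    hits = []
    for ev in events:
        if (ev["type"] == "network" and is_onedrive_host(ev["dest_host"])
                and not is_onedrive_binary(ev["image"])):
            hits.append(("api_from_non_onedrive_process", ev))
        elif (ev["type"] == "file_create" and SYNC_FOLDER_RE.match(ev["target"])
                and any(re.search(p, ev["target"], re.I) for p in CREDENTIAL_PATTERNS)):
            hits.append(("credential_file_in_sync_folder", ev))
    return hits

# Constructed sample telemetry (Sysmon-style network-connect / file-create events).
SAMPLE_EVENTS = [
    {"type": "network", "dest_host": "onedrive.live.com",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "network", "dest_host": "graph.microsoft.com",
     "image": r"C:\Users\Public\update.exe"},                      # not OneDrive.exe
    {"type": "file_create", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\OneDrive\Documents\budget.xlsx"},  # normal sync
    {"type": "file_create", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\alice\OneDrive - Contoso\backup\passwords.kdbx"},
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(f"{rule}: {ev['image']}")
```

Only the second and fourth sample events are flagged; the first is the genuine client on its expected path and the third is an ordinary document sync.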

Abuse Techniques

Attack Techniques

Technique #1: Data Exfiltration (T1567.002)

Exfil via Sync Folder:

  • Copy sensitive files to OneDrive folder
  • Automatic upload to cloud
  • Difficult to detect

Technique #2: C2 via OneDrive API (T1102.002)

Using Microsoft Graph API:

  • Upload/download commands
  • Traffic appears legitimate
  • Bypasses many controls

Technique #3: Malware Distribution

Sharing malware via OneDrive links.

Remediation Steps

Protection and Remediation

Defense: DLP Integration

Integrate OneDrive with DLP policies.

Defense: Conditional Access

Restrict OneDrive sync to managed devices.

If Compromise Suspected

  1. Review sync activity logs
  2. Check shared files/folders
  3. Audit API applications
  4. Review access logs in admin center

Investigation Checklist

  • Review recent sync activity
  • Check for sensitive file uploads
  • Audit shared links
  • Review connected applications
  • Check admin center logs

MITRE ATT&CK Techniques

Last verified: January 18, 2026