Cobalt Strike - OneDrive DLL injection

Advanced Persistent Threats (APTs) Ransomware threat actors are targeting more legitimate software's used in global companies like default backup solutions such as Microsoft OneDrive.

Therefore, when investigating the missing OneDrive DLL's with ProcMon, the file "cscapi.dll" is loaded from "C:\Users\%USERNAME%\AppData\Local\Microsoft\OneDrive".

This allows threat actors to gain persistence when end-user opens OneDrive since the DLL will be loaded in the process.

https://youtu.be/bs_fMlw6DvE

cobalt cobalt strike cybersecurity dll injection onedrive strike