ONENOTE drops suspicious file
Sigma rule:
title: ONENOTE drops suspicious file
status: experimental
description: ONENOTE drops suspicious file
author: Joe Security
date: 2023-01-11
id: 200109
threatname:
behaviorgroup: 1
classification: 7
logsource:
  service: sysmon
  product: windows
detection:
  selection:
    EventID: 11
    Image:
      - '*\microsoft office\root\office*\onenote.exe'
      - '*\microsoft office\office*\onenote.exe'
    TargetFilename:
      - '*\exported*\\*.hta'
      - '*\exported*\\*.lnk'
      - '*\exported*\\*.vbs'
      - '*\exported*\\*.js'
      - '*\exported*\\*.bat'
      - '*\onenoteofflinecache_files\\*.hta'
      - '*\onenoteofflinecache_files\\*.vbs'
      - '*\onenoteofflinecache_files\\*.js'
      - '*\onenoteofflinecache_files\\*.bat'
  condition: selection
level: critical
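As an added example (not code from the Joe Security rule page), the following Python evaluates this rule's selection map against constructed Sysmon Event 11 (FileCreate) records. It implements Sigma's value escaping, so that `\\*` in the TargetFilename patterns resolves to a literal backslash followed by a wildcard and matching is case-insensitive; the event records and helper names are my own assumptions.

```python
import re

# Sigma value escaping: '\\' is a literal backslash, '\*' and '\?' are literal
# characters, a bare '*' or '?' is a wildcard, any other '\x' stays a literal '\'.
def sigma_to_regex(pattern: str) -> re.Pattern:
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "\\*?":
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif ch in "*?":
            out.append(".*" if ch == "*" else ".")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return re.compile("".join(out), re.IGNORECASE)

# The rule's selection map, transcribed from the YAML above (raw strings keep backslashes).
SELECTION = {
    "EventID": [11],
    "Image": [r"*\microsoft office\root\office*\onenote.exe",
              r"*\microsoft office\office*\onenote.exe"],
    "TargetFilename": [r"*\exported*\\*" + ext for ext in (".hta", ".lnk", ".vbs", ".js", ".bat")]
                      + [r"*\onenoteofflinecache_files\\*" + ext for ext in (".hta", ".vbs", ".js", ".bat")],
}

def field_matches(value, patterns) -> bool:
    # A list under one field is a disjunction; integers compare exactly, strings as wildcards.
    if value is None:
        return False
    return any(value == p if isinstance(p, int) else bool(sigma_to_regex(p).fullmatch(str(value)))
               for p in patterns)

def matches_rule(event: dict) -> bool:
    # Every field of the selection map must match (conjunction); the condition is just 'selection'.
    return all(field_matches(event.get(f), pats) for f, pats in SELECTION.items())

# Constructed Sysmon Event 11 records for illustration, not real telemetry.
EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\{1A2B}\NT\0\invoice.hta"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\{1A2B}\NT\0\diagram.png"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\Exported\macro.vbs"},
]

def alerts(events) -> list:
    return [e["TargetFilename"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    for path in alerts(EVENTS):
        print("ALERT:", path)
```

Only the first record fires: the second is a benign export (.png) and the third is written by a different process image, which is why both Image and TargetFilename are required by the selection.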