OneNote Attachment File Dropped In Suspicious Location

Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments

Sigma rule (View on GitHub)

 1title: OneNote Attachment File Dropped In Suspicious Location
 2id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0
 3status: test
 4description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
 5references:
 6    - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
 7    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-01-22
10modified: 2023-09-19
11tags:
12    - attack.defense-evasion
13logsource:
14    category: file_event
15    product: windows
16detection:
17    selection:
18        TargetFilename|contains:
19            # Note: add more common locations for drops such as download folders and the like. Or baseline legitimate locations and alert on everything else
20            - '\AppData\Local\Temp\'
21            - '\Users\Public\'
22            - '\Windows\Temp\'
23            - ':\Temp\'
24        TargetFilename|endswith:
25            - '.one'
26            - '.onepkg'
27    filter_main_onenote:
28        Image|contains: ':\Program Files\Microsoft Office\'
29        Image|endswith: '\ONENOTE.EXE'
30    condition: selection and not 1 of filter_main_*
31falsepositives:
32    - Legitimate usage of ".one" or ".onepkg" files from those locations
33level: medium

References

Related rules

to-top