OneNote Attachment File Dropped In Suspicious Location
Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
Sigma rule

title: OneNote Attachment File Dropped In Suspicious Location
id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0
status: test
description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
references:
    - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-09-19
tags:
    - attack.defense-evasion
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            # Note: add more common locations for drops such as download folders and the like. Or baseline legitimate locations and alert on everything else
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - ':\Temp\'
        TargetFilename|endswith:
            - '.one'
            - '.onepkg'
    filter_main_onenote:
        Image|contains: ':\Program Files\Microsoft Office\'
        Image|endswith: '\ONENOTE.EXE'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate usage of ".one" or ".onepkg" files from those locations
level: medium
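The following is an added example, not part of the rule or of the Sigma project, that re-implements the rule's detection logic in Python and runs it over a handful of constructed Windows file-creation events. The event dicts use the Sysmon Event ID 11 field names that the `file_event` log source maps to (`TargetFilename`, `Image`); the `contains` and `endswith` modifiers are treated as case-insensitive substring and suffix tests, which is Sigma's default matching mode. The sample paths and process images are invented for illustration.

```python
"""Evaluate the 'OneNote Attachment File Dropped In Suspicious Location' logic
over constructed file-creation events. Added example, not the rule's own code."""

# Values copied from the rule's selection and filter blocks.
SUSPICIOUS_DIRS = (
    "\\AppData\\Local\\Temp\\",
    "\\Users\\Public\\",
    "\\Windows\\Temp\\",
    ":\\Temp\\",
)
ONENOTE_EXTENSIONS = (".one", ".onepkg")
OFFICE_DIR = ":\\Program Files\\Microsoft Office\\"
ONENOTE_IMAGE = "\\ONENOTE.EXE"


def _contains_any(value, needles):
    """Sigma '|contains' with a list: any needle is a case-insensitive substring."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith_any(value, suffixes):
    """Sigma '|endswith' with a list: any suffix matches, case-insensitively."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection(event):
    """'selection' block: both field conditions must hold (implicit AND)."""
    target = event.get("TargetFilename", "")
    return _contains_any(target, SUSPICIOUS_DIRS) and _endswith_any(
        target, ONENOTE_EXTENSIONS
    )


def filter_main_onenote(event):
    """'filter_main_onenote': the writing process must be ONENOTE.EXE *and*
    live under Program Files; a copy of the binary elsewhere is not excluded."""
    image = event.get("Image", "")
    return _contains_any(image, [OFFICE_DIR]) and _endswith_any(image, [ONENOTE_IMAGE])


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_onenote(event)


# Constructed sample events (not real telemetry), in Sysmon Event ID 11 shape.
SAMPLE_EVENTS = [
    {   # mail client writing a OneNote attachment into the user temp folder
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.one",
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
    },
    {   # OneNote itself writing a cache file: excluded by the filter
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\cache.one",
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE",
    },
    {   # binary named ONENOTE.EXE but outside Program Files: filter does not apply
        "TargetFilename": "C:\\Users\\Public\\notes.onepkg",
        "Image": "C:\\Users\\Public\\onenote.exe",
    },
    {   # ordinary notebook in a user's Documents folder: not a suspicious location
        "TargetFilename": "C:\\Users\\alice\\Documents\\Notes\\work.one",
        "Image": "C:\\Windows\\explorer.exe",
    },
    {   # suspicious folder but wrong extension
        "TargetFilename": "D:\\Temp\\readme.txt",
        "Image": "C:\\Windows\\System32\\notepad.exe",
    },
    {   # upper-case path: still matched because Sigma compares case-insensitively
        "TargetFilename": "C:\\WINDOWS\\TEMP\\PAYLOAD.ONE",
        "Image": "C:\\Windows\\System32\\cmd.exe",
    },
]


def run(events=SAMPLE_EVENTS):
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT:", hit)
```

Two points the sample set makes visible: the filter only suppresses writes when both the path and the image name match, so a legitimate OneNote write from an unexpected install location (or a renamed binary) still alerts, and the comparison is case-insensitive, so upper-cased paths in telemetry do not slip past the `contains`/`endswith` checks.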