OneNote.EXE Execution of Malicious Embedded Scripts
Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
Sigma rule (View on GitHub)
1title: OneNote.EXE Execution of Malicious Embedded Scripts
2id: 84b1706c-932a-44c4-ae28-892b28a25b94
3status: test
4description: |
5 Detects the execution of malicious OneNote documents that contain embedded scripts.
6 When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
7references:
8 - https://bazaar.abuse.ch/browse/tag/one/
9author: '@kostastsale'
10date: 2023-02-02
11tags:
12 - attack.defense-evasion
13 - attack.t1218.001
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 ParentImage|endswith: '\onenote.exe'
20 Image|endswith:
21 - '\cmd.exe'
22 - '\cscript.exe'
23 - '\mshta.exe'
24 - '\powershell.exe'
25 - '\pwsh.exe'
26 - '\wscript.exe'
27 CommandLine|contains:
28 - '\exported\'
29 - '\onenoteofflinecache_files\'
30 condition: selection
31falsepositives:
32 - Unlikely
33level: high
References
Related rules
- HH.EXE Execution
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- Diamond Sleet APT DLL Sideloading Indicators
- Diamond Sleet APT Scheduled Task Creation - Registry