Suspicious Microsoft OneNote Child Process
Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
Sigma rule

```yaml
title: Suspicious Microsoft OneNote Child Process
id: c27515df-97a9-4162-8a60-dc0eeb51b775
related:
    - id: 438025f9-5856-4663-83f7-52f878a70a50 # Generic rule for suspicious office application child processes
      type: derived
status: test
description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18
    - https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0
author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
date: 2022-10-21
modified: 2023-02-10
tags:
    - attack.t1566
    - attack.t1566.001
    - attack.initial-access
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\onenote.exe'
    selection_opt_img:
        - OriginalFileName:
              - 'bitsadmin.exe'
              - 'CertOC.exe'
              - 'CertUtil.exe'
              - 'Cmd.Exe'
              - 'CMSTP.EXE'
              - 'cscript.exe'
              - 'curl.exe'
              - 'HH.exe'
              - 'IEExec.exe'
              - 'InstallUtil.exe'
              - 'javaw.exe'
              - 'Microsoft.Workflow.Compiler.exe'
              - 'msdt.exe'
              - 'MSHTA.EXE'
              - 'msiexec.exe'
              - 'Msxsl.exe'
              - 'odbcconf.exe'
              - 'pcalua.exe'
              - 'PowerShell.EXE'
              - 'RegAsm.exe'
              - 'RegSvcs.exe'
              - 'REGSVR32.exe'
              - 'RUNDLL32.exe'
              - 'schtasks.exe'
              - 'ScriptRunner.exe'
              - 'wmic.exe'
              - 'WorkFolders.exe'
              - 'wscript.exe'
        - Image|endswith:
              - '\AppVLP.exe'
              - '\bash.exe'
              - '\bitsadmin.exe'
              - '\certoc.exe'
              - '\certutil.exe'
              - '\cmd.exe'
              - '\cmstp.exe'
              - '\control.exe'
              - '\cscript.exe'
              - '\curl.exe'
              - '\forfiles.exe'
              - '\hh.exe'
              - '\ieexec.exe'
              - '\installutil.exe'
              - '\javaw.exe'
              - '\mftrace.exe'
              - '\Microsoft.Workflow.Compiler.exe'
              - '\msbuild.exe'
              - '\msdt.exe'
              - '\mshta.exe'
              - '\msidb.exe'
              - '\msiexec.exe'
              - '\msxsl.exe'
              - '\odbcconf.exe'
              - '\pcalua.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regasm.exe'
              - '\regsvcs.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\schtasks.exe'
              - '\scrcons.exe'
              - '\scriptrunner.exe'
              - '\sh.exe'
              - '\svchost.exe'
              - '\verclsid.exe'
              - '\wmic.exe'
              - '\workfolders.exe'
              - '\wscript.exe'
    selection_opt_explorer:
        Image|endswith: '\explorer.exe'
        CommandLine|contains:
            - '.hta'
            - '.vb'
            - '.wsh'
            - '.js'
            - '.ps'
            - '.scr'
            - '.pif'
            - '.bat'
            - '.cmd'
    selection_opt_paths:
        Image|contains:
            - '\AppData\'
            - '\Users\Public\'
            - '\ProgramData\'
            - '\Windows\Tasks\'
            - '\Windows\Temp\'
            - '\Windows\System32\Tasks\'
    filter_teams:
        Image|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
        CommandLine|endswith: '-Embedding'
    filter_onedrive:
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
        Image|endswith: '\FileCoAuth.exe'
        CommandLine|endswith: '-Embedding'
    condition: selection_parent and 1 of selection_opt_* and not 1 of filter_*
falsepositives:
    - File located in the AppData folder with trusted signature
level: high
```
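To see how the condition combines the three optional selections and the two filters, here is an added evaluator (not the Sigma project's own code) that applies a trimmed copy of the rule's detection block to constructed process_creation events; the value lists are shortened to a few entries each, and Sigma's case-insensitive string matching is reproduced for the endswith, contains and plain-equality cases the rule uses.

```python
# Added example (not Sigma's own code): evaluate the OneNote rule's detection
# block against constructed process_creation events. Lists are a subset.
DETECTION = {
    "selection_parent": {"ParentImage|endswith": ["\\onenote.exe"]},
    "selection_opt_img": [  # list of maps = OR between the two field tests
        {"OriginalFileName": ["Cmd.Exe", "PowerShell.EXE", "MSHTA.EXE"]},
        {"Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\mshta.exe"]},
    ],
    "selection_opt_explorer": {"Image|endswith": ["\\explorer.exe"],
                               "CommandLine|contains": [".hta", ".js", ".bat", ".cmd"]},
    "selection_opt_paths": {"Image|contains": ["\\AppData\\", "\\Users\\Public\\"]},
    "filter_teams": {"Image|endswith": ["\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"],
                     "CommandLine|endswith": ["-Embedding"]},
    "filter_onedrive": {"Image|contains": ["\\AppData\\Local\\Microsoft\\OneDrive\\"],
                        "Image|endswith": ["\\FileCoAuth.exe"],
                        "CommandLine|endswith": ["-Embedding"]},
}

def field_matches(event, key, values):
    """One field test; any listed value may match (Sigma lists are OR), case-insensitively."""
    name, _, mod = key.partition("|")
    actual = str(event.get(name, "")).lower()
    for v in (x.lower() for x in values):
        if (mod == "endswith" and actual.endswith(v)) or \
           (mod == "contains" and v in actual) or (mod == "" and actual == v):
            return True
    return False

def selection_matches(event, sel):
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(sel, list):
        return any(selection_matches(event, s) for s in sel)
    return all(field_matches(event, k, v) for k, v in sel.items())

def rule_matches(event):
    """condition: selection_parent and 1 of selection_opt_* and not 1 of filter_*"""
    hit = {n: selection_matches(event, s) for n, s in DETECTION.items()}
    return (hit["selection_parent"]
            and any(v for n, v in hit.items() if n.startswith("selection_opt_"))
            and not any(v for n, v in hit.items() if n.startswith("filter_")))

ONENOTE = r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
EVENTS = [  # constructed sample events, not real telemetry
    {"ParentImage": ONENOTE, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": 'cmd.exe /c start "" inv.bat'},
    {"ParentImage": ONENOTE, "OriginalFileName": "FileCoAuth.exe",
     "Image": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\FileCoAuth.exe",
     "CommandLine": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\FileCoAuth.exe -Embedding"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe /c dir"},
]
```

The first event fires (OneNote spawning cmd.exe), the second is suppressed by filter_onedrive even though its image lives under AppData, and the third never passes selection_parent.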
Related rules
- HTML Help HH.EXE Suspicious Child Process
- Potential Initial Access via DLL Search Order Hijacking
- Suspicious HH.EXE Execution
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- Disk Image Mounting Via Hdiutil - MacOS