Onenote execution of malicious embedded scripts
Detects the execution of malicious OneNote documents that contain embedded scripts. When a user opens a OneNote attachment and then clicks the malicious link inside the .one file, OneNote exports the embedded script to a specific directory and executes it from there; the rule looks for script interpreters spawned by onenote.exe with one of those export directories on the command line.
Sigma rule
```yaml
title: Onenote execution of malicious embedded scripts
description: Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a onenote attachment and then on the malicious link inside the .one file, it exports and executes the malicious embedded script from specific directories.
status: experimental
date: 2023/02/02
author: '@kostastsale'
references:
  - https://bazaar.abuse.ch/browse/tag/one/
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    # Script/command interpreters spawned directly by OneNote.
    # The endswith modifier already anchors the match at the end of the value,
    # so no leading wildcard is needed.
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\cmd.exe'
      - '\mshta.exe'
    ParentImage|endswith:
      - '\onenote.exe'
  selection2:
    # Directories OneNote uses to export/cache embedded attachments.
    CommandLine|contains:
      - '\exported\'
      - '\onenoteofflinecache_files\'
  condition: selection1 and selection2
falsepositives:
  - Unlikely
level: high
tags:
  - attack.defense_evasion
  - attack.T1218.001
```
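As an added illustration (not part of the rule or of the SigmaHQ project), the condition above implemented in Python and run over three constructed process_creation events. The paths, user name and `{GUID}` component are made up; Sigma string matching is case-insensitive, so the comparison lowercases every field.

```python
# Values transcribed from the Sigma rule; endswith/contains are case-insensitive in Sigma.
CHILD_IMAGES = ["\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
                "\\cscript.exe", "\\cmd.exe", "\\mshta.exe"]
PARENT_IMAGES = ["\\onenote.exe"]
CMDLINE_MARKERS = ["\\exported\\", "\\onenoteofflinecache_files\\"]


def matches_rule(event: dict) -> bool:
    """Return True when a process_creation event satisfies selection1 AND selection2."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    selection1 = (any(image.endswith(s) for s in CHILD_IMAGES)
                  and any(parent.endswith(p) for p in PARENT_IMAGES))
    selection2 = any(m in cmdline for m in CMDLINE_MARKERS)
    return selection1 and selection2


# Constructed sample events (not real telemetry); field names follow Sysmon/Sigma process_creation.
SAMPLE_EVENTS = [
    {  # onenote.exe launching wscript on a file in the export folder: should alert
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\{GUID}\NT\0\attachment.vbs"',
    },
    {  # same parent/child, but the command line never references a staging directory: selection2 fails
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
        "CommandLine": r"cmd.exe /c echo hello",
    },
    {  # powershell from explorer.exe referencing the cache dir: selection1 fails on the parent
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -File C:\Users\alice\AppData\Local\Microsoft\OneNote\16.0\cache\OneNoteOfflineCache_Files\note.ps1",
    },
]


def evaluate(events):
    """Apply the rule to each event and return one verdict per event, in order."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if hit else "ok   ", event["Image"], "<-", event["ParentImage"])
```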
References
- https://bazaar.abuse.ch/browse/tag/one/
Related rules
- Code Execution via Pcwutl.dll
- Removal Of AMSI Provider Registry Keys
- Removal of Potential COM Hijacking Registry Keys
- Fax Service DLL Search Order Hijack
- Terminal Server Client Connection History Cleared - Registry