Onenote execution of malicious embedded scripts

Detects the execution of malicious OneNote documents that contain embedded scripts. When a user opens a OneNote attachment and then clicks the malicious link inside the .one file, OneNote exports the embedded script to specific directories and executes it from there; the rule keys on scripting hosts spawned by onenote.exe with those directories in the command line.

Sigma rule

title: Onenote execution of malicious embedded scripts
id: 84b1706c-932a-44c4-ae28-892b28a25b94
description: Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a onenote attachment and then on the malicious link inside the .one file, it exports and executes the malicious embedded script from specific directories.
status: experimental
date: 2023/02/02
author: '@kostastsale'
references:
  - https://bazaar.abuse.ch/browse/tag/one/
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        # endswith already anchors the match at the end, so no leading wildcard is needed
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\cmd.exe'
            - '\mshta.exe'
        ParentImage|endswith:
            - '\onenote.exe'
    selection2:
        CommandLine|contains:
            - '\exported\'
            - '\onenoteofflinecache_files\'
    condition: selection1 and selection2
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense_evasion
    - attack.T1218.001
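To see how the two selections combine, here is an added example (not part of the rule or the SigmaHQ project) that evaluates the rule's logic over a few constructed process_creation events. Field names follow Sigma's process_creation schema; the paths, user name and GUID in the samples are constructed values, not real telemetry.

```python
# Added example (not part of the Sigma rule or SigmaHQ): evaluates the rule's
# selection1/selection2 logic over constructed process_creation events so the
# condition can be checked offline. Field names follow Sigma's process_creation
# schema; paths and GUIDs below are constructed sample values, not real telemetry.

CHILD_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
                "\\cscript.exe", "\\cmd.exe", "\\mshta.exe")
PARENT_IMAGES = ("\\onenote.exe",)
CMDLINE_MARKERS = ("\\exported\\", "\\onenoteofflinecache_files\\")


def _endswith_any(value, suffixes):
    # Sigma string matching is case-insensitive, so normalise before comparing.
    value = value.lower()
    return any(value.endswith(s) for s in suffixes)


def _contains_any(value, needles):
    value = value.lower()
    return any(n in value for n in needles)


def matches_rule(event):
    """Return True when the event satisfies 'selection1 and selection2'."""
    selection1 = (_endswith_any(event.get("Image", ""), CHILD_IMAGES)
                  and _endswith_any(event.get("ParentImage", ""), PARENT_IMAGES))
    selection2 = _contains_any(event.get("CommandLine", ""), CMDLINE_MARKERS)
    return selection1 and selection2


# Constructed sample events: only the first should alert.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\OneNote\16.0\Exported\{0000}\NT\0\invoice.wsf"'},
    # OneNote spawning cmd.exe without an exported/offline-cache path: selection2 fails.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "CommandLine": r"cmd.exe /c ver"},
    # Script run from an exported path but not by OneNote: selection1 fails.
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Temp\Exported\note.js"'},
]


def alerting_indices(events):
    """Indices of events that match the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]
```

Calling `alerting_indices(SAMPLE_EVENTS)` returns `[0]`: the mixed-case ONENOTE.EXE parent still matches because Sigma comparisons are case-insensitive.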
