← Library
sigmaDRL-1.1from SigmaHQ/sigma

OneNote.EXE Execution of Malicious Embedded Scripts

Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.

Quality
86
FP risk
Forks
0
Views
0
ATT&CK techniques
T1218.001
Rule sourcerules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml
title: OneNote.EXE Execution of Malicious Embedded Scripts
id: 84b1706c-932a-44c4-ae28-892b28a25b94
status: test
description: |
    Detects the execution of malicious OneNote documents that contain embedded scripts.
    When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
references:
    - https://bazaar.abuse.ch/browse/tag/one/
author: '@kostastsale'
date: 2023-02-02
tags:
    - attack.defense-evasion
    - attack.t1218.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\onenote.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        CommandLine|contains:
            - '\exported\'
            - '\onenoteofflinecache_files\'
    condition: selection
falsepositives:
    - Unlikely
level: high