← Back to Explore
sigmamediumHunting
OneNote Attachment File Dropped In Suspicious Location
Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
Detection Query
selection:
TargetFilename|contains:
- \AppData\Local\Temp\
- \Users\Public\
- \Windows\Temp\
- :\Temp\
TargetFilename|endswith:
- .one
- .onepkg
filter_main_onenote:
Image|contains: :\Program Files\Microsoft Office\
Image|endswith: \ONENOTE.EXE
condition: selection and not 1 of filter_main_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-01-22
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.defense-evasion
Raw Content
title: OneNote Attachment File Dropped In Suspicious Location
id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0
status: test
description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
references:
- https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
- https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-09-19
tags:
- attack.defense-evasion
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains:
# Note: add more common locations for drops such as download folders and the like. Or baseline legitimate locations and alert on everything else
- '\AppData\Local\Temp\'
- '\Users\Public\'
- '\Windows\Temp\'
- ':\Temp\'
TargetFilename|endswith:
- '.one'
- '.onepkg'
filter_main_onenote:
Image|contains: ':\Program Files\Microsoft Office\'
Image|endswith: '\ONENOTE.EXE'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate usage of ".one" or ".onepkg" files from those locations
level: medium