sigmahighHunting

OneNote.EXE Execution of Malicious Embedded Scripts

Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.

MITRE ATT&CK

T1218.001

defense-evasion

Detection Query

selection:
  ParentImage|endswith: \onenote.exe
  Image|endswith:
    - \cmd.exe
    - \cscript.exe
    - \mshta.exe
    - \powershell.exe
    - \pwsh.exe
    - \wscript.exe
  CommandLine|contains:
    - \exported\
    - \onenoteofflinecache_files\
condition: selection

Author

@kostastsale

Created

2023-02-02

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://bazaar.abuse.ch/browse/tag/one/

Tags

attack.defense-evasionattack.t1218.001

Raw Content

title: OneNote.EXE Execution of Malicious Embedded Scripts
id: 84b1706c-932a-44c4-ae28-892b28a25b94
status: test
description: |
    Detects the execution of malicious OneNote documents that contain embedded scripts.
    When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
references:
    - https://bazaar.abuse.ch/browse/tag/one/
author: '@kostastsale'
date: 2023-02-02
tags:
    - attack.defense-evasion
    - attack.t1218.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\onenote.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        CommandLine|contains:
            - '\exported\'
            - '\onenoteofflinecache_files\'
    condition: selection
falsepositives:
    - Unlikely
level: high