Adversaries have used OneNote attachment files (.one/.onepkg) sent by e-mail to deliver malware, relying on the format's embedded file and script support to get past controls aimed at classic Office documents (see the references below). A dropped attachment usually lands in a temp folder or another world-writable location before it is opened, so this rule flags .one/.onepkg files created in such locations by any process other than OneNote itself. SOC teams can hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) with the ASIM file event parser, as shown in the query after the rule.
Detection Rule
title: OneNote Attachment File Dropped In Suspicious Location
id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0
status: test
description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
references:
    - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-09-19
tags:
    - attack.defense-evasion
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            # Note: add more common locations for drops such as download folders and the like. Or baseline legitimate locations and alert on everything else
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - ':\Temp\'
        TargetFilename|endswith:
            - '.one'
            - '.onepkg'
    filter_main_onenote:
        Image|contains: ':\Program Files\Microsoft Office\'
        Image|endswith: '\ONENOTE.EXE'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate usage of ".one" or ".onepkg" files from those locations
level: medium
imFileEvent
// Sigma's TargetFilename is the full path; in the ASIM file event schema that is TargetFilePath
// (TargetFileName holds only the base name). Sigma's Image is the creating process, ActingProcessName.
// The rule's logsource is file creation, so restrict to that event type as well.
| where EventType == "FileCreated"
| where (TargetFilePath contains "\\AppData\\Local\\Temp\\" or TargetFilePath contains "\\Users\\Public\\" or TargetFilePath contains "\\Windows\\Temp\\" or TargetFilePath contains ":\\Temp\\")
    and (TargetFilePath endswith ".one" or TargetFilePath endswith ".onepkg")
    and not (ActingProcessName contains ":\\Program Files\\Microsoft Office\\" and ActingProcessName endswith "\\ONENOTE.EXE")
Scenario: A system administrator opens or saves a OneNote notebook from a temporary folder while documenting an audit.
Filter/Exclusion: Already handled by filter_main_onenote as long as the file is written by ONENOTE.EXE installed under C:\Program Files\Microsoft Office\. That filter does not match a 32-bit installation under C:\Program Files (x86)\, so add a second filter_main_* entry for that path instead. Excluding C:\Windows\System32\ or the .evtx extension changes nothing, because the selection never matches either.
Scenario: A scheduled backup job writes OneNote status reports to a shared network folder.
Filter/Exclusion: A UNC destination such as \\server\backup\ only matches the selection if the share path itself contains one of the listed substrings (for example \Users\Public\). If it does, exclude on the job's Image (the script host or backup binary, full path) together with that exact destination directory. Excluding .log files has no effect, since only .one/.onepkg names are selected.
Scenario: A developer keeps OneNote notebooks next to Visual Studio project files in a local workspace directory.
Filter/Exclusion: A workspace such as C:\Dev\ProjectName\ is not one of the selected drop locations, so nothing fires and no exclusion is needed; excluding .sln, .csproj or .vbproj files is a no-op for this rule. If a build or tooling step writes .one files into a selected directory, filter on that tool's Image rather than on the directory.
Scenario: An installer or other trusted system process temporarily creates a .one file in C:\Windows\Temp\.
Filter/Exclusion: Do not exclude C:\Windows\Temp\ as a whole; it is one of the drop locations the rule exists to watch. Exclude only the specific Image (full path) that creates the file. File lifespan cannot be judged from a single file-creation event; suppressing short-lived files would require correlating the creation with a later delete event (imFileEvent EventType FileDeleted), which is a separate query, not a filter in this rule.
Scenario: An IT helpdesk tool such as ServiceNow or Jira is configured to generate OneNote attachments for incident reports in a dedicated folder.
Filter/Exclusion: C:\IT\Reports\ does not match the selection, so exclusions are only needed if the tool writes into a selected directory. In that case exclude on the tool's Image and its configured output directory together. A naming pattern such as report_*.one is not a safe exclusion on its own, because any process, including a malicious one, can pick that name.
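The following is an added example, not part of the Sigma rule or of the page's Sentinel query: a small Python evaluator that applies the rule's selection and filter_main_onenote to file-creation events, then adds the two kinds of tuning filter discussed in the scenarios above (process-based versus name-pattern-based). The events are constructed, in the shape Sysmon Event ID 11 gives Sigma (TargetFilename, Image); the helpdesk agent binary, its install path and the report_*.one naming convention are assumptions for illustration.

```python
import fnmatch

# Substrings from the rule's TargetFilename|contains list, lowercased because
# Sigma string matching is case-insensitive by default.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
    ":\\temp\\",
)
ONENOTE_EXTS = (".one", ".onepkg")


def filter_main_onenote(event):
    """The rule's own filter: ignore files written by ONENOTE.EXE under Program Files."""
    image = event.get("Image", "").lower()
    return (":\\program files\\microsoft office\\" in image
            and image.endswith("\\onenote.exe"))


def matches(event, extra_filters=()):
    """True when the event fires the rule.

    Implements `selection and not 1 of filter_main_*`: the selection must hold
    and no filter (built-in or supplied tuning filter) may match.
    """
    path = event.get("TargetFilename", "").lower()
    selection = any(d in path for d in SUSPICIOUS_DIRS) and path.endswith(ONENOTE_EXTS)
    if not selection:
        return False
    return not any(f(event) for f in (filter_main_onenote, *extra_filters))


# Hypothetical tuning filters for the helpdesk scenario (tool, path, naming are assumed).
def filter_helpdesk_agent(event):
    """Process-based exclusion: trust only the agent binary at its install path."""
    image = event.get("Image", "").lower()
    return (":\\program files\\helpdeskagent\\" in image
            and image.endswith("\\agent.exe"))


def filter_report_name(event):
    """Name-pattern exclusion: trusts report_*.one regardless of who wrote it (weak)."""
    name = event.get("TargetFilename", "").lower().rsplit("\\", 1)[-1]
    return fnmatch.fnmatchcase(name, "report_*.one")


def fired(events, extra_filters=()):
    """IDs of the events that would raise an alert, in input order."""
    return [e["id"] for e in events if matches(e, extra_filters)]


# Constructed sample events; none of this is real telemetry.
EVENTS = [
    {"id": "outlook_tmp",     # attachment saved to the user's temp folder by Outlook
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\Invoice.one"},
    {"id": "onenote_save",    # OneNote itself writing a notebook: covered by the filter
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\Notebook.one"},
    {"id": "onenote_x86",     # 32-bit install path is NOT matched by filter_main_onenote
     "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE",
     "TargetFilename": r"C:\Windows\Temp\Notebook.one"},
    {"id": "documents",       # not a selected location, never fires
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.one"},
    {"id": "browser_public",  # browser download to a world-writable folder, upper-case ext
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\Public\Update.ONEPKG"},
    {"id": "helpdesk_agent",  # the assumed legitimate tool writing into C:\Temp\
     "Image": r"C:\Program Files\HelpdeskAgent\agent.exe",
     "TargetFilename": r"C:\Temp\report_1042.one"},
    {"id": "mimic_name",      # attacker copying the naming convention from PowerShell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Temp\report_1043.one"},
]

if __name__ == "__main__":
    print("rule as written:   ", fired(EVENTS))
    print("+ process filter:  ", fired(EVENTS, (filter_helpdesk_agent,)))
    print("+ name filter:     ", fired(EVENTS, (filter_report_name,)))
```

Run as written, the rule fires on the Outlook drop, the browser download, both C:\Temp\ reports and, because of the Program Files (x86) gap, on OneNote's own save. Adding the process-based filter removes only the agent's file while the PowerShell look-alike still alerts; the name-based filter suppresses both, which is exactly why the scenarios above recommend excluding on Image rather than on file name.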