Adversaries have been delivering malware as OneNote notebook attachments (.one / .onepkg) that carry an embedded script or executable behind a lure such as a fake "open" button. When the victim double-clicks the embedded object, OneNote extracts it to a folder under %LOCALAPPDATA%\Temp\OneNote\ and launches it with the file type's normal handler, so the dropped payload is written by the trusted onenote.exe process rather than by a browser or mail client. That file-creation pattern is what this rule keys on. SOC teams can hunt for it in Microsoft Sentinel (formerly Azure Sentinel) to catch the execution stage of these campaigns before the payload establishes persistence.
Detection Rule
title: Suspicious File Created Via OneNote Application
id: fcc6d700-68d9-4241-9a1a-06874d621b06
status: test
description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
references:
    - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
    - https://twitter.com/MaD_c4t/status/1623414582382567424
    - https://labs.withsecure.com/publications/detecting-onenote-abuse
    - https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/
    - https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-09
modified: 2023-02-27
tags:
    - attack.defense-evasion
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\onenote.exe'
            - '\onenotem.exe'
            - '\onenoteim.exe'
        TargetFilename|contains: '\AppData\Local\Temp\OneNote\'
        TargetFilename|endswith:
            # TODO: Add more suspicious extensions
            - '.bat'
            - '.chm'
            - '.cmd'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.htm'
            - '.html'
            - '.js'
            - '.lnk'
            - '.ps1'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: selection
falsepositives:
    - False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.
    - Occasional FPs might occur if OneNote is used internally to share different embedded documents
level: high
Microsoft Sentinel (ASIM) query
imFileEvent
| where EventType == "FileCreated"
| where ActingProcessName endswith "\\onenote.exe" or ActingProcessName endswith "\\onenotem.exe" or ActingProcessName endswith "\\onenoteim.exe"
| where TargetFilePath contains "\\AppData\\Local\\Temp\\OneNote\\"
| where TargetFilePath endswith ".bat" or TargetFilePath endswith ".chm" or TargetFilePath endswith ".cmd" or TargetFilePath endswith ".dll" or TargetFilePath endswith ".exe" or TargetFilePath endswith ".hta" or TargetFilePath endswith ".htm" or TargetFilePath endswith ".html" or TargetFilePath endswith ".js" or TargetFilePath endswith ".lnk" or TargetFilePath endswith ".ps1" or TargetFilePath endswith ".vbe" or TargetFilePath endswith ".vbs" or TargetFilePath endswith ".wsf"
Field mapping matters here. The Sigma Image field is the process that performed the write, which the ASIM file-event schema carries in ActingProcessName, not in TargetFilePath. TargetFilePath is the full path of the written file, while TargetFileName holds only the basename, so a contains test for "\\AppData\\Local\\Temp\\OneNote\\" against TargetFileName can never match and would silently turn the rule off. The Sigma file_event category covers file creation, hence the EventType == "FileCreated" filter.
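As an added example, not part of the Sigma rule or of the Sentinel translation above, the following Python transcribes the rule's selection block into a small evaluator, runs it over constructed Sysmon Event ID 11 style records (fields Image and TargetFilename, as the Sigma rule names them), and renders the same selection as ASIM imFileEvent KQL using the mapping Image -> ActingProcessName and TargetFilename -> TargetFilePath. The sample records, their paths and the FileCreated filter are assumptions of this example; only the Temp\OneNote\ prefix, the process names and the extension list come from the rule.

```python
"""Evaluate the OneNote Sigma selection over sample file events and emit ASIM KQL.

Added example; not the rule author's code. Records below are constructed.
"""

# The rule's selection: keys are "<field>|<modifier>", values are the accepted
# needles. Sigma semantics: OR within one key, AND across keys.
SELECTION = {
    "Image|endswith": ["\\onenote.exe", "\\onenotem.exe", "\\onenoteim.exe"],
    "TargetFilename|contains": ["\\AppData\\Local\\Temp\\OneNote\\"],
    "TargetFilename|endswith": [
        ".bat", ".chm", ".cmd", ".dll", ".exe", ".hta", ".htm", ".html",
        ".js", ".lnk", ".ps1", ".vbe", ".vbs", ".wsf",
    ],
}

# Sigma field -> ASIM imFileEvent column. TargetFilePath is the full path;
# ASIM's TargetFileName is only the basename, so a folder test on it never matches.
ASIM_COLUMNS = {"Image": "ActingProcessName", "TargetFilename": "TargetFilePath"}


def _match(modifier: str, value: str, needle: str) -> bool:
    """Sigma string modifiers are case-insensitive by default."""
    v, n = value.lower(), needle.lower()
    if modifier == "endswith":
        return v.endswith(n)
    if modifier == "contains":
        return n in v
    if modifier == "startswith":
        return v.startswith(n)
    raise ValueError(f"unsupported modifier {modifier!r}")


def selection_matches(event: dict, selection: dict = SELECTION) -> bool:
    """True when every key of the selection is satisfied by at least one needle."""
    for key, needles in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if not isinstance(value, str):
            return False
        if not any(_match(modifier, value, n) for n in needles):
            return False
    return True


def evaluate(events: list, selection: dict = SELECTION) -> list:
    """Indexes of the events that would raise the alert."""
    return [i for i, e in enumerate(events) if selection_matches(e, selection)]


def to_asim_kql(selection: dict = SELECTION) -> str:
    """Render the selection as an imFileEvent query (file_event == file creation)."""
    def kql_literal(s: str) -> str:
        # KQL double-quoted strings escape backslashes and quotes with a backslash.
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

    clauses = []
    for key, needles in selection.items():
        field, _, modifier = key.partition("|")
        column = ASIM_COLUMNS[field]
        alternatives = " or ".join(f"{column} {modifier} {kql_literal(n)}" for n in needles)
        clauses.append(f"({alternatives})")
    return (
        "imFileEvent\n"
        '| where EventType == "FileCreated"\n'
        "| where " + "\n    and ".join(clauses)
    )


# Constructed file-creation records. Only the \AppData\Local\Temp\OneNote\
# prefix matters to the rule; the subfolders under it are illustrative.
EVENTS = [
    # 0: victim double-clicked an embedded .cmd inside a mailed .one -> alert
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\{1B2C}\NT\0\invoice.cmd"},
    # 1: same folder, an embedded PDF opened -> no alert (extension not listed)
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\{1B2C}\NT\0\invoice.pdf"},
    # 2: a scheduled script (cmd.exe) writes an .exe into the same folder -> no alert
    #    (Image must be OneNote, so process-name exclusions for schtasks etc. are moot)
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\OneNote\LogCollector.exe"},
    # 3: OneNote saving a notebook into Documents -> no alert (path and extension)
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\OneNote Notebooks\IR-notes.one"},
    # 4: onenotem.exe image, mixed-case .VBS -> alert (matching is case-insensitive)
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\OneNote\16.0\Exported\{9F0A}\NT\0\Scan.VBS"},
]

if __name__ == "__main__":
    for i in evaluate(EVENTS):
        print(f"ALERT event {i}: {EVENTS[i]['Image']} -> {EVENTS[i]['TargetFilename']}")
    print(to_asim_kql())
```

Running it alerts on events 0 and 4 only and prints a query in which every process test is on ActingProcessName and every path test on TargetFilePath. Event 2 is the useful negative: an unrelated process writing an executable into the same folder never reaches the condition, which is why exclusions keyed on process names other than OneNote's cannot reduce false positives for this rule.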
Scenario: An internal team shares a notebook with an embedded helper script or installer (for example a .ps1 or .cmd) and a user double-clicks it. OneNote extracts it to %LOCALAPPDATA%\Temp\OneNote\ with its original extension, so at the file-event level this looks exactly like a malicious attachment.
Filter/Exclusion: Tune on the specific sanctioned artifact, not on who ran it. Excluding administrators, or anyone writing under C:\Windows\System32, discards the sessions an attacker most wants, and no OneNote-extracted file lands in System32 anyway because the rule's path constraint is the user's Temp folder.
Example Filter: | where not (TargetFileSHA256 in ("<sha256 of the approved embedded script>"))
Scenario: A scheduled job or other automation writes scripts or log files, possibly even under a user's Temp folder.
Filter/Exclusion: None required. The rule matches only when the acting process is onenote.exe, onenotem.exe or onenoteim.exe, so files written by schtasks.exe, a script host or any other process never satisfy the condition. An exclusion on process.name == "schtasks.exe" or on a "LogCollector" command line is dead code here.
Example Filter: none; instead confirm with | summarize count() by ActingProcessName that only the three OneNote images appear in the results.
Scenario: A developer keeps snippets as embedded .js, .ps1 or .bat files in a notebook and launches them from OneNote as part of their normal workflow.
Filter/Exclusion: Do not exclude by group membership or by a notebook path such as C:\Dev\Notes; the notebook's own location never appears in the event, only the extraction path under Temp\OneNote\ does. If a team does this routinely, lower the severity for their hosts and keep the alert at high for everyone else.
Example Filter: | extend Severity = iff(DvcHostname in ("<developer workstation list>"), "medium", "high")
Scenario: A user receives a .one file via email or a shared drive, opens it, and double-clicks an embedded object.
Filter/Exclusion: Do not exclude on "trusted" sources. The file event does not record where the notebook came from, the referenced campaigns arrive precisely as mailed attachments, and a string such as "SharePoint" in a path says nothing about the embedded payload. Correlate the alert with the preceding email or download event for triage rather than suppressing it.
Example Filter: none at the rule level; enrich by joining on DvcHostname and ActorUsername to the mail-delivery or web-download table for the preceding few minutes.
Scenario: A system update or patch process writes temporary files during installation.
Filter/Exclusion: None required, for the same reason as scheduled jobs: Windows Update, WSUS clients and installers are not OneNote and do not write into Temp\OneNote\ as onenote.exe, so the rule's Image constraint already excludes them.
Example Filter: `process.name