Techniques
Sample rules
Suspicious Microsoft OneNote Child Process
- source: sigma
- techniques:
- t1566
- t1566.001
Description
Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
Detection logic
selection_parent:
    ParentImage|endswith: '\onenote.exe'
selection_opt_img:
    - OriginalFileName:
          - 'bitsadmin.exe'
          - 'CertOC.exe'
          - 'CertUtil.exe'
          - 'Cmd.Exe'
          - 'CMSTP.EXE'
          - 'cscript.exe'
          - 'curl.exe'
          - 'HH.exe'
          - 'IEExec.exe'
          - 'InstallUtil.exe'
          - 'javaw.exe'
          - 'Microsoft.Workflow.Compiler.exe'
          - 'msdt.exe'
          - 'MSHTA.EXE'
          - 'msiexec.exe'
          - 'Msxsl.exe'
          - 'odbcconf.exe'
          - 'pcalua.exe'
          - 'PowerShell.EXE'
          - 'RegAsm.exe'
          - 'RegSvcs.exe'
          - 'REGSVR32.exe'
          - 'RUNDLL32.exe'
          - 'schtasks.exe'
          - 'ScriptRunner.exe'
          - 'wmic.exe'
          - 'WorkFolders.exe'
          - 'wscript.exe'
    - Image|endswith:
          - '\AppVLP.exe'
          - '\bash.exe'
          - '\bitsadmin.exe'
          - '\certoc.exe'
          - '\certutil.exe'
          - '\cmd.exe'
          - '\cmstp.exe'
          - '\control.exe'
          - '\cscript.exe'
          - '\curl.exe'
          - '\forfiles.exe'
          - '\hh.exe'
          - '\ieexec.exe'
          - '\installutil.exe'
          - '\javaw.exe'
          - '\mftrace.exe'
          - '\Microsoft.Workflow.Compiler.exe'
          - '\msbuild.exe'
          - '\msdt.exe'
          - '\mshta.exe'
          - '\msidb.exe'
          - '\msiexec.exe'
          - '\msxsl.exe'
          - '\odbcconf.exe'
          - '\pcalua.exe'
          - '\powershell.exe'
          - '\pwsh.exe'
          - '\regasm.exe'
          - '\regsvcs.exe'
          - '\regsvr32.exe'
          - '\rundll32.exe'
          - '\schtasks.exe'
          - '\scrcons.exe'
          - '\scriptrunner.exe'
          - '\sh.exe'
          - '\svchost.exe'
          - '\verclsid.exe'
          - '\wmic.exe'
          - '\workfolders.exe'
          - '\wscript.exe'
selection_opt_explorer:
    Image|endswith: '\explorer.exe'
    CommandLine|contains:
        - '.hta'
        - '.vb'
        - '.wsh'
        - '.js'
        - '.ps'
        - '.scr'
        - '.pif'
        - '.bat'
        - '.cmd'
selection_opt_paths:
    Image|contains:
        - '\AppData\'
        - '\Users\Public\'
        - '\ProgramData\'
        - '\Windows\Tasks\'
        - '\Windows\Temp\'
        - '\Windows\System32\Tasks\'
filter_teams:
    Image|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
    CommandLine|endswith: '-Embedding'
filter_onedrive:
    Image|contains: '\AppData\Local\Microsoft\OneDrive\'
    Image|endswith: '\FileCoAuth.exe'
    CommandLine|endswith: '-Embedding'
condition: selection_parent and 1 of selection_opt_* and not 1 of filter_*
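To see how the selections, the `1 of` / `not 1 of` condition and the two `-Embedding` filters combine, the detection logic above is re-implemented in plain Python and run over a handful of constructed process-creation events. This is an added example, not code from the Sigma project or the rule author; the events are made up, their field names follow the Sigma process_creation taxonomy (ParentImage, Image, OriginalFileName, CommandLine), and the comparisons are lowercased on both sides because Sigma string modifiers match case-insensitively.

```python
"""Exercise the 'Suspicious Microsoft OneNote Child Process' logic offline.

Added example, not part of the Sigma rule or project. Events below are
constructed samples, not real telemetry.
"""

ORIGINAL_FILENAMES = {n.lower() for n in (
    "bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe",
    "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe",
    "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe",
    "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe",
    "WorkFolders.exe", "wscript.exe",
)}
IMAGE_SUFFIXES = [
    r"\AppVLP.exe", r"\bash.exe", r"\bitsadmin.exe", r"\certoc.exe", r"\certutil.exe", r"\cmd.exe",
    r"\cmstp.exe", r"\control.exe", r"\cscript.exe", r"\curl.exe", r"\forfiles.exe", r"\hh.exe",
    r"\ieexec.exe", r"\installutil.exe", r"\javaw.exe", r"\mftrace.exe", r"\Microsoft.Workflow.Compiler.exe",
    r"\msbuild.exe", r"\msdt.exe", r"\mshta.exe", r"\msidb.exe", r"\msiexec.exe", r"\msxsl.exe",
    r"\odbcconf.exe", r"\pcalua.exe", r"\powershell.exe", r"\pwsh.exe", r"\regasm.exe", r"\regsvcs.exe",
    r"\regsvr32.exe", r"\rundll32.exe", r"\schtasks.exe", r"\scrcons.exe", r"\scriptrunner.exe", r"\sh.exe",
    r"\svchost.exe", r"\verclsid.exe", r"\wmic.exe", r"\workfolders.exe", r"\wscript.exe",
]
SCRIPT_EXTENSIONS = [".hta", ".vb", ".wsh", ".js", ".ps", ".scr", ".pif", ".bat", ".cmd"]
WRITABLE_PATHS = ["\\AppData\\", "\\Users\\Public\\", "\\ProgramData\\",
                  "\\Windows\\Tasks\\", "\\Windows\\Temp\\", "\\Windows\\System32\\Tasks\\"]


def _endswith(value, suffixes):  # Sigma |endswith, case-insensitive, list = OR
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains(value, needles):  # Sigma |contains, case-insensitive, list = OR
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)


# One function per YAML selection. Keys inside one mapping are ANDed; a list of
# mappings under a selection (selection_opt_img) is ORed.
def selection_parent(ev):
    return _endswith(ev.get("ParentImage"), [r"\onenote.exe"])


def selection_opt_img(ev):
    return (_endswith(ev.get("Image"), IMAGE_SUFFIXES)
            or (ev.get("OriginalFileName") or "").lower() in ORIGINAL_FILENAMES)


def selection_opt_explorer(ev):
    return (_endswith(ev.get("Image"), [r"\explorer.exe"])
            and _contains(ev.get("CommandLine"), SCRIPT_EXTENSIONS))


def selection_opt_paths(ev):
    return _contains(ev.get("Image"), WRITABLE_PATHS)


def filter_teams(ev):
    return (_endswith(ev.get("Image"), [r"\AppData\Local\Microsoft\Teams\current\Teams.exe"])
            and _endswith(ev.get("CommandLine"), ["-Embedding"]))


def filter_onedrive(ev):
    return (_contains(ev.get("Image"), ["\\AppData\\Local\\Microsoft\\OneDrive\\"])
            and _endswith(ev.get("Image"), [r"\FileCoAuth.exe"])
            and _endswith(ev.get("CommandLine"), ["-Embedding"]))


def matches(ev):
    """condition: selection_parent and 1 of selection_opt_* and not 1 of filter_*"""
    return (selection_parent(ev)
            and any(s(ev) for s in (selection_opt_img, selection_opt_explorer, selection_opt_paths))
            and not any(f(ev) for f in (filter_teams, filter_onedrive)))


ONENOTE = r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
EVENTS = {  # constructed sample events (hypothetical user 'bob'), not real telemetry
    "mshta_from_onenote": {"ParentImage": ONENOTE, "Image": r"C:\Windows\System32\mshta.exe",
        "OriginalFileName": "MSHTA.EXE",
        "CommandLine": r"mshta.exe C:\Users\bob\AppData\Local\Temp\OneNote\16.0\Exported\Open.hta"},
    "explorer_opens_js": {"ParentImage": ONENOTE, "Image": r"C:\Windows\explorer.exe",
        "OriginalFileName": "EXPLORER.EXE",
        "CommandLine": r'"C:\Windows\explorer.exe" C:\Users\bob\AppData\Local\Temp\invoice.js'},
    # renamed binary: Image suffix misses, OriginalFileName (PE version info) still catches it
    "renamed_powershell_in_public": {"ParentImage": ONENOTE, "Image": r"C:\Users\Public\update.exe",
        "OriginalFileName": "PowerShell.EXE", "CommandLine": "update.exe -nop -w hidden -enc AAAA"},
    # hits selection_opt_paths via \AppData\ but is excluded by filter_teams
    "teams_embedding": {"ParentImage": ONENOTE,
        "Image": r"C:\Users\bob\AppData\Local\Microsoft\Teams\current\Teams.exe", "OriginalFileName": "Teams.exe",
        "CommandLine": r'"C:\Users\bob\AppData\Local\Microsoft\Teams\current\Teams.exe" -Embedding'},
    "onedrive_filecoauth": {"ParentImage": ONENOTE,
        "Image": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\FileCoAuth.exe", "OriginalFileName": "FileCoAuth.exe",
        "CommandLine": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\FileCoAuth.exe" -Embedding'},
    "winword_from_onenote": {"ParentImage": ONENOTE,
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "OriginalFileName": "WinWord.exe",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'},
    "cmd_from_explorer": {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe /c whoami"},
    # '.js' is a substring of '.json', so a benign Explorer open of a JSON file also fires
    "explorer_opens_json": {"ParentImage": ONENOTE, "Image": r"C:\Windows\explorer.exe",
        "OriginalFileName": "EXPLORER.EXE",
        "CommandLine": r'"C:\Windows\explorer.exe" C:\Users\bob\Documents\settings.json'},
}


def evaluate_all(events=EVENTS):
    """Return {event name: True if the rule fires}."""
    return {name: matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{'ALERT' if hit else '  ok '}  {name}")
```

Two behaviours worth noting when tuning this rule: the `-Embedding` filters only suppress the two named COM servers (Teams.exe and FileCoAuth.exe), so any other out-of-process COM server that OneNote activates from a user-writable path will still fire through `selection_opt_paths`; and `CommandLine|contains` on short extensions like `.js` and `.vb` is a substring test, so Explorer opening a `.json` or `.vbproj` file from OneNote matches just as an actual script would.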