legitimate usage of ".one" or ".onepkg" files from those locations

Techniques

Sample rules

OneNote Attachment File Dropped In Suspicious Location

Description

Detects creation of files with the ".one" or ".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_onenote:
  Image|contains: ':\Program Files\Microsoft Office\'
  Image|endswith: '\ONENOTE.EXE'
selection:
  TargetFilename|contains:
    - '\AppData\Local\Temp\'
    - '\Users\Public\'
    - '\Windows\Temp\'
    - ':\Temp\'
  TargetFilename|endswith:
    - '.one'
    - '.onepkg'
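The rule logic above, evaluated over constructed Sysmon FileCreate (Event ID 11) records so the false positive this entry records can be seen being filtered out. This is an added example written for this page, not the rule's reference implementation; the event dicts, user name and process paths are constructed samples, and string matching is done case-insensitively as Sigma does for Windows fields.

```python
"""Added example: apply 'selection and not 1 of filter_main_*' from the rule
above to constructed Sysmon Event ID 11 records (not real telemetry)."""

# Paths and extensions copied from the rule's selection block. Normal (not raw)
# strings are used because a Python raw string cannot end in a backslash.
SUSPICIOUS_DIRS = (
    "\\AppData\\Local\\Temp\\",
    "\\Users\\Public\\",
    "\\Windows\\Temp\\",
    ":\\Temp\\",
)
ONENOTE_EXTENSIONS = (".one", ".onepkg")


def onenote_file_in_suspicious_location(event: dict) -> bool:
    """True when the event matches the rule: selection AND NOT filter_main_onenote.
    Sigma string modifiers are case-insensitive on Windows, so both sides are
    lowercased before comparison."""
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    selection = (
        any(d.lower() in target for d in SUSPICIOUS_DIRS)
        and target.endswith(ONENOTE_EXTENSIONS)
    )
    # filter_main_onenote: OneNote itself, installed under Program Files,
    # writing its own files. This is the legitimate usage this LoFP entry covers.
    filter_main_onenote = (
        ":\\program files\\microsoft office\\" in image
        and image.endswith("\\onenote.exe")
    )
    return selection and not filter_main_onenote


# Constructed sample events (hypothetical user "alice", hypothetical process paths).
SAMPLE_EVENTS = [
    {  # Legitimate: OneNote from Program Files writes a section file to Temp (filtered)
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\Untitled.one",
    },
    {  # Alert: a non-OneNote process writes a .one file into Users\Public
        "Image": "C:\\Users\\alice\\Downloads\\unknown.exe",
        "TargetFilename": "C:\\Users\\Public\\invoice.one",
    },
    {  # No match: a OneNote package saved to an ordinary documents folder
        "Image": "C:\\Windows\\explorer.exe",
        "TargetFilename": "C:\\Users\\alice\\Documents\\notes.onepkg",
    },
]


def alerts(events) -> list:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if onenote_file_in_suspicious_location(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Only ONENOTE.EXE running from under Program Files passes the filter, so OneNote installed elsewhere still alerts when it writes to these locations. Tuning for that case means widening filter_main_onenote rather than loosening the selection.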