Sample rules
Suspicious File Created Via OneNote Application
- source: sigma
- techniques:
Description
Detects suspicious files created via the OneNote application. This could indicate that a potentially malicious ".one" or ".onepkg" file was executed, a technique seen in malware activity in the wild.
Detection logic
condition: selection
selection:
    Image|endswith:
        - \onenote.exe
        - \onenotem.exe
        - \onenoteim.exe
    TargetFilename|contains: \AppData\Local\Temp\OneNote\
    TargetFilename|endswith:
        - .bat
        - .chm
        - .cmd
        - .dll
        - .exe
        - .hta
        - .htm
        - .html
        - .js
        - .lnk
        - .ps1
        - .vbe
        - .vbs
        - .wsf
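The selection above is three AND-ed clauses over file-creation telemetry (Sysmon Event ID 11 is assumed as the source). The following added example, which is not part of the Sigma rule or project, evaluates those clauses against constructed events; it lower-cases both fields because Sigma's `endswith`/`contains` modifiers match case-insensitively, so a detection that compares case-sensitively would miss `ONENOTE.EXE`. The event records, paths and the `triage` helper are constructed for illustration.

```python
# Added example (not from the Sigma project): evaluates the rule's 'selection'
# against constructed Sysmon Event ID 11 (FileCreate) records.
ONENOTE_IMAGES = ("\\onenote.exe", "\\onenotem.exe", "\\onenoteim.exe")
TEMP_PATH_FRAGMENT = "\\appdata\\local\\temp\\onenote\\"
SUSPICIOUS_EXTENSIONS = (".bat", ".chm", ".cmd", ".dll", ".exe", ".hta", ".htm",
                         ".html", ".js", ".lnk", ".ps1", ".vbe", ".vbs", ".wsf")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies every clause of 'selection'.

    Sigma string modifiers (endswith/contains) are case-insensitive by
    default, so both fields are lower-cased before comparison.
    """
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return (
        image.endswith(ONENOTE_IMAGES)          # Image|endswith
        and TEMP_PATH_FRAGMENT in target        # TargetFilename|contains
        and target.endswith(SUSPICIOUS_EXTENSIONS)  # TargetFilename|endswith
    )


# Constructed sample events (not real telemetry); the GUID is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 11,  # should match: OneNote drops an .hta into its temp folder
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\OneNote\\16.0\\"
                       "Exported\\{PLACEHOLDER-GUID}\\NT\\0\\invoice.hta"},
    {"EventID": 11,  # benign: an embedded image, extension not in the list
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\OneNote\\16.0\\"
                       "Exported\\{PLACEHOLDER-GUID}\\NT\\0\\notes.png"},
    {"EventID": 11,  # not OneNote: same folder, but the writing process differs
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\OneNote\\tool.exe"},
]


def triage(events) -> list:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit)
```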