detection.wiki

Detection rules › Sigma

Suspicious Microsoft OneNote Child Process

Severity
high
Author
Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
Source
upstream

Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1566 Phishing, T1566.001 Phishing: Spearphishing Attachment

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: selection_parent

ParentImage|endswith: '\onenote.exe'

Stage 2: 1 of selection_opt_img

or:
Image|endswith: '\AppVLP.exe'
Image|endswith: '\Microsoft.Workflow.Compiler.exe'
Image|endswith: '\bash.exe'
Image|endswith: '\bitsadmin.exe'
Image|endswith: '\certoc.exe'
Image|endswith: '\certutil.exe'
Image|endswith: '\cmd.exe'
Image|endswith: '\cmstp.exe'
Image|endswith: '\control.exe'
Image|endswith: '\cscript.exe'
Image|endswith: '\curl.exe'
Image|endswith: '\forfiles.exe'
Image|endswith: '\hh.exe'
Image|endswith: '\ieexec.exe'
Image|endswith: '\installutil.exe'
Image|endswith: '\javaw.exe'
Image|endswith: '\mftrace.exe'
Image|endswith: '\msbuild.exe'
Image|endswith: '\msdt.exe'
Image|endswith: '\mshta.exe'
Image|endswith: '\msidb.exe'
Image|endswith: '\msiexec.exe'
Image|endswith: '\msxsl.exe'
Image|endswith: '\odbcconf.exe'
Image|endswith: '\pcalua.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\regasm.exe'
Image|endswith: '\regsvcs.exe'
Image|endswith: '\regsvr32.exe'
Image|endswith: '\rundll32.exe'
Image|endswith: '\schtasks.exe'
Image|endswith: '\scrcons.exe'
Image|endswith: '\scriptrunner.exe'
Image|endswith: '\sh.exe'
Image|endswith: '\svchost.exe'
Image|endswith: '\verclsid.exe'
Image|endswith: '\wmic.exe'
Image|endswith: '\workfolders.exe'
Image|endswith: '\wscript.exe'
OriginalFileName: CMSTP.EXE
OriginalFileName: CertOC.exe
OriginalFileName: CertUtil.exe
OriginalFileName: Cmd.Exe
OriginalFileName: HH.exe
OriginalFileName: IEExec.exe
OriginalFileName: InstallUtil.exe
OriginalFileName: MSHTA.EXE
OriginalFileName: Microsoft.Workflow.Compiler.exe
OriginalFileName: Msxsl.exe
OriginalFileName: PowerShell.EXE
OriginalFileName: REGSVR32.exe
OriginalFileName: RUNDLL32.exe
OriginalFileName: RegAsm.exe
OriginalFileName: RegSvcs.exe
OriginalFileName: ScriptRunner.exe
OriginalFileName: WorkFolders.exe
OriginalFileName: bitsadmin.exe
OriginalFileName: cscript.exe
OriginalFileName: curl.exe
OriginalFileName: javaw.exe
OriginalFileName: msdt.exe
OriginalFileName: msiexec.exe
OriginalFileName: odbcconf.exe
OriginalFileName: pcalua.exe
OriginalFileName: schtasks.exe
OriginalFileName: wmic.exe
OriginalFileName: wscript.exe

Stage 3: 1 of selection_opt_explorer

or:
CommandLine|contains: .bat
CommandLine|contains: .cmd
CommandLine|contains: .hta
CommandLine|contains: .js
CommandLine|contains: .pif
CommandLine|contains: .ps
CommandLine|contains: .scr
CommandLine|contains: .vb
CommandLine|contains: .wsh
Image|endswith: '\explorer.exe'

Stage 4: 1 of selection_opt_paths

or:
Image|contains: '\AppData\'
Image|contains: '\ProgramData\'
Image|contains: '\Users\Public\'
Image|contains: '\Windows\System32\Tasks\'
Image|contains: '\Windows\Tasks\'
Image|contains: '\Windows\Temp\'

Stage 5: not 1 of filter_*

or:
CommandLine|endswith: -Embedding
Image|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
CommandLine|endswith: -Embedding
Image|endswith: '\FileCoAuth.exe'
Image|contains: '\AppData\Local\Microsoft\OneDrive\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLineends_with
  • -Embedding
CommandLinematch
  • .bat corpus 8 (sigma 8)
  • .cmd corpus 5 (sigma 5)
  • .hta corpus 5 (sigma 5)
  • .js corpus 6 (sigma 6)
  • .pif
  • .ps corpus 3 (sigma 3)
  • .scr corpus 5 (sigma 5)
  • .vb corpus 3 (sigma 3)
  • .wsh corpus 2 (sigma 2)
Imageends_with
  • \AppData\Local\Microsoft\Teams\current\Teams.exe corpus 2 (sigma 2)
  • \AppVLP.exe corpus 6 (sigma 6)
  • \FileCoAuth.exe
  • \Microsoft.Workflow.Compiler.exe corpus 2 (sigma 2)
  • \bash.exe corpus 17 (sigma 17)
  • \bitsadmin.exe corpus 23 (sigma 23)
  • \certoc.exe corpus 10 (sigma 10)
  • \certutil.exe corpus 34 (sigma 34)
  • \cmd.exe corpus 92 (sigma 92)
  • \cmstp.exe corpus 9 (sigma 9)
  • \control.exe corpus 3 (sigma 3)
  • \cscript.exe corpus 64 (sigma 64)
  • \curl.exe corpus 19 (sigma 19)
  • \explorer.exe corpus 12 (sigma 12)
  • \forfiles.exe corpus 11 (sigma 11)
  • \hh.exe corpus 14 (sigma 14)
  • \ieexec.exe corpus 2 (sigma 2)
  • \installutil.exe corpus 5 (sigma 5)
  • \javaw.exe corpus 2 (sigma 2)
  • \mftrace.exe corpus 6 (sigma 6)
  • \msbuild.exe corpus 7 (sigma 7)
  • \msdt.exe corpus 10 (sigma 10)
  • \mshta.exe corpus 57 (sigma 57)
  • \msidb.exe corpus 2 (sigma 2)
  • \msiexec.exe corpus 21 (sigma 21)
  • \msxsl.exe corpus 7 (sigma 7)
  • \odbcconf.exe corpus 11 (sigma 11)
  • \pcalua.exe corpus 3 (sigma 3)
  • \powershell.exe corpus 143 (sigma 143)
  • \pwsh.exe corpus 140 (sigma 140)
  • \regasm.exe corpus 4 (sigma 4)
  • \regsvcs.exe corpus 3 (sigma 3)
  • \regsvr32.exe corpus 57 (sigma 57)
  • \rundll32.exe corpus 76 (sigma 76)
  • \schtasks.exe corpus 45 (sigma 45)
  • \scrcons.exe corpus 8 (sigma 8)
  • \scriptrunner.exe corpus 8 (sigma 8)
  • \sh.exe corpus 13 (sigma 13)
  • \svchost.exe corpus 20 (sigma 20)
  • \verclsid.exe corpus 4 (sigma 4)
  • \wmic.exe corpus 37 (sigma 37)
  • \workfolders.exe corpus 2 (sigma 2)
  • \wscript.exe corpus 64 (sigma 64)
Imagematch
  • \AppData\ corpus 9 (sigma 9)
  • \AppData\Local\Microsoft\OneDrive\ corpus 4 (sigma 4)
  • \ProgramData\ corpus 2 (sigma 2)
  • \Users\Public\ corpus 8 (sigma 8)
  • \Windows\System32\Tasks\ corpus 4 (sigma 4)
  • \Windows\Tasks\ corpus 4 (sigma 4)
  • \Windows\Temp\ corpus 7 (sigma 7)
OriginalFileNameeq
  • CMSTP.EXE corpus 4 (sigma 4)
  • CertOC.exe corpus 6 (sigma 6)
  • CertUtil.exe corpus 13 (sigma 13)
  • Cmd.Exe corpus 32 (sigma 30, splunk 2)
  • HH.exe corpus 5 (sigma 5)
  • IEExec.exe corpus 3 (sigma 3)
  • InstallUtil.exe corpus 5 (sigma 5)
  • MSHTA.EXE corpus 7 (sigma 7)
  • Microsoft.Workflow.Compiler.exe corpus 2 (sigma 2)
  • Msxsl.exe corpus 2 (sigma 2)
  • PowerShell.EXE corpus 64 (sigma 60, splunk 4)
  • REGSVR32.exe corpus 2 (sigma 2)
  • RUNDLL32.exe corpus 3 (sigma 3)
  • RegAsm.exe corpus 6 (sigma 6)
  • RegSvcs.exe corpus 5 (sigma 5)
  • ScriptRunner.exe corpus 3 (sigma 3)
  • WorkFolders.exe corpus 2 (sigma 2)
  • bitsadmin.exe corpus 9 (sigma 9)
  • cscript.exe corpus 15 (sigma 15)
  • curl.exe corpus 11 (sigma 11)
  • javaw.exe corpus 2 (sigma 2)
  • msdt.exe corpus 6 (sigma 6)
  • msiexec.exe corpus 5 (sigma 5)
  • odbcconf.exe corpus 9 (sigma 9)
  • pcalua.exe corpus 2 (sigma 2)
  • schtasks.exe corpus 14 (sigma 14)
  • wmic.exe corpus 33 (sigma 33)
  • wscript.exe corpus 15 (sigma 15)
ParentImageends_with
  • \onenote.exe corpus 3 (sigma 3)