Detectionhightest

Suspicious Microsoft OneNote Child Process

Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Tim Rauch, Nasreddine Bencherchali (Nextron Systems), Elastic SecurityCreated Fri Oct 21Updated Fri Feb 10c27515df-97a9-4162-8a60-dc0eeb51b775windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_parent:
        ParentImage|endswith: '\onenote.exe'
    selection_opt_img:
        - OriginalFileName:
              - 'bitsadmin.exe'
              - 'CertOC.exe'
              - 'CertUtil.exe'
              - 'Cmd.Exe'
              - 'CMSTP.EXE'
              - 'cscript.exe'
              - 'curl.exe'
              - 'HH.exe'
              - 'IEExec.exe'
              - 'InstallUtil.exe'
              - 'javaw.exe'
              - 'Microsoft.Workflow.Compiler.exe'
              - 'msdt.exe'
              - 'MSHTA.EXE'
              - 'msiexec.exe'
              - 'Msxsl.exe'
              - 'odbcconf.exe'
              - 'pcalua.exe'
              - 'PowerShell.EXE'
              - 'RegAsm.exe'
              - 'RegSvcs.exe'
              - 'REGSVR32.exe'
              - 'RUNDLL32.exe'
              - 'schtasks.exe'
              - 'ScriptRunner.exe'
              - 'wmic.exe'
              - 'WorkFolders.exe'
              - 'wscript.exe'
        - Image|endswith:
              - '\AppVLP.exe'
              - '\bash.exe'
              - '\bitsadmin.exe'
              - '\certoc.exe'
              - '\certutil.exe'
              - '\cmd.exe'
              - '\cmstp.exe'
              - '\control.exe'
              - '\cscript.exe'
              - '\curl.exe'
              - '\forfiles.exe'
              - '\hh.exe'
              - '\ieexec.exe'
              - '\installutil.exe'
              - '\javaw.exe'
              - '\mftrace.exe'
              - '\Microsoft.Workflow.Compiler.exe'
              - '\msbuild.exe'
              - '\msdt.exe'
              - '\mshta.exe'
              - '\msidb.exe'
              - '\msiexec.exe'
              - '\msxsl.exe'
              - '\odbcconf.exe'
              - '\pcalua.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regasm.exe'
              - '\regsvcs.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\schtasks.exe'
              - '\scrcons.exe'
              - '\scriptrunner.exe'
              - '\sh.exe'
              - '\svchost.exe'
              - '\verclsid.exe'
              - '\wmic.exe'
              - '\workfolders.exe'
              - '\wscript.exe'
    selection_opt_explorer:
        Image|endswith: '\explorer.exe'
        CommandLine|contains:
            - '.hta'
            - '.vb'
            - '.wsh'
            - '.js'
            - '.ps'
            - '.scr'
            - '.pif'
            - '.bat'
            - '.cmd'
    selection_opt_paths:
        Image|contains:
            - '\AppData\'
            - '\Users\Public\'
            - '\ProgramData\'
            - '\Windows\Tasks\'
            - '\Windows\Temp\'
            - '\Windows\System32\Tasks\'
    filter_teams:
        Image|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
        CommandLine|endswith: '-Embedding'
    filter_onedrive:
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
        Image|endswith: '\FileCoAuth.exe'
        CommandLine|endswith: '-Embedding'
    condition: selection_parent and 1 of selection_opt_* and not 1 of filter_*