High Severity
Attachment: Malicious OneNote Commands
Labels
Description
Scans for OneNote attachments that contain suspicious commands that may indicate malicious activity.
References
@Kyle_Parrish_
Created Aug 17th, 2023 • Last updated Aug 21st, 2023
Feed Source
Sublime Core Feed
Source
type.inbound
and any(attachments,
(.file_extension in~ ("one") or .file_extension in~ $file_extensions_common_archives)
and any(file.explode(.),
"onenote_file" in .flavors.yara
and any(.scan.strings.strings,
strings.ilike(.,
"*WshShell*",
"*ExecuteCmdAsync*",
"*CreateObject*",
"*Wscript.Shell*",
"*schtasks*",
"*CreateProcess*",
"*winmgmts*",
"*SetEnvironmentVariable*",
"*powershell*",
"*echo off*"
)
)
)
)
Playground
Test against your own EMLs or sample data.