Suspicious Microsoft OneNote Child Process

Sigma Rules

Summary
This detection rule identifies potentially malicious child processes spawned by the Microsoft OneNote application. Given the rise in attacks that embed objects within OneNote files (.one), the rule is designed to catch suspicious process creations that may signal an attempt to execute those embedded objects. It uses Windows process creation logs to find every child process whose parent is OneNote and checks each one against a list of known executable names and command-line patterns commonly seen in these attacks. Benign cases, such as executions related to Microsoft Teams and OneDrive, are filtered out to reduce false positives. By consolidating these indicators into a single view of potentially dangerous behavior originating from OneNote, the rule yields a high confidence level for its detections.
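The matching logic the summary describes, expressed as a small evaluator over constructed process-creation events. This is an added illustration, not the rule's own Sigma source; the executable names, command-line patterns and the shape of the Teams/OneDrive exclusion are assumptions, since the page does not reproduce the rule's lists.

```python
import re
from dataclasses import dataclass

# Assumed lists (not shown on this page): a few child images and command-line
# fragments of the kind such a rule flags. The real rule's lists differ.
SUSPICIOUS_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                     "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SUSPICIOUS_CMDLINE = [re.compile(p, re.IGNORECASE) for p in
                      (r"\.hta\b", r"\.vbs\b", r"\.js\b", r"-enc\w*", r"downloadstring")]
# Assumed shape of the Teams/OneDrive exclusion: known benign child images.
BENIGN_CHILDREN = {"teams.exe", "onedrive.exe"}

@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str

def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_suspicious_onenote_child(ev: ProcessEvent) -> bool:
    """Parent must be OneNote; apply the benign filter before the indicators."""
    if basename(ev.parent_image) != "onenote.exe":
        return False
    child = basename(ev.image)
    if child in BENIGN_CHILDREN:
        return False
    if child in SUSPICIOUS_IMAGES:
        return True
    return any(p.search(ev.command_line) for p in SUSPICIOUS_CMDLINE)

# Constructed sample events (not real telemetry).
ONENOTE = r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
SAMPLE_EVENTS = [
    ProcessEvent(ONENOTE, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start invoice.hta"),
    ProcessEvent(ONENOTE, r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
                 "Teams.exe --open"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcessEvent(ONENOTE, r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

def evaluate(events):
    """Return the events the rule would alert on."""
    return [e for e in events if is_suspicious_onenote_child(e)]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print("ALERT:", ev.image, ev.command_line)
```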
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-10-21