Query Details

AsyncRAT Initial Access Campaign via OneNote files

Behavior Async RAT Initial Access

Query

EmailEvents
// Only select inbound mails
| where EmailDirection == "Inbound"
// Join the attachment information where onenote files have been send
| join kind=inner (EmailAttachmentInfo
     | where FileType == "one;onenote")
     on NetworkMessageId
| project SenderFromAddress, RecipientEmailAddress, Subject, FileName, SHA256
// Join the file events, which means that the attachment has been opened.
| join kind=inner (DeviceFileEvents
     | project DeviceName, SHA256, FolderPath)
     on SHA256

About this query

Explanation

This query is designed to help identify potential security threats in your environment related to the delivery of AsyncRAT malware through OneNote files. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to detect instances where OneNote files, potentially containing AsyncRAT malware, have been sent via email and subsequently opened by a user.

  2. Process:

    • It starts by filtering for inbound emails, meaning emails that have been received by users in your organization.
    • It then looks for emails that have OneNote file attachments by checking the file type.
    • The query collects information about these emails, including the sender's address, recipient's address, email subject, file name, and the file's unique identifier (SHA256).
    • Next, it checks if these OneNote attachments have been opened by joining this information with device file events, which logs when files are accessed on a device.
  3. Outcome: The query does not determine if the OneNote file is malicious on its own. Instead, it flags instances where a OneNote file has been received and opened, which could indicate a potential security risk that needs further investigation.

  4. Risk: If a malicious OneNote file is opened, it could lead to the execution of AsyncRAT, a type of malware that can compromise the security of the affected system.

  5. Usage: This query is a starting point for security teams to hunt for potentially malicious activity involving OneNote files and to take appropriate action if a threat is identified.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

EmailEventsEmailAttachmentInfoDeviceFileEvents

Keywords

EmailEventsAttachmentInfoDeviceFile

Operators

EmailEventswherejoinkind=inneronproject

MITRE Techniques

Actions

GitHub