AsyncRAT Initial Access Campaign via OneNote files
Behavior Async RAT Initial Access
Query
EmailEvents
// Only select inbound mails
| where EmailDirection == "Inbound"
// Join the attachment information where onenote files have been send
| join kind=inner (EmailAttachmentInfo
| where FileType == "one;onenote")
on NetworkMessageId
| project SenderFromAddress, RecipientEmailAddress, Subject, FileName, SHA256
// Join the file events, which means that the attachment has been opened.
| join kind=inner (DeviceFileEvents
| project DeviceName, SHA256, FolderPath)
on SHA256About this query
Explanation
This query is designed to help identify potential security threats in your environment related to the delivery of AsyncRAT malware through OneNote files. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to detect instances where OneNote files, potentially containing AsyncRAT malware, have been sent via email and subsequently opened by a user.
-
Process:
- It starts by filtering for inbound emails, meaning emails that have been received by users in your organization.
- It then looks for emails that have OneNote file attachments by checking the file type.
- The query collects information about these emails, including the sender's address, recipient's address, email subject, file name, and the file's unique identifier (SHA256).
- Next, it checks if these OneNote attachments have been opened by joining this information with device file events, which logs when files are accessed on a device.
-
Outcome: The query does not determine if the OneNote file is malicious on its own. Instead, it flags instances where a OneNote file has been received and opened, which could indicate a potential security risk that needs further investigation.
-
Risk: If a malicious OneNote file is opened, it could lead to the execution of AsyncRAT, a type of malware that can compromise the security of the affected system.
-
Usage: This query is a starting point for security teams to hunt for potentially malicious activity involving OneNote files and to take appropriate action if a threat is identified.
