Onenote Spawning Suspicious Processes
Query
DeviceProcessEvents
| where InitiatingProcessParentFileName contains @"ONENOTE.EXE"
| where InitiatingProcessFileName has_any (@"powershell.exe", @"pwsh.exe", @"wscript.exe", @"cscript.exe", @"mshta.exe", @"cmd.exe")About this query
OneNote spawning suspicious processes
Description
This query detects processes spawned by onenote.exe that could reflect malicious activity. Query has been created during 2/2023 where OneNote has been widely abused to deliver malware.
References
- https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0
- https://www.rapid7.com/blog/post/2023/01/31/rapid7-observes-use-of-microsoft-onenote-to-spread-redline-infostealer-malware/
Microsoft 365 Defender & Microsoft Sentinel
MITRE ATT&CK Mapping
- Tactic: Privilege Escalation
- Technique ID: T1055.012
- Process Injection: Process Hollowing
Source
- MDE
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 08/02/2023 | Initial publish |
| 1.1 | 23/05/2023 | Modified template, ATT&CK map |
Explanation
This query is designed to detect any suspicious processes that are spawned by the onenote.exe application. It was created in response to the widespread abuse of OneNote to deliver malware. The query looks for processes that are initiated by onenote.exe and have filenames such as powershell.exe, pwsh.exe, wscript.exe, cscript.exe, mshta.exe, or cmd.exe. The purpose of this query is to identify any potentially malicious activity associated with OneNote.
