One Note Zeroday

Query

Query:
DeviceProcessEvents
| where InitiatingProcessFileName contains "onenote"
    and FileName !in ("crashpad_handler.exe", "conhost.exe", "MSOSYNC.EXE", "msedge.exe",
        "msedgewebview2.exe", "chrome.exe", "firefox.exe", "opera.exe", "brave.exe",
        "iexplore.exe", "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "AcroRd32.exe",
        "Acrobat.exe", "ONENOTEM.exe", "OUTLOOK.exe", "ai.exe", "Teams.exe",
        "notepad.exe", "protocolhandler.exe", "ONENOTE.EXE", "splwow64.exe")
| where FileName != @"ONENOTEM.EXE"
    and FolderPath != @"/usr/bin/codesign"
    and FolderPath != @"C:\Windows\System32\DWWIN.EXE"

Explanation

This query filters DeviceProcessEvents for child processes spawned by OneNote. It keeps events where InitiatingProcessFileName contains "onenote" and FileName is not in the list of excluded processes (browsers, Office applications, Acrobat, Teams and other known OneNote children). It then drops any remaining events where FileName is "ONENOTEM.EXE" or where FolderPath is either "/usr/bin/codesign" or "C:\Windows\System32\DWWIN.EXE", so what survives is an unexpected process launched from OneNote.
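The following is an added Python model of the query's two where clauses (not part of the original page or the author's query), run over constructed DeviceProcessEvents rows so the filter's behaviour can be checked offline. It reproduces KQL string semantics: `contains` is case-insensitive, while `!in` and `!=` compare case-sensitively.

```python
EXCLUDED_FILENAMES = {
    "crashpad_handler.exe", "conhost.exe", "MSOSYNC.EXE", "msedge.exe",
    "msedgewebview2.exe", "chrome.exe", "firefox.exe", "opera.exe", "brave.exe",
    "iexplore.exe", "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "AcroRd32.exe",
    "Acrobat.exe", "ONENOTEM.exe", "OUTLOOK.exe", "ai.exe", "Teams.exe",
    "notepad.exe", "protocolhandler.exe", "ONENOTE.EXE", "splwow64.exe",
    "ONENOTEM.EXE",  # the second `where` clause's `!=` adds this casing
}
EXCLUDED_FOLDERPATHS = {"/usr/bin/codesign", r"C:\Windows\System32\DWWIN.EXE"}


def matches(event):
    """Return True if a DeviceProcessEvents row survives both where clauses."""
    # KQL `contains` is case-insensitive.
    if "onenote" not in event["InitiatingProcessFileName"].lower():
        return False
    # KQL `!in` and `!=` compare case-sensitively, so casing matters here.
    if event["FileName"] in EXCLUDED_FILENAMES:
        return False
    return event["FolderPath"] not in EXCLUDED_FOLDERPATHS


def run_query(events):
    """Apply the filter to an iterable of rows and return the kept ones."""
    return [e for e in events if matches(e)]


# Constructed sample rows, not real telemetry.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EDGE_PATH = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {"InitiatingProcessFileName": "ONENOTE.EXE", "FileName": "powershell.exe", "FolderPath": PS_PATH},
    {"InitiatingProcessFileName": "onenote.exe", "FileName": "msedge.exe", "FolderPath": EDGE_PATH},
    # Same browser, different casing: not in the exclusion list, so it is kept.
    {"InitiatingProcessFileName": "onenote.exe", "FileName": "MSEDGE.EXE", "FolderPath": EDGE_PATH},
    {"InitiatingProcessFileName": "explorer.exe", "FileName": "powershell.exe", "FolderPath": PS_PATH},
]

if __name__ == "__main__":
    for row in run_query(SAMPLE_EVENTS):
        print(row["InitiatingProcessFileName"], "->", row["FileName"])
```

The third sample row shows why the exclusions depend on exact casing: because `!in` and `!=` are case-sensitive, a FileName logged as "MSEDGE.EXE" is not excluded, whereas the case-insensitive KQL operators `!in~` and `!~` would make the exclusion list casing-independent.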

Details

Ali Hussein

Released: September 30, 2023

Tables

DeviceProcessEvents
