Query Details

Onenote Spawning Suspicious Processes

Query

DeviceProcessEvents
| where InitiatingProcessParentFileName contains @"ONENOTE.EXE"
| where InitiatingProcessFileName has_any (@"powershell.exe", @"pwsh.exe", @"wscript.exe", @"cscript.exe", @"mshta.exe", @"cmd.exe")

About this query

OneNote spawning suspicious processes

Description

This query detects processes spawned by onenote.exe that could reflect malicious activity. Query has been created during 2/2023 where OneNote has been widely abused to deliver malware.

References

Microsoft 365 Defender & Microsoft Sentinel

MITRE ATT&CK Mapping

Source

  • MDE

Versioning

VersionDateComments
1.008/02/2023Initial publish
1.123/05/2023Modified template, ATT&CK map

Explanation

This query is designed to detect any suspicious processes that are spawned by the onenote.exe application. It was created in response to the widespread abuse of OneNote to deliver malware. The query looks for processes that are initiated by onenote.exe and have filenames such as powershell.exe, pwsh.exe, wscript.exe, cscript.exe, mshta.exe, or cmd.exe. The purpose of this query is to identify any potentially malicious activity associated with OneNote.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: August 14, 2023

Tables

DeviceProcessEvents

Keywords

DevicesIntuneUser

Operators

wherecontainshas_any

MITRE Techniques

Actions

GitHub