cscli scenarios install sigmahq/proc_creation_win_office_onenote_embedded_script_execution1type: trigger2name: sigmahq/proc_creation_win_office_onenote_embedded_script_execution3description: |4 Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.ParentImage endsWith '\\onenote.exe' && (evt.Parsed.Image endsWith '\\cmd.exe' || evt.Parsed.Image endsWith '\\cscript.exe' || evt.Parsed.Image endsWith '\\mshta.exe' || evt.Parsed.Image endsWith '\\powershell.exe' || evt.Parsed.Image endsWith '\\pwsh.exe' || evt.Parsed.Image endsWith '\\wscript.exe') && (evt.Parsed.CommandLine contains '\\exported\\' || evt.Parsed.CommandLine contains '\\onenoteofflinecache_files\\'))7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t1218.0011516 label: "OneNote.EXE Execution of Malicious Embedded Scripts"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324