[QueryCorner][March2023] Deep Diving into OneNote Attacks

Purpose

This post is going to cover how the Sophos Central Adaptive Cybersecurity Ecosystem (ACE) empowers an analyst to maximize time spent hunting across their environment. We will focus our attention to a trend in attacks -- using Microsoft OneNote files.

Why? Simple--Microsoft put restrictions on the use of macros in Word and Excel documents. This has made it challenging for adversaries to follow their traditional playbooks. Their solution? Quite simple too -- send the target a OneNote file with embedded files.

This post is the Query Corner's version of "March Madness"

Prerequisites

You must have XDR enabled in your environment. Sophos Email Security or XG/XGS Firewall Series will be required for some of the queries.

DISCLAIMER: Query #1 and #2 rely upon Microsoft 365 Administrative Templates to be successful. These links are provided "as-is" and Sophos does not support them in any capacity.

Query #1 - Live Discover - Check if Embedded Files Are Restricted

NOTE: Please verify you have met the prerequisites.

SELECT name, datetime(mtime,'unixepoch','localtime') as modifiedTime,
   CASE 
    WHEN DATA = '1' THEN 'Enabled'
    WHEN DATA = '0' THEN 'Disabled'
    ELSE 'key not found'
   END AS Status
FROM registry WHERE path LIKE 'HKEY_USERS\%\Software\Policies\Microsoft\office\%\onenote\options\%%'
AND name = 'disableembeddedfiles'

Result #1

 

If your agent reports enabled, then OneNote will be restricted from loading ANY embedded file type. If this returns nothing, the Admin Templates are not enabled to the device(s) or this is not configured.

Query #2 - Live Discover - Check if Embedded File Types Are Filtered

NOTE: Please verify you have met the prerequisite.

/* 
-- author: jkopacko

  += version 1.0 - 03/06/2023

*/

SELECT name, 
    REPLACE(data, ';', ' ') AS fileTypes, 
    datetime(mtime,'unixepoch','localtime') as modifiedTime
FROM registry 
WHERE path LIKE 'HKEY_USERS\%\Software\Policies\Microsoft\office\%\onenote\options\embeddedfileopenoptions\%%'
AND name = 'blockedextensions'

Result #2

 

If this returns nothing, the Admin Templates are not enabled to the device(s) or the mitigation is not configured.

The fileTypes column has removed the proper formatting to make it easier for the analyst to read. The Group Policy formatting will look like ".ext1;.ext2;.ext3;.etc" naturally.

Query #3 - Live Discover - Hunting for OneNote File Types

NOTE: This can be resource intensive

/* 
-- author: jkopacko

  += Descriptive names: startTime
  += Variable type: Date
  += Value: wildcards work but discouraged due to resource demand
  += version 1.0 - 03/06/2023

*/

SELECT sfp.sha256,
f.path,
f.filename,
datetime(f.atime,'unixepoch','localtime') AS Last_Accessed,
datetime(f.mtime,'unixepoch','localtime') AS Last_Modified,
datetime(f.ctime,'unixepoch','localtime') AS Creation_Time
FROM file f
LEFT JOIN sophos_file_properties sfp
	ON f.path = sfp.path
WHERE f.filename LIKE '%.one'
AND  (f.path LIKE 'C:\Users\Public\%%'
    OR f.path LIKE 'C:\Users\%\Downloads\%'
    OR f.path LIKE 'C:\Users\%\Documents\%'
    OR f.path LIKE 'C:\Users\%\Desktop\%'
    OR f.path LIKE 'C:\Users\%\Music\%%'
    OR f.path LIKE 'C:\Users\%\Pictures\%%'
    OR f.path LIKE 'C:\Users\%\AppData\Local\Temp\%'
    OR f.path LIKE 'C:\Users\%\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\%')
    --Can add more search locations but will task the service further
    /*
    OR f.path LIKE 'C:\ProgramData\%'
    OR f.path LIKE 'C:\Perflogs\%'
    OR f.path LIKE 'C:\Intel\%'
    OR f.path LIKE 'C:\Temp\%'
    OR f.path LIKE 'C:\Windows\%'
    OR f.path LIKE 'C:\Windows\Temp\%'
    OR f.path LIKE 'C:\Windows\System32\%'
    OR f.path LIKE 'C:\Windows\SysWOW64\%')
    */
AND datetime(f.ctime,'unixepoch','localtime') > $$startTime$$

NOTE: Later versions of this query will be modified for gathering data sets in intervals of 6-8 hours to allow for longer hunting times

Result #3

 

NOTE: We could use this query to hunt for a specific SHA256 discovery if we received Threat Intel on an IoC/IoA.

Query #4 - Data Lake: Email - Find Emails with Attachments

Good news! This is already available in your Dashboard Today.

Navigate to Live Discover > Data Lake > Email > Find Emails with Attachments

Enter the query as shown below:

You can use wildcards within the values of the variables. Here I am expanding this to search of ANY (%) attachment name with the OneNote file extension (.one).

Result #4

Query #5 - Data Lake: Firewall - Find OneNote File Downloads

NOTE: I am using TLS decryption in my Lab environment

SELECT timestamp,
log_type,
log_component,
log_subtype,
severity,
user_name,
src_ip,
dst_ip,
dst_port,
app_name,
app_category,
app_risk,
url,
download_file_name,
download_file_type
FROM xgfw_data
WHERE download_file_name LIKE '%.one'

Result #5

NOTE: this screenshot is missing several categories, but the destination info is what we really care about, right? ;)


Happy querying!

-jk



Added Disclaimer
[edited by: GlennSen at 4:02 PM (GMT -7) on 5 Apr 2023]
Parents
  • Good stuff JK!
    Query #5 can also be used with a variable:

    --Insert variable $$filename$$ as STRING

    SELECT timestamp,
    log_type,
    log_component,
    log_subtype,
    severity,
    user_name,
    src_ip,
    dst_ip,
    dst_port,
    app_name,
    app_category,
    app_risk,
    url,
    download_file_name,
    download_file_type
    FROM xgfw_data
    WHERE download_file_name LIKE '$$filename$$'

Reply
  • Good stuff JK!
    Query #5 can also be used with a variable:

    --Insert variable $$filename$$ as STRING

    SELECT timestamp,
    log_type,
    log_component,
    log_subtype,
    severity,
    user_name,
    src_ip,
    dst_ip,
    dst_port,
    app_name,
    app_category,
    app_risk,
    url,
    download_file_name,
    download_file_type
    FROM xgfw_data
    WHERE download_file_name LIKE '$$filename$$'

Children
No Data