ScanOnenote Scanner #298

Merged
merged 5 commits into from
Feb 3, 2023

Conversation

phutelmyer
Contributor

@phutelmyer phutelmyer commented Jan 25, 2023

Describe the change
Microsoft OneNote, included in Microsoft Office 2019 and Microsoft 365, is a note-taking and collaboration tool.

The OneNote documents themselves can contain embedded files, like executables, images, or compressed files. In some malware campaigns, threat actors have been observed hiding redirect code behind an image that looks like a button, and upon clicking the image, the file will execute. The file might be different kinds of executables, shortcut (LNK) files, or script files such as HTML application (HTA) or Windows script file (WSF).

This change provides Strelka with the ability to identify and extract files from OneNote files (.one and .onepkg). Given a OneNote file, Strelka will extract subfiles, which are then placed back into the Strelka pipeline for processing. This can be useful for identifying anomalous files inside of OneNote files, such as scripts.

Describe testing procedures
Malicious OneNote samples as well as test files (src/python/strelka/tests/fixtures/test.one and src/python/strelka/tests/fixtures/test.onepkg) were tested against this scanner. Observed events include the OneNote file itself (which holds no metadata at the moment) as well as child files of that OneNote file.

============================= test session starts ==============================
platform linux -- Python 3.10.6, pytest-7.2.0, pluggy-1.0.0
rootdir: /strelka
plugins: unordered-0.5.2, mock-3.10.0
collected 104 items
...
tests/test_scan_ole.py ....
tests/test_scan_onenote.py ..
tests/test_scan_pcap.py ..
...
====================== 104 passed, 26 warnings in 58.50s =======================

Sample output

You can observe anomalous files using this scanner by exploring events with the key file.source of ScanOnenote. This key implies that the event is a child of a file identified and scanned with the OneNote scanner. An example of this can be seen below:

Parent OneNote File Sample
Shows that a OneNote file was identified and ScanOnenote was executed against that file.

{
  "file": {
    "depth": 0,
    "flavors": {
      "mime": [
        "application/octet-stream"
      ],
      "yara": [
        "onenote_file"
      ]
    },
    "name": "REMOVED",
    "scanners": [
      "ScanEntropy",
      "ScanFooter",
      "ScanHash",
      "ScanHeader",
      "ScanOnenote",
      "ScanYara"
    ],
    ...
  },
  "scan": {
    "onenote": {
      "elapsed": 0.015488
    },
    "yara": {
      "elapsed": 0.043428,
      ...
    },
    ...
  }
}

Child Script File
Shows that a OneNote file was the source of this file and that the appropriate scanners were run against it (as this is a batch file, ScanBatch was run against it). Batch files are atypical child files of OneNote notebooks.

{
  "file": {
    "depth": 1,
    "flavors": {
      "mime": [
        "text/x-msdos-batch"
      ]
    },
    "name": "REMOVED",
    "scanners": [
      "ScanBatch",
      "ScanEntropy",
      "ScanFooter",
      "ScanHash",
      "ScanHeader",
      "ScanYara"
    ],
    "size": 50582,
    "source": "ScanOnenote",
    "tree": {
      "node": "a7d027b7-99a5-4314-bd3e-95a4f6ea978f",
      "parent": "e1e46b15-accc-48f6-99a9-7918e74acdd7",
      "root": "e1e46b15-accc-48f6-99a9-7918e74acdd7"
    }
  },
  "scan": {
    "batch": {
      "elapsed": 0.024035,
      "strings": [
        "WUoV=set",
        "OjSRJIrFLn=ex",
        "MOJvZslwrv=Po",
        "cSdjTkwQXC=s\\\\",
        "RNnLdLhrkr=do",
        "wFVpokNJgI=rs",
        ...
      ]
    }
  }
}

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of and tested my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
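Added example (not part of the PR or Strelka's own ScanOnenote code): a minimal carver that finds embedded files in a .one section the way the description above says the scanner does, by locating every FileDataStoreObject structure, reading its declared cbLength, and slicing out the FileData. The GUIDs and field layout are taken from MS-ONESTORE section 2.6.13; the flavor labels, the `onenote_children` helper and the sample buffer are this example's own constructions, and the sample is a synthetic .one-style buffer (not a real malware artifact). It also shows the two checks a practitioner wants when carving on an attacker-controlled length: refusing a cbLength that runs past the end of the file, and flagging an object whose guidFooter is not where the length says it should be.

```python
"""Carve embedded files (FileDataStoreObject payloads) out of a OneNote .one file.

Added example for this PR thread; it is not Strelka's ScanOnenote code. The
structure layout and GUIDs follow MS-ONESTORE section 2.6.13.
"""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass

# guidHeader {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} in on-disk byte order
# (Data1..Data3 little-endian, Data4 as written).
FDSO_GUID_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
# guidFooter {71FBA722-0F79-4A0B-BB13-899256426B24}, same encoding.
FDSO_GUID_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
# Fields after guidHeader: cbLength (uint64 LE), unused (uint32), reserved (8 bytes).
FDSO_FIELDS = struct.Struct("<QI8s")
FDSO_HEADER_LEN = len(FDSO_GUID_HEADER) + FDSO_FIELDS.size  # 36 bytes before FileData

# Magic-byte sniff for carved payloads. Labels are this example's own, not Strelka flavors.
MAGICS = [
    (b"MZ", "executable"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),
    (b"L\x00\x00\x00\x01\x14\x02\x00", "lnk"),
]


@dataclass
class EmbeddedFile:
    offset: int      # offset of guidHeader in the .one buffer
    data: bytes      # the carved FileData bytes
    footer_ok: bool  # guidFooter sits right after the declared cbLength bytes

    @property
    def flavor(self) -> str:
        for magic, label in MAGICS:
            if self.data.startswith(magic):
                return label
        try:
            text = self.data.decode("ascii")
        except UnicodeDecodeError:
            return "binary"
        if not all(c.isprintable() or c in "\r\n\t" for c in text):
            return "binary"
        # Cheap heuristic for the case in the PR: a batch dropper that opens with @echo.
        return "batch" if text.lstrip().lower().startswith("@echo") else "text"


def carve_embedded_files(data: bytes) -> list[EmbeddedFile]:
    """Return every FileDataStoreObject payload whose declared length fits inside data."""
    found = []
    for match in re.finditer(re.escape(FDSO_GUID_HEADER), data):
        start = match.start()
        if start + FDSO_HEADER_LEN > len(data):
            break  # header GUID at the tail of the file: no length field to read
        cb_length, _unused, _reserved = FDSO_FIELDS.unpack_from(data, start + len(FDSO_GUID_HEADER))
        payload_start = start + FDSO_HEADER_LEN
        payload_end = payload_start + cb_length
        if cb_length == 0 or payload_end > len(data):
            continue  # zero or out-of-range cbLength: never slice on an untrusted length
        footer = data[payload_end:payload_end + len(FDSO_GUID_FOOTER)]
        found.append(EmbeddedFile(start, data[payload_start:payload_end], footer == FDSO_GUID_FOOTER))
    return found


def onenote_children(events: list[dict]) -> list[dict]:
    """Select Strelka events whose file.source is ScanOnenote, i.e. files carved from a notebook."""
    return [e for e in events if e.get("file", {}).get("source") == "ScanOnenote"]


# Constructed sample, not a real malware artifact: a .one-style buffer that starts with the
# guidFileType for .one sections {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}, then carries a batch
# payload, a PNG payload, and a trailing header whose cbLength overruns the buffer.
def _fdso(payload: bytes) -> bytes:
    return FDSO_GUID_HEADER + FDSO_FIELDS.pack(len(payload), 0, b"\0" * 8) + payload + FDSO_GUID_FOOTER


SAMPLE_BATCH = b"@echo off\r\nset WUoV=set\r\nset OjSRJIrFLn=ex\r\n%WUoV% MOJvZslwrv=Po\r\n"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
SAMPLE_ONE = (
    bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3") + b"\x00" * 32
    + _fdso(SAMPLE_BATCH) + b"\x00" * 16 + _fdso(SAMPLE_PNG)
    + FDSO_GUID_HEADER + FDSO_FIELDS.pack(1 << 40, 0, b"\0" * 8) + b"\x00" * 8
)

if __name__ == "__main__":
    for f in carve_embedded_files(SAMPLE_ONE):
        print(f"offset={f.offset} size={len(f.data)} flavor={f.flavor} footer_ok={f.footer_ok}")
```

Run as a script, the carver reports the batch and PNG objects and silently drops the third header because its cbLength points past the end of the buffer. An object is still returned when the footer GUID is missing, but with `footer_ok` set to False; a child with a mismatched footer and an implausible flavor is exactly the kind of event worth pivoting on once it shows up in Strelka with `file.source` equal to `ScanOnenote`.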

@phutelmyer phutelmyer marked this pull request as draft January 25, 2023 17:50
@phutelmyer phutelmyer changed the title init ScanOnenote Scanner Jan 25, 2023
@phutelmyer phutelmyer marked this pull request as ready for review February 3, 2023 16:02
@phutelmyer phutelmyer merged commit 6d79b3d into master Feb 3, 2023
cameron-dunn-sublime pushed a commit to sublime-security/strelka that referenced this pull request Feb 6, 2023
ScanOnenote Scanner

gcp -m 1 6d79b3d

Added additional yara rule which was picked up by cherry-pick,
and applied scanner config to our file.
cameron-dunn-sublime added a commit to sublime-security/strelka that referenced this pull request Feb 7, 2023
* Merge pull request target#204 from target/scanner_update_scanlnk

Updating / Reformatting ScanLNK

* Merge pull request target#298 from target/scan-onenote

ScanOnenote Scanner

gcp -m 1 6d79b3d

Added additional yara rule which was picked up by cherry-pick,
and applied scanner config to our file.

---------

Co-authored-by: Paul Hutelmyer <paul.hutelmyer@gmail.com>