### Describe the change

Microsoft OneNote, included in Microsoft Office 2019 and Microsoft 365, is a note-taking and collaboration tool.

The OneNote documents themselves can contain embedded files, like executables, images, or compressed files. In some malware campaigns, threat actors have been observed hiding redirect code behind an image that looks like a button, and upon clicking the image, the file will execute. The file might be different kinds of executables, shortcut (LNK) files, or script files such as HTML application (HTA) or Windows script file (WSF).

This change provides Strelka with the ability to identify and extract files from OneNote files (`.one` and `.onepkg` files). Given a OneNote file, Strelka will extract subfiles, which are then placed back into the Strelka pipeline for processing. This can be useful for identifying anomalous files inside of OneNote files, such as scripts.
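As an added example (not code from this PR or from Strelka), the following locates embedded file objects in a raw `.one` file by the FileDataStoreObject marker GUIDs of the MS-ONESTORE format and tags each child with a coarse type, the kind of identify-and-extract step this scanner performs before handing children back to the pipeline. The sample buffer, the `guess_flavor` heuristics and the footer-padding assumption are constructed here for illustration.

```python
import struct
import uuid
from dataclasses import dataclass

# FileDataStoreObject marker GUIDs from MS-ONESTORE; bytes_le is the on-disk byte order.
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
# guidHeader (16) + cbLength (8) + unused (4) + reserved (8) precede the embedded bytes.
FDSO_DATA_OFFSET = 36

@dataclass
class EmbeddedFile:
    offset: int      # where the object starts in the notebook
    data: bytes      # the raw child file, ready to hand to the next scanner
    flavor: str      # coarse type guess (constructed heuristic, not Strelka's)
    footer_ok: bool  # guidFooter found after the data (within 8-byte padding)

def guess_flavor(data: bytes) -> str:
    """Cheap triage of a child file; scripts inside a notebook deserve a closer look."""
    if data[:2] == b"MZ":
        return "executable"
    text = data[:256].lower()
    if b"@echo off" in text or b"cmd /c" in text:
        return "batch"
    if b"<script" in text or b"<hta:" in text:
        return "hta_or_html"
    return "unknown"

def extract_embedded(blob: bytes) -> list:
    """Walk every FileDataStoreObject in the notebook and return the embedded files."""
    found = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1 and pos + FDSO_DATA_OFFSET <= len(blob):
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start, end = pos + FDSO_DATA_OFFSET, pos + FDSO_DATA_OFFSET + length
        if end > len(blob):
            break  # declared length runs past the file: truncated or hostile, do not trust it
        data = blob[start:end]
        # Assumption: the footer follows the data, possibly after padding to an 8-byte boundary.
        footer_ok = FDSO_FOOTER in blob[end:end + 8 + len(FDSO_FOOTER)]
        found.append(EmbeddedFile(pos, data, guess_flavor(data), footer_ok))
        pos = blob.find(FDSO_HEADER, end)
    return found

def build_sample() -> bytes:
    """Constructed stand-in for a .one file holding one embedded batch script."""
    script = b"@echo off\r\necho constructed test payload\r\n"
    obj = FDSO_HEADER + struct.pack("<Q", len(script)) + b"\x00" * 12 + script
    obj += b"\x00" * ((-len(script)) % 8) + FDSO_FOOTER
    return b"\x00" * 64 + obj + b"\xff" * 32
```

Each returned `EmbeddedFile.data` is what a pipeline like Strelka's would submit as a child event; a `flavor` of `batch` or `hta_or_html` is exactly the atypical child worth surfacing.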
### Describe testing procedures

Malicious OneNote samples as well as test files (`src/python/strelka/tests/fixtures/test.one` and `src/python/strelka/tests/fixtures/test.onepkg`) were tested against this scanner. Observed events include the OneNote file itself (which holds no metadata at the moment) as well as child files of that OneNote file.
### Sample output

You can observe anomalous files using this scanner by exploring events with the key `file.source` of `ScanOnenote`. This key implies that the event is a child of a file identified and scanned with the OneNote scanner. An example of this can be seen below:

**Parent OneNote File Sample**
Shows that a OneNote file was identified and ScanOnenote was executed against that file.
**Child Script File**

Shows that a OneNote file was the source of this file and appropriate scanners were run against this file (as this is a Batch file, `ScanBatch` was run against this). Batch files are atypical child files of OneNote notebooks.

### Checklist