Shop Our Merch Report A Breach 1-877-550-4728

Home > Resources > Blog > How Threat Actors Use OneNote to Deploy ASyncRAT

How Threat Actors Use OneNote to Deploy ASyncRAT

February 1, 2023

By Carlos Perez in Incident Response, Incident Response & Forensics, Malware Analysis, Office 365 Security Assessment, Threat Hunting

See how Research Team Lead Carlos Perez dissects a sample of a OneNote document that was used to deploy ASyncRAT, an open-source remote admin tool, to enable phishing attacks. You’ll find out how these OneNote files are now being used by threat actors and where to find the location that ASyncRAT is being downloaded and executed.

The detection for this attack is included in the TrustedSec Sysmon Configuration and will allow you to monitor and block actions taken with this technique.
https://github.com/trustedsec/defensive-scripts/blob/main/onenote_asyncrat_dropper.xml

More Like This

Critical Outlook Vulnerability: In-Depth Technical Analysis and Recommendations (CVE-2023-23397)

March 17, 2023

By Olivia Cate, Justin Elze, Nick Gilberti, Leo Bastidas, Robert R. Lee Jr., Andrew Schwartz, Carlos Perez and Oddvar Moe in Incident Response, Incident Response & Forensics, Purple Team Adversarial Detection & Countermeasures, Research, Vulnerability Assessment

Red vs. Blue: Kerberos Ticket Times, Checksums, and You!

March 14, 2023

By Andrew Schwartz in Incident Response, Incident Response & Forensics, Penetration Testing, Purple Team Adversarial Detection & Countermeasures, Threat Hunting

Getting Analysis Practice from Windows Event Log Sample Attacks

March 7, 2023

By Thomas Millar in Incident Response, Incident Response & Forensics