Skip to Main Content
February 01, 2023

How Threat Actors Use OneNote to Deploy ASyncRAT

Written by Carlos Perez
Incident Response Incident Response & Forensics Malware Analysis Office 365 Security Assessment Threat Hunting

See how Research Team Lead Carlos Perez dissects a sample of a OneNote document that was used to deploy ASyncRAT, an open-source remote admin tool, to enable phishing attacks. You’ll find out how these OneNote files are now being used by threat actors and where to find the location that ASyncRAT is being downloaded and executed.

The detection for this attack is included in the TrustedSec Sysmon Configuration and will allow you to monitor and block actions taken with this technique.