Office Application Initiated Network Connection To Non-Local IP
Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses. This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292. This rule will require an initial baseline and tuning that is specific to your organization.
Sigma rule (View on GitHub)
1title: Office Application Initiated Network Connection To Non-Local IP
2id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
3status: test
4description: |
5 Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.
6 This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
7 This rule will require an initial baseline and tuning that is specific to your organization.
8references:
9 - https://corelight.com/blog/detecting-cve-2021-42292
10 - https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
11author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
12date: 2021-11-10
13modified: 2024-07-02
14tags:
15 - attack.execution
16 - attack.t1203
17logsource:
18 category: network_connection
19 product: windows
20detection:
21 selection:
22 Image|endswith:
23 - '\excel.exe'
24 - '\outlook.exe'
25 - '\powerpnt.exe'
26 - '\winword.exe'
27 - '\wordview.exe'
28 Initiated: 'true'
29 filter_main_local_ranges:
30 DestinationIp|cidr:
31 - '127.0.0.0/8'
32 - '10.0.0.0/8'
33 - '172.16.0.0/12'
34 - '192.168.0.0/16'
35 - '169.254.0.0/16'
36 - '::1/128' # IPv6 loopback
37 - 'fe80::/10' # IPv6 link-local addresses
38 - 'fc00::/7' # IPv6 private addresses
39 filter_main_msrange_generic:
40 DestinationIp|cidr:
41 - '20.184.0.0/13' # Microsoft Corporation
42 - '20.192.0.0/10' # Microsoft Corporation
43 - '23.72.0.0/13' # Akamai International B.V.
44 - '40.76.0.0/14' # Microsoft Corporation
45 - '51.10.0.0/15' # Microsoft Corporation
46 - '51.103.0.0/16' # Microsoft Corporation
47 - '51.104.0.0/15' # Microsoft Corporation
48 - '51.142.136.0/22' # Microsoft Corporation - https://ipinfo.io/AS8075/51.140.0.0/14-51.142.136.0/22
49 - '52.160.0.0/11' # Microsoft Corporation - https://ipinfo.io/AS8075/52.160.0.0/11
50 - '204.79.197.0/24' # Microsoft Corporation
51 filter_main_msrange_exchange_1:
52 # Exchange Online
53 # "urls": [
54 # "outlook.cloud.microsoft",
55 # "outlook.office.com",
56 # "outlook.office365.com"
57 # ]
58 DestinationIp|cidr:
59 - '13.107.6.152/31'
60 - '13.107.18.10/31'
61 - '13.107.128.0/22'
62 - '23.103.160.0/20'
63 - '40.96.0.0/13'
64 - '40.104.0.0/15'
65 - '52.96.0.0/14'
66 - '131.253.33.215/32'
67 - '132.245.0.0/16'
68 - '150.171.32.0/22'
69 - '204.79.197.215/32'
70 - '2603:1006::/40'
71 - '2603:1016::/36'
72 - '2603:1026::/36'
73 - '2603:1036::/36'
74 - '2603:1046::/36'
75 - '2603:1056::/36'
76 - '2620:1ec:4::152/128'
77 - '2620:1ec:4::153/128'
78 - '2620:1ec:c::10/128'
79 - '2620:1ec:c::11/128'
80 - '2620:1ec:d::10/128'
81 - '2620:1ec:d::11/128'
82 - '2620:1ec:8f0::/46'
83 - '2620:1ec:900::/46'
84 - '2620:1ec:a92::152/128'
85 - '2620:1ec:a92::153/128'
86 DestinationPort:
87 - 80
88 - 443
89 filter_main_msrange_exchange_2:
90 # Exchange Online
91 # "urls": [
92 # "outlook.office365.com",
93 # "smtp.office365.com"
94 # ]
95 DestinationIp|cidr:
96 - '13.107.6.152/31'
97 - '13.107.18.10/31'
98 - '13.107.128.0/22'
99 - '23.103.160.0/20'
100 - '40.96.0.0/13'
101 - '40.104.0.0/15'
102 - '52.96.0.0/14'
103 - '131.253.33.215/32'
104 - '132.245.0.0/16'
105 - '150.171.32.0/22'
106 - '204.79.197.215/32'
107 - '2603:1006::/40'
108 - '2603:1016::/36'
109 - '2603:1026::/36'
110 - '2603:1036::/36'
111 - '2603:1046::/36'
112 - '2603:1056::/36'
113 - '2620:1ec:4::152/128'
114 - '2620:1ec:4::153/128'
115 - '2620:1ec:c::10/128'
116 - '2620:1ec:c::11/128'
117 - '2620:1ec:d::10/128'
118 - '2620:1ec:d::11/128'
119 - '2620:1ec:8f0::/46'
120 - '2620:1ec:900::/46'
121 - '2620:1ec:a92::152/128'
122 - '2620:1ec:a92::153/128'
123 DestinationPort:
124 - 143
125 - 587
126 - 993
127 - 995
128 Protocol: 'tcp'
129 filter_main_msrange_exchange_3:
130 # Exchange Online
131 # "urls": [
132 # "*.protection.outlook.com"
133 # ]
134 DestinationIp|cidr:
135 - '40.92.0.0/15'
136 - '40.107.0.0/16'
137 - '52.100.0.0/14'
138 - '52.238.78.88/32'
139 - '104.47.0.0/17'
140 - '2a01:111:f400::/48'
141 - '2a01:111:f403::/48'
142 DestinationPort: 443
143 filter_main_msrange_exchange_4:
144 # Exchange Online
145 # "urls": [
146 # "*.mail.protection.outlook.com",
147 # "*.mx.microsoft"
148 # ]
149 DestinationIp|cidr:
150 - '40.92.0.0/15'
151 - '40.107.0.0/16'
152 - '52.100.0.0/14'
153 - '52.238.78.88/32'
154 - '104.47.0.0/17'
155 - '2a01:111:f400::/48'
156 - '2a01:111:f403::/48'
157 DestinationPort: 25
158 filter_main_msrange_sharepoint_1:
159 # SharePoint Online and OneDrive for Business",
160 # "urls": [
161 # "*.sharepoint.com"
162 # ]
163 DestinationIp|cidr:
164 - '13.107.136.0/22'
165 - '40.108.128.0/17'
166 - '52.104.0.0/14'
167 - '104.146.128.0/17'
168 - '150.171.40.0/22'
169 - '2603:1061:1300::/40'
170 - '2620:1ec:8f8::/46'
171 - '2620:1ec:908::/46'
172 - '2a01:111:f402::/48'
173 DestinationPort:
174 - 80
175 - 443
176 Protocol: 'tcp'
177 filter_main_msrange_office_1:
178 # Microsoft 365 Common and Office Online",
179 # "urls": [
180 # "*.officeapps.live.com",
181 # "*.online.office.com",
182 # "office.live.com"
183 # ],
184 DestinationIp|cidr:
185 - '13.107.6.171/32'
186 - '13.107.18.15/32'
187 - '13.107.140.6/32'
188 - '52.108.0.0/14'
189 - '52.244.37.168/32'
190 - '2603:1006:1400::/40'
191 - '2603:1016:2400::/40'
192 - '2603:1026:2400::/40'
193 - '2603:1036:2400::/40'
194 - '2603:1046:1400::/40'
195 - '2603:1056:1400::/40'
196 - '2603:1063:2000::/38'
197 - '2620:1ec:c::15/128'
198 - '2620:1ec:8fc::6/128'
199 - '2620:1ec:a92::171/128'
200 - '2a01:111:f100:2000::a83e:3019/128'
201 - '2a01:111:f100:2002::8975:2d79/128'
202 - '2a01:111:f100:2002::8975:2da8/128'
203 - '2a01:111:f100:7000::6fdd:6cd5/128'
204 - '2a01:111:f100:a004::bfeb:88cf/128'
205 DestinationPort:
206 - 80
207 - 443
208 Protocol: 'tcp'
209 filter_main_msrange_office_2:
210 # Microsoft 365 Common and Office Online
211 # "urls": [
212 # "*.auth.microsoft.com",
213 # "*.msftidentity.com",
214 # "*.msidentity.com",
215 # "account.activedirectory.windowsazure.com",
216 # "accounts.accesscontrol.windows.net",
217 # "adminwebservice.microsoftonline.com",
218 # "api.passwordreset.microsoftonline.com",
219 # "autologon.microsoftazuread-sso.com",
220 # "becws.microsoftonline.com",
221 # "ccs.login.microsoftonline.com",
222 # "clientconfig.microsoftonline-p.net",
223 # "companymanager.microsoftonline.com",
224 # "device.login.microsoftonline.com",
225 # "graph.microsoft.com",
226 # "graph.windows.net",
227 # "login-us.microsoftonline.com",
228 # "login.microsoft.com",
229 # "login.microsoftonline-p.com",
230 # "login.microsoftonline.com",
231 # "login.windows.net",
232 # "logincert.microsoftonline.com",
233 # "loginex.microsoftonline.com",
234 # "nexus.microsoftonline-p.com",
235 # "passwordreset.microsoftonline.com",
236 # "provisioningapi.microsoftonline.com"
237 # ]
238 DestinationIp|cidr:
239 - '20.20.32.0/19'
240 - '20.190.128.0/18'
241 - '20.231.128.0/19'
242 - '40.126.0.0/18'
243 - '2603:1006:2000::/48'
244 - '2603:1007:200::/48'
245 - '2603:1016:1400::/48'
246 - '2603:1017::/48'
247 - '2603:1026:3000::/48'
248 - '2603:1027:1::/48'
249 - '2603:1036:3000::/48'
250 - '2603:1037:1::/48'
251 - '2603:1046:2000::/48'
252 - '2603:1047:1::/48'
253 - '2603:1056:2000::/48'
254 - '2603:1057:2::/48'
255 DestinationPort:
256 - 80
257 - 443
258 Protocol: 'tcp'
259 filter_main_msrange_office_3:
260 # Microsoft 365 Common and Office Online
261 # "urls": [
262 # "*.compliance.microsoft.com",
263 # "*.protection.office.com",
264 # "*.security.microsoft.com",
265 # "compliance.microsoft.com",
266 # "defender.microsoft.com",
267 # "protection.office.com",
268 # "security.microsoft.com"
269 # ]
270 DestinationIp|cidr:
271 - '13.107.6.192/32'
272 - '13.107.9.192/32'
273 - '52.108.0.0/14'
274 - '2620:1ec:4::192/128'
275 - '2620:1ec:a92::192/128'
276 DestinationPort: 443
277 Protocol: 'tcp'
278 condition: selection and not 1 of filter_main_*
279falsepositives:
280 - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
281 - Office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com" may have to be tuned.
282 - It is highly recommended to baseline your activity and tune out common business use cases.
283level: medium
References
Related rules
- Antivirus Exploitation Framework Detection
- Audit CVE Event
- CVE-2021-26858 Exchange Exploitation
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
- Download From Suspicious TLD - Blacklist