Office Application Initiated Network Connection To Non-Local IP
Detects an office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to that seen in exploitation of CVE-2021-42292. This rule will require an initial baseline and tuning that is specific to your organization.
Sigma rule
```yaml
title: Office Application Initiated Network Connection To Non-Local IP
id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
status: test
description: |
    Detects an office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address.
    This rule aims to detect traffic similar to that seen in exploitation of CVE-2021-42292.
    This rule will require an initial baseline and tuning that is specific to your organization.
references:
    - https://corelight.com/blog/detecting-cve-2021-42292
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton
date: 2021/11/10
modified: 2024/03/13
tags:
    - attack.execution
    - attack.t1203
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wordview.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'        # IPv6 loopback
            - 'fe80::/10'      # IPv6 link-local addresses
            - 'fc00::/7'       # IPv6 private addresses
    filter_main_msrange:
        DestinationIp|cidr:
            - '20.184.0.0/13'    # Microsoft Corporation
            - '20.192.0.0/10'    # Microsoft Corporation
            - '23.72.0.0/13'     # Akamai International B.V.
            - '51.10.0.0/15'     # Microsoft Corporation
            - '51.103.0.0/16'    # Microsoft Corporation
            - '51.104.0.0/15'    # Microsoft Corporation
            - '204.79.197.0/24'  # Microsoft Corporation
    condition: selection and not 1 of filter_main_*
falsepositives:
    - You may have to tune out certain domains that Excel calls out to, such as Microsoft or other business use case domains.
    - Office documents commonly use templates that refer to external addresses, such as "sharepoint.ourcompany.com"; these may have to be tuned out.
    - It is highly recommended to baseline your activity and tune out common business use cases.
level: medium
```
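To see how the condition `selection and not 1 of filter_main_*` behaves on real-looking data, here is an added example (not part of the Sigma rule or its author's tooling) that re-implements the rule's selection and both `cidr` filters in Python and runs them over a constructed set of Windows `network_connection` events; the event field names (`Image`, `Initiated`, `DestinationIp`) and the sample events are assumptions for illustration.

```python
import ipaddress

# Lists copied from the Sigma rule above.
OFFICE_IMAGES = ('\\excel.exe', '\\powerpnt.exe', '\\winword.exe', '\\wordview.exe')
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
    '169.254.0.0/16', '::1/128', 'fe80::/10', 'fc00::/7')]
MS_RANGES = [ipaddress.ip_network(c) for c in (
    '20.184.0.0/13', '20.192.0.0/10', '23.72.0.0/13', '51.10.0.0/15',
    '51.103.0.0/16', '51.104.0.0/15', '204.79.197.0/24')]

def in_any(ip, networks):
    """Sigma's |cidr modifier: True if ip falls inside any listed network.
    Unparseable addresses are treated as not matching the filter."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in networks if n.version == addr.version)

def matches(event):
    """Evaluate 'selection and not 1 of filter_main_*' on one event.
    |endswith is case-insensitive in Sigma, so compare lower-cased paths."""
    image = str(event.get('Image', '')).lower()
    initiated = str(event.get('Initiated', '')).lower() == 'true'
    if not (image.endswith(OFFICE_IMAGES) and initiated):
        return False          # selection did not match
    dst = event.get('DestinationIp', '')
    # Any filter_main_* hit suppresses the alert.
    return not (in_any(dst, LOCAL_RANGES) or in_any(dst, MS_RANGES))

def alerts(events):
    """Return the events the rule would fire on."""
    return [e for e in events if matches(e)]

# Constructed sample events (documentation IP ranges, not real telemetry).
SAMPLE_EVENTS = [
    {'Image': r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
     'Initiated': 'true', 'DestinationIp': '203.0.113.10'},   # fires: public IPv4
    {'Image': r'C:\Program Files\Microsoft Office\root\Office16\excel.exe',
     'Initiated': 'true', 'DestinationIp': '10.1.2.3'},       # RFC1918, filtered
    {'Image': r'C:\Program Files\Microsoft Office\root\Office16\winword.exe',
     'Initiated': 'true', 'DestinationIp': '20.190.1.1'},     # in 20.184.0.0/13
    {'Image': r'C:\Windows\System32\notepad.exe',
     'Initiated': 'true', 'DestinationIp': '203.0.113.10'},   # not an Office image
    {'Image': r'C:\Program Files\Microsoft Office\root\Office16\powerpnt.exe',
     'Initiated': 'false', 'DestinationIp': '198.51.100.5'},  # inbound, not initiated
    {'Image': r'C:\Program Files\Microsoft Office\root\Office16\winword.exe',
     'Initiated': 'true', 'DestinationIp': '2001:db8::1'},    # fires: public IPv6
]

if __name__ == '__main__':
    for e in alerts(SAMPLE_EVENTS):
        print('ALERT', e['Image'], '->', e['DestinationIp'])
```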
References
- https://corelight.com/blog/detecting-cve-2021-42292
Related rules
- Equation Editor Network Connection
- Suspicious Browser Child Process - MacOS
- Download From Suspicious TLD - Whitelist
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
- CVE-2021-26858 Exchange Exploitation