Office Application Initiated Network Connection To Non-Local IP

Detects an Office application (Word, Excel, PowerPoint) that initiates an outbound network connection to a non-private IP address. The rule aims to detect traffic similar to that seen during exploitation of CVE-2021-42292. It runs over Windows network connection telemetry (in practice Sysmon Event ID 3, whose Image, Initiated and DestinationIp fields the rule references) and suppresses connections to loopback, link-local, RFC 1918 and IPv6 ULA ranges plus a handful of Microsoft and Akamai CIDR blocks. Those CIDR exclusions cut noise from Office's own cloud traffic, but they also hide any connection to infrastructure an attacker hosts inside the excluded ranges, so treat them as tuning rather than as a safety boundary. This rule will require an initial baseline and tuning that is specific to your organization.

Sigma rule

title: Office Application Initiated Network Connection To Non-Local IP
id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
status: test
description: |
    Detects an office application (Word, Excel, PowerPoint)  that initiate a network connection to a non-private IP addresses.
    This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
    This rule will require an initial baseline and tuning that is specific to your organization.
references:
    - https://corelight.com/blog/detecting-cve-2021-42292
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton
date: 2021/11/10
modified: 2024/03/13
tags:
    - attack.execution
    - attack.t1203
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wordview.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_main_msrange:
        DestinationIp|cidr:
            - '20.184.0.0/13' # Microsoft Corporation
            - '20.192.0.0/10' # Microsoft Corporation
            - '23.72.0.0/13'  # Akamai International B.V.
            - '51.10.0.0/15'  # Microsoft Corporation
            - '51.103.0.0/16' # Microsoft Corporation
            - '51.104.0.0/15' # Microsoft Corporation
            - '204.79.197.0/24' # Microsoft Corporation
    condition: selection and not 1 of filter_main_*
falsepositives:
    - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
    - Office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com" may have to be tuned.
    - It is highly recommended to baseline your activity and tune out common business use cases.
level: medium
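To see exactly which events the condition `selection and not 1 of filter_main_*` keeps, here is the rule's logic re-implemented in Python and run over a handful of constructed Sysmon Event ID 3 records. This is an added example, not the SigmaHQ rule itself or the output of any Sigma backend; the `matches_rule` and `run_rule` functions and the sample events are assumptions for illustration. It mirrors Sigma's case-insensitive string matching and uses Python's `ipaddress` module for the `cidr` modifier. One step goes beyond the rule as written: IPv4-mapped IPv6 destinations (`::ffff:a.b.c.d`) are unwrapped so the IPv4 exclusions still apply to them.

```python
"""Re-implementation of the Sigma rule above (example code, not the SigmaHQ rule
or a Sigma backend), evaluated over constructed Sysmon Event ID 3 records."""
import ipaddress

# selection: Image|endswith (Sigma matches strings case-insensitively) and Initiated == 'true'
OFFICE_IMAGES = ("\\excel.exe", "\\powerpnt.exe", "\\winword.exe", "\\wordview.exe")

# filter_main_local_ranges and filter_main_msrange, copied from the rule
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]
MS_RANGES = [ipaddress.ip_network(c) for c in (
    "20.184.0.0/13", "20.192.0.0/10", "23.72.0.0/13", "51.10.0.0/15",
    "51.103.0.0/16", "51.104.0.0/15", "204.79.197.0/24",
)]


def parse_ip(value):
    """Parse DestinationIp. Unwrapping IPv4-mapped IPv6 addresses is an addition
    to the rule's own logic so '::ffff:10.1.1.1' is still treated as private."""
    ip = ipaddress.ip_address(value)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def in_ranges(ip, ranges):
    # An IPv4 address tested against an IPv6 network (or vice versa) is simply False.
    return any(ip in net for net in ranges)


def matches_rule(event):
    """True when 'selection and not 1 of filter_main_*' holds for one event."""
    image = str(event.get("Image", "")).lower()
    if not image.endswith(OFFICE_IMAGES):
        return False
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    try:
        ip = parse_ip(event.get("DestinationIp", ""))
    except ValueError:
        # A CIDR filter cannot match an unparseable value, so the exclusion does
        # not apply and the event surfaces for analyst review.
        return True
    return not (in_ranges(ip, LOCAL_RANGES) or in_ranges(ip, MS_RANGES))


def run_rule(events):
    """Return the ids of the events that fire the rule, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 3.
SAMPLE_EVENTS = [
    {"id": 1, "Image": OFFICE + "EXCEL.EXE", "Initiated": "true",
     "DestinationIp": "203.0.113.10"},       # public address: fires
    {"id": 2, "Image": OFFICE + "WINWORD.EXE", "Initiated": "true",
     "DestinationIp": "10.20.30.40"},        # RFC 1918: excluded
    {"id": 3, "Image": OFFICE + "POWERPNT.EXE", "Initiated": "true",
     "DestinationIp": "20.190.160.5"},       # inside 20.184.0.0/13: excluded
    {"id": 4, "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10"},       # not an Office image: no match
    {"id": 5, "Image": OFFICE + "EXCEL.EXE", "Initiated": "false",
     "DestinationIp": "203.0.113.10"},       # inbound connection: no match
    {"id": 6, "Image": OFFICE + "EXCEL.EXE", "Initiated": "true",
     "DestinationIp": "2001:db8::1"},        # public IPv6: fires
    {"id": 7, "Image": OFFICE + "WINWORD.EXE", "Initiated": "true",
     "DestinationIp": "::ffff:192.168.1.9"}, # IPv4-mapped private: excluded after unwrap
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # [1, 6]
```

Events 2 and 3 show the two sides of the tuning trade-off from the description: the private-range exclusion is what you want, while the Microsoft-range exclusion silently drops any destination inside 20.184.0.0/13 regardless of who operates that host.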
