Office Application Initiated Network Connection To Non-Local IP

Detects an Office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. The rule aims to detect traffic similar to that observed in exploitation of CVE-2021-42292. It requires an initial baseline and tuning specific to your organization.

Sigma rule (View on GitHub)

```yaml
title: Office Application Initiated Network Connection To Non-Local IP
id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
status: test
description: |
    Detects an office application (Word, Excel, PowerPoint)  that initiate a network connection to a non-private IP addresses.
    This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
    This rule will require an initial baseline and tuning that is specific to your organization.
references:
    - https://corelight.com/blog/detecting-cve-2021-42292
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton
date: 2021/11/10
modified: 2024/01/31
tags:
    - attack.execution
    - attack.t1203
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wordview.exe'
        Initiated: 'true'
    filter_main_ipv4:
        DestinationIp|startswith:
            - '10.'
            - '192.168.'
            - '172.16.'
            - '172.17.'
            - '172.18.'
            - '172.19.'
            - '172.20.'
            - '172.21.'
            - '172.22.'
            - '172.23.'
            - '172.24.'
            - '172.25.'
            - '172.26.'
            - '172.27.'
            - '172.28.'
            - '172.29.'
            - '172.30.'
            - '172.31.'
            - '127.0.0.1'
    filter_main_ipv6:
        DestinationIp|startswith:
            - '::1'  # IPv6 loopback variant
            - '0:0:0:0:0:0:0:1'  # IPv6 loopback variant
            - 'fe80:'  # link-local address
            - 'fc'  # private address range fc00::/7
            - 'fd'  # private address range fc00::/7
    filter_main_msrange:
        DestinationIp|startswith:
            - '20.184.'
            - '20.185.'
            - '20.186.'
            - '20.187.'
            - '20.188.'
            - '20.189.'
            - '20.190.'
            - '20.191.'
            - '20.223.'
            - '23.79.'
            - '51.10.'
            - '51.103.'
            - '51.104.'
            - '51.105.'
            - '52.239.'
            - '204.79.197'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
    - Office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com" may have to be tuned.
    - It is highly recommended to baseline your activity and tune out common business use cases.
level: medium
```
