Office Application Initiated Network Connection Over Uncommon Ports
Detects an office suite application (Word, Excel, PowerPoint, Outlook) initiating a network connection to target systems over uncommon ports.
Sigma rule
title: Office Application Initiated Network Connection Over Uncommon Ports
id: 3b5ba899-9842-4bc2-acc2-12308498bf42
status: test
description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-12
modified: 2025-10-17
tags:
    - attack.defense-evasion
    - attack.command-and-control
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\excel.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wordview.exe'
    filter_main_common_ports:
        DestinationPort:
            - 53 # DNS
            - 80 # HTTP
            - 139 # NETBIOS
            - 389 # LDAP
            - 443 # HTTPS
            - 445 # SMB
            - 3268 # MSFT-GC
    filter_main_outlook_ports:
        Image|contains: ':\Program Files\Microsoft Office\'
        Image|endswith: '\OUTLOOK.EXE'
        DestinationPort:
            - 143 # IMAP
            - 465 # SMTP
            - 587 # SMTP
            - 993 # IMAP
            - 995 # POP3
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Other ports can be used, apply additional filters accordingly
level: medium
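To make the rule's logic concrete, here is an added Python re-implementation of its selection, filters and condition run over constructed network_connection events; this is example code, not part of the Sigma project or the rule's authors' work, and the sample image paths and ports are made up for illustration.

```python
# Added example: minimal re-implementation of this Sigma rule's matching logic.
# Event dicts are constructed samples shaped like Sigma "network_connection"
# fields (Image, Initiated, DestinationPort); they are not real telemetry.
from typing import Any, Dict, List

OFFICE_IMAGES = ('\\excel.exe', '\\outlook.exe', '\\powerpnt.exe',
                 '\\winword.exe', '\\wordview.exe')
COMMON_PORTS = {53, 80, 139, 389, 443, 445, 3268}      # filter_main_common_ports
OUTLOOK_PORTS = {143, 465, 587, 993, 995}             # filter_main_outlook_ports
OUTLOOK_PATH = ':\\program files\\microsoft office\\'  # Image|contains (lower-cased)

def selection(ev: Dict[str, Any]) -> bool:
    # Sigma string matching (endswith/contains) is case-insensitive by default.
    image = str(ev.get('Image', '')).lower()
    return str(ev.get('Initiated', '')).lower() == 'true' and image.endswith(OFFICE_IMAGES)

def filter_main_common_ports(ev: Dict[str, Any]) -> bool:
    return int(ev.get('DestinationPort', -1)) in COMMON_PORTS

def filter_main_outlook_ports(ev: Dict[str, Any]) -> bool:
    # All keys inside one Sigma selection map are ANDed: the mail ports are only
    # excused for an OUTLOOK.EXE living under the Office install path.
    image = str(ev.get('Image', '')).lower()
    return (OUTLOOK_PATH in image and image.endswith('\\outlook.exe')
            and int(ev.get('DestinationPort', -1)) in OUTLOOK_PORTS)

def matches(ev: Dict[str, Any]) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(ev) and not (filter_main_common_ports(ev) or filter_main_outlook_ports(ev))

def alerting_events(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [ev for ev in events if matches(ev)]

OFFICE = 'C:\\Program Files\\Microsoft Office\\root\\Office16\\'  # constructed path
SAMPLE_EVENTS = [
    {'Image': OFFICE + 'WINWORD.EXE', 'Initiated': 'true', 'DestinationPort': 443},   # HTTPS: filtered
    {'Image': OFFICE + 'WINWORD.EXE', 'Initiated': 'true', 'DestinationPort': 4444},  # uncommon: alert
    {'Image': OFFICE + 'OUTLOOK.EXE', 'Initiated': 'true', 'DestinationPort': 993},   # IMAPS from Office path: filtered
    {'Image': 'C:\\Users\\Public\\outlook.exe', 'Initiated': 'true', 'DestinationPort': 993},  # wrong path: alert
    {'Image': 'C:\\Windows\\System32\\svchost.exe', 'Initiated': 'true', 'DestinationPort': 8080},  # not Office
    {'Image': OFFICE + 'EXCEL.EXE', 'Initiated': 'false', 'DestinationPort': 8080},  # inbound: not selected
]

if __name__ == '__main__':
    for ev in alerting_events(SAMPLE_EVENTS):
        print(f"ALERT: {ev['Image']} -> port {ev['DestinationPort']}")
```

Running it flags only the Word connection to port 4444 and the Outlook-named binary outside the Office install path, which is the behaviour the two filters are meant to produce.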
Related rules
- Curl Download And Execute Combination
- Insensitive Subfolder Search Via Findstr.EXE
- Remote File Download Via Findstr.EXE
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- Potentially Suspicious Rundll32.EXE Execution of UDL File