Office Application Initiated Network Connection Over Uncommon Ports
Detects an office suite application (Word, Excel, PowerPoint, Outlook) initiating a network connection to a destination over an uncommon port.
Sigma rule

title: Office Application Initiated Network Connection Over Uncommon Ports
id: 3b5ba899-9842-4bc2-acc2-12308498bf42
status: experimental
description: Detects an office suite application (Word, Excel, PowerPoint, Outlook) initiating a network connection to a destination over an uncommon port.
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-12
modified: 2024-07-02
tags:
    - attack.defense-evasion
    - attack.command-and-control
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\excel.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wordview.exe'
    filter_main_common_ports:
        DestinationPort:
            - 53 # DNS
            - 80 # HTTP
            - 139 # NETBIOS
            - 443 # HTTPS
            - 445 # SMB
    filter_main_outlook_ports:
        # Only Outlook launched from the default install path is exempted on mail ports
        Image|contains: ':\Program Files\Microsoft Office\'
        Image|endswith: '\OUTLOOK.EXE'
        DestinationPort:
            - 143 # IMAP
            - 465 # SMTP over TLS
            - 587 # SMTP submission
            - 993 # IMAP over TLS
            - 995 # POP3 over TLS
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Other ports can be used, apply additional filters accordingly
level: medium
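The following is an added example, not part of the SigmaHQ rule or its tooling: a plain-Python re-implementation of the rule's selection, both filters and the `selection and not 1 of filter_main_*` condition, run over a handful of constructed Sysmon Event ID 3 (network connection) records. The records, their `id` labels and the destination addresses are made up for the demonstration; the field names (`Initiated`, `Image`, `DestinationPort`) are the Sysmon fields the rule's logsource maps to. Sigma string modifiers such as `endswith` and `contains` match case-insensitively, which is why the code lower-cases `Image` before comparing.

```python
"""Re-implementation of the rule logic over constructed Sysmon EID 3 events.

Added example for this page; it is not the SigmaHQ rule, pySigma, or any
backend's output. Sample events below are constructed, not real telemetry.
"""

from typing import Iterable, List, Optional

# Literal values copied from the rule above.
OFFICE_IMAGES = ("\\excel.exe", "\\outlook.exe", "\\powerpnt.exe",
                 "\\winword.exe", "\\wordview.exe")
COMMON_PORTS = {53, 80, 139, 443, 445}             # filter_main_common_ports
OUTLOOK_MAIL_PORTS = {143, 465, 587, 993, 995}     # filter_main_outlook_ports
OUTLOOK_PATH_FRAGMENT = ":\\program files\\microsoft office\\"  # lower-cased


def _port(event: dict) -> Optional[int]:
    # Sysmon XML carries DestinationPort as a string; normalise to int so the
    # comparison does not silently fail on "8080" vs 8080.
    try:
        return int(event.get("DestinationPort"))
    except (TypeError, ValueError):
        return None


def selection(event: dict) -> bool:
    # Initiated: 'true'  and  Image|endswith one of the office binaries
    image = str(event.get("Image", "")).lower()
    initiated = str(event.get("Initiated", "")).lower() == "true"
    return initiated and image.endswith(OFFICE_IMAGES)


def filter_main_common_ports(event: dict) -> bool:
    return _port(event) in COMMON_PORTS


def filter_main_outlook_ports(event: dict) -> bool:
    # All three conditions must hold: default install path, outlook.exe, mail port.
    image = str(event.get("Image", "")).lower()
    return (OUTLOOK_PATH_FRAGMENT in image
            and image.endswith("\\outlook.exe")
            and _port(event) in OUTLOOK_MAIL_PORTS)


def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not (filter_main_common_ports(event)
                                     or filter_main_outlook_ports(event))


def run(events: Iterable[dict]) -> List[str]:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events (ids, hosts and addresses are made up).
SAMPLE_EVENTS = [
    {"id": "word-8080", "EventID": 3, "Initiated": "true",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationIp": "203.0.113.10", "DestinationPort": "8080"},
    {"id": "excel-443", "EventID": 3, "Initiated": "true",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "DestinationIp": "203.0.113.11", "DestinationPort": "443"},
    {"id": "outlook-993-programfiles", "EventID": 3, "Initiated": "true",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.12", "DestinationPort": "993"},
    {"id": "outlook-993-userprofile", "EventID": 3, "Initiated": "true",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\outlook.exe",
     "DestinationIp": "203.0.113.13", "DestinationPort": "993"},
    {"id": "outlook-587-x86", "EventID": 3, "Initiated": "true",
     "Image": r"C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.14", "DestinationPort": "587"},
    {"id": "word-8080-inbound", "EventID": 3, "Initiated": "false",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationIp": "203.0.113.15", "DestinationPort": "8080"},
    {"id": "chrome-8080", "EventID": 3, "Initiated": "true",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.16", "DestinationPort": "8080"},
    {"id": "powerpnt-4444", "EventID": 3, "Initiated": "true",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "DestinationIp": "203.0.113.17", "DestinationPort": "4444"},
]

if __name__ == "__main__":
    for event_id in run(SAMPLE_EVENTS):
        print("ALERT", event_id)
```

Two of the alerts are worth a second look before tuning. `outlook-993-userprofile` fires because the Outlook exemption is tied to the `:\Program Files\Microsoft Office\` path, so an `outlook.exe` running from a user-writable directory is treated like any other binary even on a mail port. `outlook-587-x86` fires for the same reason: a 32-bit Office install on 64-bit Windows lives under `Program Files (x86)`, which does not contain the fragment the filter checks, so its legitimate SMTP submission traffic will match the rule. If that layout exists in your estate, extend `filter_main_outlook_ports` (or add a sibling `filter_main_*` selection) rather than widening the port list.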
Related rules
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- ComRAT Network Communication
- Curl Download And Execute Combination
- Download from Suspicious Dyndns Hosts