Office Application Initiated Network Connection Over Uncommon Ports
Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
Sigma rule (View on GitHub)
1title: Office Application Initiated Network Connection Over Uncommon Ports
2id: 3b5ba899-9842-4bc2-acc2-12308498bf42
3status: experimental
4description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
5references:
6 - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
7author: X__Junior (Nextron Systems)
8date: 2023/07/12
9modified: 2024/01/31
10tags:
11 - attack.defense_evasion
12 - attack.command_and_control
13logsource:
14 category: network_connection
15 product: windows
16detection:
17 selection:
18 Initiated: 'true'
19 Image|endswith:
20 - '\excel.exe'
21 - '\outlook.exe'
22 - '\powerpnt.exe'
23 - '\winword.exe'
24 - '\wordview.exe'
25 filter_main_common_ports:
26 DestinationPort:
27 - 53 # DNS
28 - 80 # HTTP
29 - 139 # NETBIOS
30 - 443 # HTTPS
31 - 445 # SMB
32 filter_main_outlook_ports:
33 Image|contains: ':\Program Files\Microsoft Office\'
34 Image|endswith: '\OUTLOOK.EXE'
35 DestinationPort:
36 - 465 # SMTP
37 - 587 # SMTP
38 - 993 # IMAP
39 - 995 # POP3
40 condition: selection and not 1 of filter_main_*
41falsepositives:
42 - Other ports can be used, apply additional filters accordingly
43level: medium
References
-
The BlackBerry Threat Research and Intelligence team has uncovered malicious lures targeting guests of the upcoming NATO Summit who may be providing support to Ukraine. Our analysis leads us to believe that that the threat actor known as RomCom is likely behind this operation.
Read More
Related rules
- Network Connection Initiated Via Notepad.EXE
- Suspicious Wordpad Outbound Connections
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- OilRig APT Schedule Task Persistence - System
- Bitsadmin to Uncommon IP Server Address