Office Application Initiated Network Connection Over Uncommon Ports
Detects an office suite application (Word, Excel, PowerPoint, Outlook) initiating a network connection to a target system over an uncommon destination port.
Sigma rule
title: Office Application Initiated Network Connection Over Uncommon Ports
id: 3b5ba899-9842-4bc2-acc2-12308498bf42
status: experimental
description: Detects an office suite application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior (Nextron Systems)
date: 2023/07/12
modified: 2024/01/31
tags:
    - attack.defense_evasion
    - attack.command_and_control
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\excel.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wordview.exe'
    filter_main_common_ports:
        DestinationPort:
            - 53 # DNS
            - 80 # HTTP
            - 139 # NetBIOS session service
            - 443 # HTTPS
            - 445 # SMB
    filter_main_outlook_ports:
        Image|contains: ':\Program Files\Microsoft Office\'
        Image|endswith: '\OUTLOOK.EXE'
        DestinationPort:
            - 465 # SMTP over TLS (SMTPS)
            - 587 # SMTP submission
            - 993 # IMAP over TLS (IMAPS)
            - 995 # POP3 over TLS (POP3S)
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Other ports can be used, apply additional filters accordingly
level: medium
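To make the rule's matching logic concrete, the following is an added Python example (not Sigma project code) that evaluates the selection, the two filters and the `selection and not 1 of filter_main_*` condition over constructed Sysmon Event ID 3 style records. Field names follow the Sigma Windows `network_connection` log source; the sample events and their paths are constructed, not real telemetry.

```python
# Added example: emulate this rule's detection logic over constructed
# network_connection events. Not part of the Sigma project's tooling.

OFFICE_IMAGES = ('\\excel.exe', '\\outlook.exe', '\\powerpnt.exe',
                 '\\winword.exe', '\\wordview.exe')
COMMON_PORTS = {53, 80, 139, 443, 445}        # filter_main_common_ports
OUTLOOK_MAIL_PORTS = {465, 587, 993, 995}     # filter_main_outlook_ports


def selection(ev):
    # Sigma string modifiers (endswith/contains) match case-insensitively,
    # so the image path is lower-cased before comparison.
    image = ev.get("Image", "").lower()
    return ev.get("Initiated") == "true" and image.endswith(OFFICE_IMAGES)


def filter_common_ports(ev):
    return int(ev.get("DestinationPort", -1)) in COMMON_PORTS


def filter_outlook_ports(ev):
    # Only Outlook running from the Office install path is excused for
    # mail ports; an outlook.exe elsewhere on disk stays in scope.
    image = ev.get("Image", "").lower()
    return (':\\program files\\microsoft office\\' in image
            and image.endswith('\\outlook.exe')
            and int(ev.get("DestinationPort", -1)) in OUTLOOK_MAIL_PORTS)


def matches(ev):
    # condition: selection and not 1 of filter_main_*
    return selection(ev) and not (filter_common_ports(ev) or filter_outlook_ports(ev))


# Constructed sample events (documentation IP ranges, not real hosts).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"Image": OFFICE + r"\WINWORD.EXE", "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"Image": OFFICE + r"\WINWORD.EXE", "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "8443"},
    {"Image": OFFICE + r"\OUTLOOK.EXE", "Initiated": "true", "DestinationIp": "198.51.100.5", "DestinationPort": "993"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\outlook.exe", "Initiated": "true", "DestinationIp": "198.51.100.5", "DestinationPort": "993"},
    {"Image": OFFICE + r"\EXCEL.EXE", "Initiated": "false", "DestinationIp": "192.0.2.7", "DestinationPort": "4444"},
]


def alerts(events):
    # Return (image, port) for every event the rule would flag.
    return [(e["Image"], e["DestinationPort"]) for e in events if matches(e)]


if __name__ == "__main__":
    for image, port in alerts(SAMPLE_EVENTS):
        print(f"ALERT: {image} -> destination port {port}")
```

Of the five constructed events, only the Word connection to 8443 and the Outlook copy running from a Temp directory on 993 match; the HTTPS and Office-path IMAPS connections are excused by the filters, and the inbound Excel event fails the `Initiated` check.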
Related rules
- Network Connection Initiated Via Notepad.EXE
- Suspicious Wordpad Outbound Connections
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- OilRig APT Schedule Task Persistence - System
- Bitsadmin to Uncommon IP Server Address