LoFP LoFP / it is highly recommended to baseline your activity and tune out common business use cases.

Techniques

Sample rules

Office Application Initiated Network Connection To Non-Local IP

Description

Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses. This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292. This rule will require an initial baseline and tuning that is specific to your organization.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_local_ranges:
  DestinationIp|cidr:
  - 127.0.0.0/8
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 169.254.0.0/16
  - ::1/128
  - fe80::/10
  - fc00::/7
filter_main_msrange_exchange_1:
  DestinationIp|cidr:
  - 13.107.6.152/31
  - 13.107.18.10/31
  - 13.107.128.0/22
  - 23.103.160.0/20
  - 40.96.0.0/13
  - 40.104.0.0/15
  - 52.96.0.0/14
  - 131.253.33.215/32
  - 132.245.0.0/16
  - 150.171.32.0/22
  - 204.79.197.215/32
  - 2603:1006::/40
  - 2603:1016::/36
  - 2603:1026::/36
  - 2603:1036::/36
  - 2603:1046::/36
  - 2603:1056::/36
  - 2620:1ec:4::152/128
  - 2620:1ec:4::153/128
  - 2620:1ec:c::10/128
  - 2620:1ec:c::11/128
  - 2620:1ec:d::10/128
  - 2620:1ec:d::11/128
  - 2620:1ec:8f0::/46
  - 2620:1ec:900::/46
  - 2620:1ec:a92::152/128
  - 2620:1ec:a92::153/128
  DestinationPort:
  - 80
  - 443
filter_main_msrange_exchange_2:
  DestinationIp|cidr:
  - 13.107.6.152/31
  - 13.107.18.10/31
  - 13.107.128.0/22
  - 23.103.160.0/20
  - 40.96.0.0/13
  - 40.104.0.0/15
  - 52.96.0.0/14
  - 131.253.33.215/32
  - 132.245.0.0/16
  - 150.171.32.0/22
  - 204.79.197.215/32
  - 2603:1006::/40
  - 2603:1016::/36
  - 2603:1026::/36
  - 2603:1036::/36
  - 2603:1046::/36
  - 2603:1056::/36
  - 2620:1ec:4::152/128
  - 2620:1ec:4::153/128
  - 2620:1ec:c::10/128
  - 2620:1ec:c::11/128
  - 2620:1ec:d::10/128
  - 2620:1ec:d::11/128
  - 2620:1ec:8f0::/46
  - 2620:1ec:900::/46
  - 2620:1ec:a92::152/128
  - 2620:1ec:a92::153/128
  DestinationPort:
  - 143
  - 587
  - 993
  - 995
  Protocol: tcp
filter_main_msrange_exchange_3:
  DestinationIp|cidr:
  - 40.92.0.0/15
  - 40.107.0.0/16
  - 52.100.0.0/14
  - 52.238.78.88/32
  - 104.47.0.0/17
  - 2a01:111:f400::/48
  - 2a01:111:f403::/48
  DestinationPort: 443
filter_main_msrange_exchange_4:
  DestinationIp|cidr:
  - 40.92.0.0/15
  - 40.107.0.0/16
  - 52.100.0.0/14
  - 52.238.78.88/32
  - 104.47.0.0/17
  - 2a01:111:f400::/48
  - 2a01:111:f403::/48
  DestinationPort: 25
filter_main_msrange_generic:
  DestinationIp|cidr:
  - 20.184.0.0/13
  - 20.192.0.0/10
  - 23.72.0.0/13
  - 40.76.0.0/14
  - 51.10.0.0/15
  - 51.103.0.0/16
  - 51.104.0.0/15
  - 51.142.136.0/22
  - 52.160.0.0/11
  - 204.79.197.0/24
filter_main_msrange_office_1:
  DestinationIp|cidr:
  - 13.107.6.171/32
  - 13.107.18.15/32
  - 13.107.140.6/32
  - 52.108.0.0/14
  - 52.244.37.168/32
  - 2603:1006:1400::/40
  - 2603:1016:2400::/40
  - 2603:1026:2400::/40
  - 2603:1036:2400::/40
  - 2603:1046:1400::/40
  - 2603:1056:1400::/40
  - 2603:1063:2000::/38
  - 2620:1ec:c::15/128
  - 2620:1ec:8fc::6/128
  - 2620:1ec:a92::171/128
  - 2a01:111:f100:2000::a83e:3019/128
  - 2a01:111:f100:2002::8975:2d79/128
  - 2a01:111:f100:2002::8975:2da8/128
  - 2a01:111:f100:7000::6fdd:6cd5/128
  - 2a01:111:f100:a004::bfeb:88cf/128
  DestinationPort:
  - 80
  - 443
  Protocol: tcp
filter_main_msrange_office_2:
  DestinationIp|cidr:
  - 20.20.32.0/19
  - 20.190.128.0/18
  - 20.231.128.0/19
  - 40.126.0.0/18
  - 2603:1006:2000::/48
  - 2603:1007:200::/48
  - 2603:1016:1400::/48
  - 2603:1017::/48
  - 2603:1026:3000::/48
  - 2603:1027:1::/48
  - 2603:1036:3000::/48
  - 2603:1037:1::/48
  - 2603:1046:2000::/48
  - 2603:1047:1::/48
  - 2603:1056:2000::/48
  - 2603:1057:2::/48
  DestinationPort:
  - 80
  - 443
  Protocol: tcp
filter_main_msrange_office_3:
  DestinationIp|cidr:
  - 13.107.6.192/32
  - 13.107.9.192/32
  - 52.108.0.0/14
  - 2620:1ec:4::192/128
  - 2620:1ec:a92::192/128
  DestinationPort: 443
  Protocol: tcp
filter_main_msrange_sharepoint_1:
  DestinationIp|cidr:
  - 13.107.136.0/22
  - 40.108.128.0/17
  - 52.104.0.0/14
  - 104.146.128.0/17
  - 150.171.40.0/22
  - 2603:1061:1300::/40
  - 2620:1ec:8f8::/46
  - 2620:1ec:908::/46
  - 2a01:111:f402::/48
  DestinationPort:
  - 80
  - 443
  Protocol: tcp
selection:
  Image|endswith:
  - \excel.exe
  - \outlook.exe
  - \powerpnt.exe
  - \winword.exe
  - \wordview.exe
  Initiated: 'true'