LoFP / it is highly recommended to baseline your activity and tune out common business use cases.

Techniques

Sample rules

Office Application Initiated Network Connection To Non-Local IP

Description

Detects an office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to that seen in exploitation of CVE-2021-42292. This rule will require an initial baseline and tuning that is specific to your organization.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_local_ranges:
  DestinationIp|cidr:
  - 127.0.0.0/8
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 169.254.0.0/16
  - ::1/128
  - fe80::/10
  - fc00::/7
filter_main_msrange:
  DestinationIp|cidr:
  - 20.184.0.0/13
  - 20.192.0.0/10
  - 23.72.0.0/13
  - 51.10.0.0/15
  - 51.103.0.0/16
  - 51.104.0.0/15
  - 204.79.197.0/24
selection:
  Image|endswith:
  - \excel.exe
  - \powerpnt.exe
  - \winword.exe
  - \wordview.exe
  Initiated: 'true'
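To see how the selection and the two filter lists interact, here is the rule's logic re-implemented over constructed Sysmon Event ID 3 records (an added example, not code from LoFP or the Sigma project; field names follow Sysmon's network-connection event, and the sample events and IPs are made up from documentation ranges):

```python
import ipaddress

# Values copied from the rule above: selection images, local ranges, Microsoft ranges.
OFFICE_IMAGES = ("\\excel.exe", "\\powerpnt.exe", "\\winword.exe", "\\wordview.exe")
LOCAL_RANGES = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7"]
MS_RANGES = ["20.184.0.0/13", "20.192.0.0/10", "23.72.0.0/13", "51.10.0.0/15",
             "51.103.0.0/16", "51.104.0.0/15", "204.79.197.0/24"]
# "1 of filter_main_*" means a hit in any filter list suppresses the event.
FILTER_NETS = [ipaddress.ip_network(c) for c in LOCAL_RANGES + MS_RANGES]


def in_filter(dst: str) -> bool:
    """True if DestinationIp falls in any filter_main_* CIDR (v4 or v6)."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return False  # unparsable destination is not filtered out
    # 'in' returns False when address and network versions differ, so v4/v6 lists can be mixed.
    return any(ip in net for net in FILTER_NETS)


def matches(event: dict) -> bool:
    """Sigma: selection and not 1 of filter_main_* (endswith is case-insensitive)."""
    image = str(event.get("Image", "")).lower()
    initiated = str(event.get("Initiated", "")).lower() == "true"
    selected = image.endswith(OFFICE_IMAGES) and initiated
    return selected and not in_filter(str(event.get("DestinationIp", "")))


def alerts(events: list) -> list:
    """Return the DestinationIp of every event the rule would fire on."""
    return [e["DestinationIp"] for e in events if matches(e)]


# Constructed sample events (hypothetical hosts, documentation IP ranges).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationIp": "203.0.113.10", "Initiated": "true"},      # alert: non-local, not MS
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "DestinationIp": "192.168.1.20", "Initiated": "true"},      # filtered: RFC1918
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "DestinationIp": "20.190.151.7", "Initiated": "true"},      # filtered: 20.184.0.0/13
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationIp": "2001:db8::1", "Initiated": "true"},       # alert: public v6
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "Initiated": "true"},      # not an office image
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationIp": "203.0.113.10", "Initiated": "false"},     # inbound, not initiated
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```

Baselining in practice means appending your organisation's known-good destinations (update CDNs, proxies, SaaS ranges) to the filter lists rather than loosening the selection.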