Office Application Initiated Network Connection To Non-Local IP
- source: sigma
- techniques:
  - t1203
Description
Detects an Office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to that seen in exploitation of CVE-2021-42292. Because legitimate Office traffic (licensing, updates, cloud storage) also matches, this rule requires an initial baseline and tuning specific to your organization.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_local_ranges:
  DestinationIp|cidr:
    - 127.0.0.0/8
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - 169.254.0.0/16
    - ::1/128
    - fe80::/10
    - fc00::/7
filter_main_msrange:
  DestinationIp|cidr:
    - 20.184.0.0/13
    - 20.192.0.0/10
    - 23.72.0.0/13
    - 51.10.0.0/15
    - 51.103.0.0/16
    - 51.104.0.0/15
    - 204.79.197.0/24
selection:
  Image|endswith:
    - \excel.exe
    - \powerpnt.exe
    - \winword.exe
    - \wordview.exe
  Initiated: 'true'
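The following is an added example, not part of the rule above or of the Sigma project, that evaluates the same detection logic in Python over a handful of constructed Sysmon network-connection events (Event ID 3 uses the field names Image, DestinationIp and Initiated that the rule references). It assumes Sigma's default behaviour that string modifiers such as endswith compare case-insensitively, and that the CIDR filters are only compared against addresses of the same IP version. The sample events and their destination addresses are constructed for illustration; the public addresses are from the RFC 5737 documentation ranges.

```python
import ipaddress

# Private / loopback / link-local ranges from filter_main_local_ranges
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Microsoft service ranges from filter_main_msrange
MS_RANGES = [ipaddress.ip_network(c) for c in (
    "20.184.0.0/13", "20.192.0.0/10", "23.72.0.0/13", "51.10.0.0/15",
    "51.103.0.0/16", "51.104.0.0/15", "204.79.197.0/24",
)]

# Image|endswith values from the selection (compared lower-cased)
OFFICE_IMAGES = ("\\excel.exe", "\\powerpnt.exe", "\\winword.exe", "\\wordview.exe")


def in_any_range(ip_text, networks):
    """DestinationIp|cidr: true if the address falls in any listed network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # Unparseable destination (e.g. empty field) never satisfies a filter,
        # so the event is not silently suppressed.
        return False
    return any(ip in net for net in networks if net.version == ip.version)


def selection(event):
    """The rule's 'selection' block: outbound connection by an Office binary."""
    image = str(event.get("Image", "")).lower()
    initiated = str(event.get("Initiated", "")).lower()
    return image.endswith(OFFICE_IMAGES) and initiated == "true"


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    if not selection(event):
        return False
    dst = event.get("DestinationIp", "")
    if in_any_range(dst, LOCAL_RANGES) or in_any_range(dst, MS_RANGES):
        return False
    return True


# Constructed Sysmon Event ID 3 records (assumption: field names as in Sysmon)
SAMPLE_EVENTS = [
    {"id": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "DestinationIp": "192.168.1.10", "Initiated": "true"},      # private: filtered
    {"id": 2, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "DestinationIp": "20.190.160.5", "Initiated": "true"},      # inside 20.184.0.0/13: filtered
    {"id": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "DestinationIp": "203.0.113.45", "Initiated": "true"},      # non-local, non-MS: alert
    {"id": 4, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationIp": "203.0.113.45", "Initiated": "true"},      # not an Office image
    {"id": 5, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE",
     "DestinationIp": "198.51.100.7", "Initiated": "false"},     # inbound: not selected
    {"id": 6, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WORDVIEW.EXE",
     "DestinationIp": "fe80::1", "Initiated": "true"},           # IPv6 link-local: filtered
    {"id": 7, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE",
     "DestinationIp": "198.51.100.7", "Initiated": True},        # boolean form still selects: alert
]


def matching_event_ids(events):
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], "ALERT" if rule_matches(event) else "-", event["DestinationIp"])
```

Events 3 and 7 are the only ones that survive both the selection and the two filter blocks; the rest show the three ways an event drops out (wrong image, inbound connection, or a destination inside a filtered range). When tuning in production, additional organization-specific ranges would be appended to the filter lists in the same way rather than by loosening the selection.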