LoFP / You may have to tune certain domains out that Excel may call out to, such as Microsoft or other business use case domains.

Techniques

Sample rules

Office Application Initiated Network Connection To Non-Local IP

Description

Detects an office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to that seen exploited in CVE-2021-42292. This rule will require an initial baseline and tuning that is specific to your organization.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_local_ranges:
  DestinationIp|cidr:
  - 127.0.0.0/8
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 169.254.0.0/16
  - ::1/128
  - fe80::/10
  - fc00::/7
filter_main_msrange:
  DestinationIp|cidr:
  - 20.184.0.0/13
  - 20.192.0.0/10
  - 23.72.0.0/13
  - 51.10.0.0/15
  - 51.103.0.0/16
  - 51.104.0.0/15
  - 204.79.197.0/24
selection:
  Image|endswith:
  - \excel.exe
  - \powerpnt.exe
  - \winword.exe
  - \wordview.exe
  Initiated: 'true'
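To make the selection-and-filter logic above concrete, the following is an added example (not part of the LoFP page, the rule, or the Sigma project) that evaluates the same conditions in Python over a handful of constructed Sysmon Event ID 3 records represented as dicts with the rule's field names (Image, DestinationIp, Initiated). The CIDR lists are copied from the rule; the RecordId field and the extra_allow tuning hook are assumptions added here to illustrate the baseline-and-tune step the description calls for.

```python
import ipaddress

# CIDR filters copied from the rule above.
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]
MS_RANGES = [ipaddress.ip_network(c) for c in (
    "20.184.0.0/13", "20.192.0.0/10", "23.72.0.0/13", "51.10.0.0/15",
    "51.103.0.0/16", "51.104.0.0/15", "204.79.197.0/24",
)]
# Image|endswith values from the selection; Sigma string matching is
# case-insensitive by default, so we lower-case before comparing.
OFFICE_IMAGES = ("\\excel.exe", "\\powerpnt.exe", "\\winword.exe", "\\wordview.exe")


def in_ranges(ip, nets):
    """True if ip falls inside any network in nets (v4/v6 mismatches are False)."""
    return any(ip in net for net in nets)


def matches_rule(event, extra_allow=()):
    """Evaluate 'selection and not 1 of filter_main_*' for one event.

    extra_allow (assumption, not in the rule) is a list of additional CIDRs an
    analyst adds after baselining, e.g. business SaaS ranges Excel talks to.
    """
    image = str(event.get("Image", "")).lower()
    if not image.endswith(OFFICE_IMAGES):
        return False                      # not an office binary: outside selection
    if str(event.get("Initiated", "")).lower() != "true":
        return False                      # inbound/other: selection requires Initiated: 'true'
    try:
        ip = ipaddress.ip_address(event["DestinationIp"])
    except (KeyError, ValueError):
        return False                      # unparsable destination: cannot match the cidr filters
    # Any filter_main_* hit suppresses the alert.
    if in_ranges(ip, LOCAL_RANGES) or in_ranges(ip, MS_RANGES):
        return False
    if in_ranges(ip, [ipaddress.ip_network(c) for c in extra_allow]):
        return False
    return True


def run_detection(events, extra_allow=()):
    """Return the events that would fire the rule."""
    return [e for e in events if matches_rule(e, extra_allow)]


# Constructed sample events (RecordId is an assumption for readability).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "DestinationIp": "8.8.8.8", "Initiated": "true"},                 # fires
    {"RecordId": 2, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "DestinationIp": "192.168.1.10", "Initiated": "true"},            # RFC1918: filtered
    {"RecordId": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "DestinationIp": "20.190.160.1", "Initiated": "true"},            # in 20.184.0.0/13: filtered
    {"RecordId": 4, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationIp": "8.8.8.8", "Initiated": "true"},                 # not an office image
    {"RecordId": 5, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE",
     "DestinationIp": "203.0.113.5", "Initiated": "true"},             # fires (TEST-NET-3 address)
    {"RecordId": 6, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "DestinationIp": "2001:db8::1", "Initiated": "true"},             # fires (public-looking IPv6)
    {"RecordId": 7, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "DestinationIp": "8.8.8.8", "Initiated": "false"},                # not initiated by Word
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT RecordId={hit['RecordId']} {hit['Image']} -> {hit['DestinationIp']}")
    # After baselining, an analyst might allow-list a known business range:
    print("after tuning:", [e["RecordId"] for e in run_detection(SAMPLE_EVENTS, extra_allow=("203.0.113.0/24",))])
```

Running it prints alerts for records 1, 5 and 6; the second call shows how adding a baselined range to the filter set removes record 5 without touching the rest of the logic, which is the tuning step the description and the false-positive note refer to.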