title: Excel Network Connections
id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
status: experimental
description: >
    Detects an Excel process that initiates a network connection to a non-private IPv4 address.
    Written to cover CVE-2021-42292, but the behaviour is worth hunting for regardless, since it
    also applies to other malicious activity launched from Excel. You will likely have to tune
    this rule for your organization.
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0'
date: 2021/11/10
references:
    - https://corelight.com/blog/detecting-cve-2021-42292
tags:
    - attack.execution
    - attack.t1203
logsource:
    category: network_connection
    product: windows
detection:
    SELECTION_1:
        EventID: 3
    SELECTION_2:
        Image: '*\excel.exe'
    SELECTION_3:
        Initiated: 'true'
    SELECTION_4:
        DestinationIsIpv6: 'false'
    SELECTION_5:
        DestinationIp: 10.*
    SELECTION_6:
        DestinationIp: 192.168.*
    SELECTION_7:
        DestinationIp: 172.16.*
    SELECTION_8:
        DestinationIp: 172.17.*
    SELECTION_9:
        DestinationIp: 172.18.*
    SELECTION_10:
        DestinationIp: 172.19.*
    SELECTION_11:
        DestinationIp: 172.20.*
    SELECTION_12:
        DestinationIp: 172.21.*
    SELECTION_13:
        DestinationIp: 172.22.*
    SELECTION_14:
        DestinationIp: 172.23.*
    SELECTION_15:
        DestinationIp: 172.24.*
    SELECTION_16:
        DestinationIp: 172.25.*
    SELECTION_17:
        DestinationIp: 172.26.*
    SELECTION_18:
        DestinationIp: 172.27.*
    SELECTION_19:
        DestinationIp: 172.28.*
    SELECTION_20:
        DestinationIp: 172.29.*
    SELECTION_21:
        DestinationIp: 172.30.*
    SELECTION_22:
        DestinationIp: 172.31.*
    SELECTION_23:
        DestinationIp: 127.0.0.1*
    SELECTION_24:
        DestinationIsIpv6: 'false'
    condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not ((SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23) and SELECTION_24))
falsepositives:
    - You may have to tune out certain domains that Excel legitimately calls out to, such as Microsoft or other business-use-case domains.
    - Office documents commonly use templates that refer to external addresses (for example, sharepoint.ourcompany.com) and may have to be tuned.
    - It is highly recommended to baseline your activity and tune out common business use cases.
level: medium
yml_filename: sysmon_excel_outbound_network_connection.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
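Replaying the rule over log records makes the condition concrete. The following is an added example in Python; it is not part of the rule and not code from its authors or from the Sigma project. It evaluates the selection and filter blocks exactly as written above against a handful of constructed Sysmon Event ID 3 records, and adds one check the rule itself does not carry: because the filter is a literal prefix match, `127.0.0.1*` covers 127.0.0.1 and 127.0.0.10 through 127.0.0.19 but not the rest of 127.0.0.0/8, so a connection to 127.0.0.2 would still alert. `prefix_filter_gap()` flags such addresses. Field names are Sysmon's; the sample events, the `_excel()` helper and the other function names are constructed for this example.

```python
"""Replay the Excel outbound-connection rule over constructed Sysmon events.

Added example for illustration; this is not code from the rule's authors or
from the Sigma project. The events below are constructed, not real telemetry.
"""
import ipaddress
from fnmatch import fnmatchcase

# Wildcard prefixes from the rule's filter block (SELECTION_5 .. SELECTION_23).
PRIVATE_PATTERNS = (
    ["10.*", "192.168.*"]
    + [f"172.{octet}.*" for octet in range(16, 32)]  # 172.16.0.0/12
    + ["127.0.0.1*"]
)

# Ranges the filter intends to cover; used only to audit the patterns above.
INTENDED_NETWORKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def is_filtered_destination(ip: str) -> bool:
    """True when DestinationIp matches one of the rule's wildcard patterns.

    fnmatchcase reproduces Sigma's '*' wildcard; IPv4 literals contain no
    letters, so case handling does not matter here."""
    return any(fnmatchcase(ip, pattern) for pattern in PRIVATE_PATTERNS)


def rule_matches(event: dict) -> bool:
    """Evaluate the rule's condition against one Sysmon Event ID 3 record.

    Field names are the Sysmon network_connection names the rule uses. Sigma
    string matching is case-insensitive, hence the .lower() calls."""
    if str(event.get("EventID")) != "3":  # SELECTION_1
        return False
    not_ipv6 = str(event.get("DestinationIsIpv6", "")).lower() == "false"
    selection = (
        str(event.get("Image", "")).lower().endswith("\\excel.exe")  # SELECTION_2
        and str(event.get("Initiated", "")).lower() == "true"       # SELECTION_3
        and not_ipv6                                                 # SELECTION_4
    )
    if not selection:
        return False
    # Filter block: (SELECTION_5 or ... or SELECTION_23) and SELECTION_24.
    filtered = is_filtered_destination(str(event.get("DestinationIp", ""))) and not_ipv6
    return not filtered


def run_rule(events):
    """Return the events that would raise an alert."""
    return [event for event in events if rule_matches(event)]


def prefix_filter_gap(ip: str) -> bool:
    """True when an address lies in a range the filter intends to exclude but
    the rule's wildcard patterns miss it, so it alerts anyway (e.g. 127.0.0.2)."""
    addr = ipaddress.ip_address(ip)
    intended = any(addr in network for network in INTENDED_NETWORKS)
    return intended and not is_filtered_destination(ip)


def _excel(dest_ip: str, **overrides) -> dict:
    """Build a constructed Excel-initiated IPv4 connection event (hypothetical helper)."""
    event = {
        "EventID": 3,
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Initiated": "true",
        "DestinationIsIpv6": "false",
        "DestinationIp": dest_ip,
        "DestinationPort": 443,
    }
    event.update(overrides)
    return event


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _excel("203.0.113.10"),                           # public address: alert
    _excel("10.20.30.40"),                            # RFC 1918: filtered
    _excel("172.31.200.5"),                           # inside 172.16.0.0/12: filtered
    _excel("172.32.5.6"),                             # outside 172.16.0.0/12: alert
    _excel("192.168.1.50"),                           # RFC 1918: filtered
    _excel("203.0.113.10", Initiated="false"),        # inbound to Excel: no alert
    _excel("203.0.113.10",
           Image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),  # not Excel
    _excel("2001:db8::1", DestinationIsIpv6="true"),  # IPv6: the rule covers IPv4 only
    _excel("127.0.0.2"),                              # loopback missed by '127.0.0.1*': alert
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT  {hit['Image']} -> {hit['DestinationIp']}:{hit['DestinationPort']}")
    for ip in ("127.0.0.2", "127.0.0.15", "10.1.2.3"):
        print(f"filter gap for {ip}: {prefix_filter_gap(ip)}")
```

Run it directly to print the three alerting events. In production the same logic runs in whatever backend Sigma compiles the rule to, and the tuning the falsepositives list calls for is done by extending the filter block, for example with `DestinationHostname` exclusions for known business domains, rather than by loosening the selection.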