83 lines
2.8 KiB
YAML
83 lines
2.8 KiB
YAML
title: Excel Network Connections
|
|
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0"
|
|
date: 2021/11/10
|
|
description: Detects an Excel process that opens suspicious network connections to
|
|
non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely
|
|
have to tune this rule for your organization, but it is certainly something you
|
|
should look for and could have applications for malicious activity beyond CVE-2021-42292.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 3
|
|
SELECTION_10:
|
|
DestinationIp: 172.19.*
|
|
SELECTION_11:
|
|
DestinationIp: 172.20.*
|
|
SELECTION_12:
|
|
DestinationIp: 172.21.*
|
|
SELECTION_13:
|
|
DestinationIp: 172.22.*
|
|
SELECTION_14:
|
|
DestinationIp: 172.23.*
|
|
SELECTION_15:
|
|
DestinationIp: 172.24.*
|
|
SELECTION_16:
|
|
DestinationIp: 172.25.*
|
|
SELECTION_17:
|
|
DestinationIp: 172.26.*
|
|
SELECTION_18:
|
|
DestinationIp: 172.27.*
|
|
SELECTION_19:
|
|
DestinationIp: 172.28.*
|
|
SELECTION_2:
|
|
Image: '*\excel.exe'
|
|
SELECTION_20:
|
|
DestinationIp: 172.29.*
|
|
SELECTION_21:
|
|
DestinationIp: 172.30.*
|
|
SELECTION_22:
|
|
DestinationIp: 172.31.*
|
|
SELECTION_23:
|
|
DestinationIp: 127.0.0.1*
|
|
SELECTION_24:
|
|
DestinationIsIpv6: 'false'
|
|
SELECTION_3:
|
|
Initiated: 'true'
|
|
SELECTION_4:
|
|
DestinationIsIpv6: 'false'
|
|
SELECTION_5:
|
|
DestinationIp: 10.*
|
|
SELECTION_6:
|
|
DestinationIp: 192.168.*
|
|
SELECTION_7:
|
|
DestinationIp: 172.16.*
|
|
SELECTION_8:
|
|
DestinationIp: 172.17.*
|
|
SELECTION_9:
|
|
DestinationIp: 172.18.*
|
|
condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not
|
|
((SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
|
|
or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
|
|
or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
|
|
or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23) and SELECTION_24))
|
|
falsepositives:
|
|
- You may have to tune certain domains out that Excel may call out to, such as microsoft
|
|
or other business use case domains.
|
|
- Office documents commonly have templates that refer to external addresses, like
|
|
sharepoint.ourcompany.com may have to be tuned.
|
|
- It is highly recomended to baseline your activity and tune out common business use
|
|
cases.
|
|
id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
|
|
level: medium
|
|
logsource:
|
|
category: network_connection
|
|
product: windows
|
|
references:
|
|
- https://corelight.com/blog/detecting-cve-2021-42292
|
|
status: experimental
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1203
|
|
yml_filename: sysmon_excel_outbound_network_connection.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
|
|
|