Detection rules › Sigma

Office Application Initiated Network Connection Over Uncommon Ports

Status
test
Severity
medium
Author
X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.

Event coverage

ProviderEventTitle
SysmonEvent ID 3Network connection

Rule body yaml

title: Office Application Initiated Network Connection Over Uncommon Ports
id: 3b5ba899-9842-4bc2-acc2-12308498bf42
status: test
description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-12
modified: 2025-10-17
tags:
    - attack.command-and-control
    - attack.stealth
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\excel.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wordview.exe'
    filter_main_common_ports:
        DestinationPort:
            - 53 # DNS
            - 80 # HTTP
            - 139 # NETBIOS
            - 389 # LDAP
            - 443 # HTTPS
            - 445 # SMB
            - 3268 # MSFT-GC
    filter_main_outlook_ports:
        Image|contains: ':\Program Files\Microsoft Office\'
        Image|endswith: '\OUTLOOK.EXE'
        DestinationPort:
            - 143
            - 465 # SMTP
            - 587 # SMTP
            - 993 # IMAP
            - 995 # POP3
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Other ports can be used, apply additional filters accordingly
level: medium

Stages and Predicates

Stage 0: condition

selection and not 1 of filter_main_*

Stage 1: selection

selection:
    Initiated: 'true'
    Image|endswith:
        - '\excel.exe'
        - '\outlook.exe'
        - '\powerpnt.exe'
        - '\winword.exe'
        - '\wordview.exe'

Stage 2: not filter_main_*

filter_main_common_ports:
    DestinationPort:
        - 53 # DNS
        - 80 # HTTP
        - 139 # NETBIOS
        - 389 # LDAP
        - 443 # HTTPS
        - 445 # SMB
        - 3268 # MSFT-GC
filter_main_outlook_ports:
    Image|contains: ':\Program Files\Microsoft Office\'
    Image|endswith: '\OUTLOOK.EXE'
    DestinationPort:
        - 143
        - 465 # SMTP
        - 587 # SMTP
        - 993 # IMAP
        - 995 # POP3

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

StageFieldKindExcluded values
2DestinationPorteq143
2DestinationPorteq465
2DestinationPorteq587
2DestinationPorteq993
2DestinationPorteq995
2Imageends_with\OUTLOOK.EXE
2Imagematch:\Program Files\Microsoft Office\
2DestinationPorteq139
2DestinationPorteq3268
2DestinationPorteq389
2DestinationPorteq443
2DestinationPorteq445
2DestinationPorteq53
2DestinationPorteq80

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \excel.exe corpus 24 (sigma 24)
  • \outlook.exe corpus 21 (sigma 21)
  • \powerpnt.exe corpus 19 (sigma 19)
  • \winword.exe corpus 27 (sigma 27)
  • \wordview.exe corpus 6 (sigma 6)
Initiatedeq
  • true corpus 48 (sigma 48)