
Summary
This detection rule identifies potentially malicious behavior in Microsoft Office applications (e.g., Word, Excel, PowerPoint) that initiate network connections to non-private IP addresses. Such behavior may indicate exploitation attempts, particularly those analogous to incidents reported in CVE-2021-42292. To implement this rule effectively, an organization must first establish a baseline of the network activity expected from these Office applications, so that false positives are minimized and the rule's filters can be refined to the organization's operational context. The rule combines multiple filters, based on known Microsoft service IP ranges and on general non-local address patterns, to surface traffic that deviates from expected behavior. Continuous tuning against observed legitimate traffic patterns is essential for maintaining an effective monitoring posture.
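The filter logic the summary describes, as an added Python example that is not the rule's own code: it applies the Office-image, non-local and Microsoft-range conditions to constructed Sysmon Event ID 3-style records. The Microsoft range, the local range list and the sample addresses are assumed placeholders, not values taken from the rule.

```python
import ipaddress

# Office executables the rule watches; the page names Word, Excel and PowerPoint.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# "Non-local" is decided against an explicit list of private, loopback and link-local ranges.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # IPv4 loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 loopback, link-local, ULA
)]

# Stand-in for the rule's "known Microsoft service IP ranges" filter: a constructed
# placeholder (TEST-NET-3) an operator replaces with the allow-list built during baselining.
MS_SERVICE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def is_local(ip):
    """True for private, loopback and link-local destinations (both IP versions)."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in LOCAL_RANGES)

def is_allowlisted(ip):
    """True when the destination falls in a baselined Microsoft service range."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in MS_SERVICE_RANGES)

def flag_office_connections(events):
    """Apply the rule to Sysmon Event ID 3-style records: return the events where an
    Office image reached a destination that is neither local nor allow-listed."""
    hits = []
    for ev in events:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image not in OFFICE_IMAGES:
            continue
        try:
            dst = ipaddress.ip_address(ev.get("DestinationIp", ""))
        except ValueError:          # malformed or missing address: nothing to match
            continue
        if not is_local(dst) and not is_allowlisted(dst):
            hits.append(ev)
    return hits

# Constructed sample records (not real telemetry); field names follow Sysmon Event ID 3.
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"Image": OFFICE16 + r"\WINWORD.EXE", "DestinationIp": "10.0.0.5"},       # private: ignored
    {"Image": OFFICE16 + r"\EXCEL.EXE", "DestinationIp": "203.0.113.10"},     # allow-listed: ignored
    {"Image": OFFICE16 + r"\POWERPNT.EXE", "DestinationIp": "198.51.100.7"},  # public, unknown: flagged
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "198.51.100.8"},  # not Office: ignored
    {"Image": OFFICE16 + r"\WINWORD.EXE", "DestinationIp": "fe80::1"},        # link-local: ignored
]
```

Running `flag_office_connections(SAMPLE_EVENTS)` returns only the PowerPoint record; every destination later confirmed as legitimate during baselining belongs in MS_SERVICE_RANGES rather than in an ad hoc exception.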
Categories
- Endpoint
- Windows
- Network
Data Sources
- Application Log
- Network Traffic
- Process
Created: 2021-11-10