Office Application Initiated Network Connection To Non-Local IP (75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84)

Detects an Office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to that seen when CVE-2021-42292 is exploited. This rule will require an initial baseline and tuning that is specific to your organization.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Office Application Initiated Network Connection To Non-Local IP (75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84) | Sigma-Rules | Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) | Attack Pattern | 1 |