sigma | medium | Hunting
Office Application Initiated Network Connection Over Uncommon Ports
Detects an office suite application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
Detection Query
selection:
    Initiated: "true"
    Image|endswith:
        - \excel.exe
        - \outlook.exe
        - \powerpnt.exe
        - \winword.exe
        - \wordview.exe
filter_main_common_ports:
    DestinationPort:
        - 53
        - 80
        - 139
        - 389
        - 443
        - 445
        - 3268
filter_main_outlook_ports:
    Image|contains: :\Program Files\Microsoft Office\
    Image|endswith: \OUTLOOK.EXE
    DestinationPort:
        - 143
        - 465
        - 587
        - 993
        - 995
condition: selection and not 1 of filter_main_*
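As an added illustration, not part of the rule and not code from any Sigma backend, the condition above evaluated in plain Python over constructed Sysmon Event ID 3 style records. It shows why the Outlook mail-port exclusion is scoped to the Program Files path: a binary named OUTLOOK.EXE running from elsewhere still alerts on port 993. Sigma string matching is treated as case-insensitive, which is the Sigma default.

```python
# Added example (hypothetical evaluator), not the rule's own tooling.
SELECTION_IMAGES = ("\\excel.exe", "\\outlook.exe", "\\powerpnt.exe",
                    "\\winword.exe", "\\wordview.exe")
COMMON_PORTS = {53, 80, 139, 389, 443, 445, 3268}          # filter_main_common_ports
OUTLOOK_MAIL_PORTS = {143, 465, 587, 993, 995}             # filter_main_outlook_ports


def _image(ev):
    # Sigma compares strings case-insensitively by default.
    return str(ev.get("Image", "")).lower()


def _port(ev):
    # DestinationPort may arrive as int or string depending on the log pipeline.
    try:
        return int(ev.get("DestinationPort"))
    except (TypeError, ValueError):
        return None


def _selection(ev):
    return (str(ev.get("Initiated", "")).lower() == "true"
            and _image(ev).endswith(SELECTION_IMAGES))


def _filter_common_ports(ev):
    return _port(ev) in COMMON_PORTS


def _filter_outlook_ports(ev):
    # All three keys in the filter map must hold (AND), including the path scope.
    img = _image(ev)
    return (":\\program files\\microsoft office\\" in img
            and img.endswith("\\outlook.exe")
            and _port(ev) in OUTLOOK_MAIL_PORTS)


def matches(ev):
    """condition: selection and not 1 of filter_main_*"""
    return _selection(ev) and not (_filter_common_ports(ev) or _filter_outlook_ports(ev))


def hunt(events):
    """Return the indexes of events the rule would flag."""
    return [i for i, ev in enumerate(events) if matches(ev)]


SAMPLE_EVENTS = [  # constructed records for demonstration only
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Initiated": "true", "DestinationPort": 443},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Initiated": "true", "DestinationPort": 8443},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "Initiated": "true", "DestinationPort": 993},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\OUTLOOK.EXE", "Initiated": "true", "DestinationPort": "993"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "Initiated": "false", "DestinationPort": 4444},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Initiated": "true", "DestinationPort": 8443},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))  # the Word connection on 8443 and the out-of-place OUTLOOK.EXE on 993
```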
Author
X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created
2023-07-12
Data Sources
windows / Network Connection Events
Platforms
windows
References
https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
Tags
attack.defense-evasion
attack.command-and-control
Raw Content
title: Office Application Initiated Network Connection Over Uncommon Ports
id: 3b5ba899-9842-4bc2-acc2-12308498bf42
status: test
description: Detects an office suite application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-12
modified: 2025-10-17
tags:
    - attack.defense-evasion
    - attack.command-and-control
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\excel.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wordview.exe'
    filter_main_common_ports:
        DestinationPort:
            - 53 # DNS
            - 80 # HTTP
            - 139 # NETBIOS
            - 389 # LDAP
            - 443 # HTTPS
            - 445 # SMB
            - 3268 # MSFT-GC
    filter_main_outlook_ports:
        Image|contains: ':\Program Files\Microsoft Office\'
        Image|endswith: '\OUTLOOK.EXE'
        DestinationPort:
            - 143 # IMAP
            - 465 # SMTP
            - 587 # SMTP
            - 993 # IMAP
            - 995 # POP3
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Other ports can be used, apply additional filters accordingly
level: medium