
Office Application Initiated Network Connection Over Uncommon Ports

Format: Sigma · Level: MEDIUM · Source: SigmaHQ · Sentinel table: imNetworkSession
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-05T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects an office suite application (Word, Excel, PowerPoint, Outlook) communicating with target systems over uncommon ports.

Detection Rule

Sigma (Original)

title: Office Application Initiated Network Connection Over Uncommon Ports
id: 3b5ba899-9842-4bc2-acc2-12308498bf42
status: test
description: Detects an office suite application (Word, Excel, PowerPoint, Outlook) communicating with target systems over uncommon ports.
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-12
modified: 2025-10-17
tags:
    - attack.command-and-control
    - attack.stealth
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\excel.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wordview.exe'
    filter_main_common_ports:
        DestinationPort:
            - 53 # DNS
            - 80 # HTTP
            - 139 # NETBIOS
            - 389 # LDAP
            - 443 # HTTPS
            - 445 # SMB
            - 3268 # MSFT-GC
    filter_main_outlook_ports:
        Image|contains: ':\Program Files\Microsoft Office\'
        Image|endswith: '\OUTLOOK.EXE'
        DestinationPort:
            - 143 # IMAP
            - 465 # SMTP
            - 587 # SMTP
            - 993 # IMAP
            - 995 # POP3
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Other ports can be used, apply additional filters accordingly
level: medium
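
The rule's logic in executable form, as an added example (not SigmaHQ's or this feed's code): the Sigma selection and both filter_main_* filters re-implemented in Python and evaluated over constructed Sysmon Event ID 3 style records, including the path-sensitive Outlook case. Field names Image, Initiated and DestinationPort are the Sigma/Sysmon names the rule itself uses; the sample records are invented.

```python
# Added example (not SigmaHQ code): the rule's selection and filter logic
# re-implemented in Python and run over constructed Sysmon Event ID 3 records.
OFFICE_IMAGES = ("\\excel.exe", "\\outlook.exe", "\\powerpnt.exe",
                 "\\winword.exe", "\\wordview.exe")
COMMON_PORTS = {53, 80, 139, 389, 443, 445, 3268}  # filter_main_common_ports
OUTLOOK_MAIL_PORTS = {143, 465, 587, 993, 995}     # filter_main_outlook_ports
OFFICE_DIR = ":\\program files\\microsoft office\\"


def matches(event: dict) -> bool:
    """True when the event fires the rule (selection and not 1 of filter_main_*).
    Sigma string modifiers are case-insensitive by default, so Image is lower-cased."""
    image = str(event.get("Image", "")).lower()
    initiated = str(event.get("Initiated", "")).lower() == "true"
    port = int(event.get("DestinationPort", -1))
    # selection: a connection initiated by one of the Office binaries
    if not (initiated and image.endswith(OFFICE_IMAGES)):
        return False
    # filter_main_common_ports: well-known ports are expected for every Office app
    if port in COMMON_PORTS:
        return False
    # filter_main_outlook_ports: mail ports only for Outlook under the install dir
    if (OFFICE_DIR in image and image.endswith("\\outlook.exe")
            and port in OUTLOOK_MAIL_PORTS):
        return False
    return True


OFFICE16 = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"Image": OFFICE16 + "WINWORD.EXE", "Initiated": "true",
     "DestinationPort": 443},   # HTTPS: filtered by common ports
    {"Image": OFFICE16 + "WINWORD.EXE", "Initiated": "true",
     "DestinationPort": 8443},  # uncommon port: alert
    {"Image": OFFICE16 + "OUTLOOK.EXE", "Initiated": "true",
     "DestinationPort": 587},   # SMTP from the install dir: filtered
    {"Image": "C:\\Users\\u\\AppData\\Local\\Temp\\outlook.exe", "Initiated": "true",
     "DestinationPort": 587},   # same port, Outlook outside the install dir: alert
    {"Image": OFFICE16 + "EXCEL.EXE", "Initiated": "false",
     "DestinationPort": 4444},  # not initiated by Excel (inbound): not selected
]


def alerts(events=SAMPLE_EVENTS) -> list:
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for e in alerts():
        print("ALERT", e["Image"], e["DestinationPort"])
```

Running the module flags only the second and fourth sample records, which is the behaviour the two filters are designed to produce.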

KQL (Azure Sentinel)

imNetworkSession
// "Initiated: 'true'" in the Sigma rule means an outbound session; the ASIM NetworkDirection
// column holds values such as "Inbound"/"Outbound", so the converter's `=~ "true"` never matches.
| where NetworkDirection =~ "Outbound"
| where SrcProcessName endswith "\\excel.exe" or SrcProcessName endswith "\\outlook.exe"
    or SrcProcessName endswith "\\powerpnt.exe" or SrcProcessName endswith "\\winword.exe"
    or SrcProcessName endswith "\\wordview.exe"
    or DstProcessName endswith "\\excel.exe" or DstProcessName endswith "\\outlook.exe"
    or DstProcessName endswith "\\powerpnt.exe" or DstProcessName endswith "\\winword.exe"
    or DstProcessName endswith "\\wordview.exe"
// filter_main_common_ports: DstPortNumber is an integer column, so compare against numbers
| where not(DstPortNumber in (53, 80, 139, 389, 443, 445, 3268))
// filter_main_outlook_ports: mail ports are expected only for Outlook under the Office install directory
| where not(
    (SrcProcessName contains ":\\Program Files\\Microsoft Office\\" or DstProcessName contains ":\\Program Files\\Microsoft Office\\")
    and (SrcProcessName endswith "\\OUTLOOK.EXE" or DstProcessName endswith "\\OUTLOOK.EXE")
    and DstPortNumber in (143, 465, 587, 993, 995))

Required Data Sources

Sentinel table: imNetworkSession
Notes: Ensure this data connector is enabled

False Positive Guidance

The rule's own note: other ports can be used, apply additional filters accordingly. Any legitimate Office traffic on a port outside the two filter lists (for example an outbound proxy listening on a non-standard port) will fire this rule, so extend filter_main_common_ports for such ports, and filter_main_outlook_ports for any further mail ports Outlook uses in the environment, rather than disabling the rule.

MITRE ATT&CK Context

Tagged attack.command-and-control (tactic TA0011, Command and Control). The second tag, attack.stealth, is not an ATT&CK tactic or technique identifier, and the rule is not mapped to a specific technique.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml