Sid 1-42231

Message

FILE-OFFICE RTF url moniker COM file download attempt

Summary

This event is generated when an RTF document is observed that carries an embedded OLE object using a URL moniker to retrieve a remote file, the technique used to exploit CVE-2017-0199. The rule matches the document in transit (for example as an e-mail attachment or HTTP download), not the follow-on request for the remote file, so an alert indicates delivery of a malicious document rather than confirmed execution on the endpoint.

Impact

Attempted Administrator Privilege Gain

CVE-2017-0199:

CVSS base score 7.8

CVSS impact score 5.9

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

CVE-2017-0199: Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."
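The following is an added example, not the rule's own content or any Talos code, that shows what the detection above is looking for: an RTF `\objdata` payload that contains a serialized URL moniker. It assumes the documented URL moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} (stored little-endian) and the moniker's on-disk layout of CLSID, 4-byte length, then a null-terminated UTF-16LE URL. The sample document is constructed inline for the demonstration and is not a real-world sample; the function and variable names are the example's own.

```python
import re
import struct

# Little-endian serialization of the URL moniker CLSID
# {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}. An RTF-embedded OLE object that
# will fetch a remote file carries this byte pattern in its \objdata hex.
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

# Hex payload of an embedded object: {\*\objdata <hex run>}. Whitespace is
# allowed inside the run because Word and obfuscators both split it freely.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objdata_blobs(rtf: bytes) -> list[bytes]:
    """Return the decoded binary payload of every \\objdata group in the RTF."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]  # drop a dangling nibble rather than fail
        try:
            blobs.append(bytes.fromhex(hexdata.decode("ascii")))
        except ValueError:
            continue
    return blobs


def find_url_monikers(blob: bytes) -> list[str]:
    """Locate every URL moniker in an OLE payload and decode its target URL.

    Layout assumed after the CLSID: 4-byte little-endian length, then the
    URL as a null-terminated UTF-16LE string.
    """
    urls = []
    pos = blob.find(URL_MONIKER_CLSID)
    while pos != -1:
        start = pos + len(URL_MONIKER_CLSID)
        if start + 4 > len(blob):
            break
        (length,) = struct.unpack_from("<I", blob, start)
        raw = blob[start + 4:start + 4 + length]
        url = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        urls.append(url)
        pos = blob.find(URL_MONIKER_CLSID, start)
    return urls


def scan_rtf(rtf: bytes) -> list[str]:
    """Return the remote URLs referenced by URL monikers in an RTF document."""
    urls = []
    for blob in extract_objdata_blobs(rtf):
        urls.extend(find_url_monikers(blob))
    return urls


def build_sample_rtf(url: str) -> bytes:
    """Constructed test document (not a real-world sample): an RTF whose
    embedded object carries a URL moniker pointing at `url`."""
    url_bytes = url.encode("utf-16-le") + b"\x00\x00"
    moniker = URL_MONIKER_CLSID + struct.pack("<I", len(url_bytes)) + url_bytes
    # Filler ahead of the moniker stands in for the OLE object header.
    payload = b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"\x00" * 8 + moniker
    hexdata = payload.hex()
    # Break the hex across lines the way Word and obfuscators do.
    wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (
        b"{\\rtf1\\ansi\n{\\object\\objautlink\\objupdate\n"
        b"{\\*\\objdata " + wrapped.encode("ascii") + b"}}\n}"
    )


if __name__ == "__main__":
    sample = build_sample_rtf("http://example.invalid/payload.hta")
    for u in scan_rtf(sample):
        print("URL moniker target:", u)
```

When triaging an alert, pulling the URL out of the captured document this way tells you what the host would have fetched; a benign link to an internal share is a very different finding from a remote `.hta`. Documents that use `\bin` raw binary instead of hex, or that split the CLSID with RTF control words, will not be found by this simple hex decoder and need a full RTF parser.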

Affected systems

  • Microsoft Office 2007
  • Microsoft Office 2010
  • Microsoft Office 2013
  • Microsoft Office 2016
  • Microsoft Windows 7
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Vista

Ease of attack

CVE-2017-0199:

Access Vector

Access Complexity

Authentication

False positives

None Known

False negatives

None Known

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References