Sid 1-45402


FILE-OFFICE Microsoft Word memory corruption exploit attempt


This event is generated when an attacker attempts to exploit a memory corruption vulnerability in Microsoft Word.


Potential user access to the victim's machine


CVSS base score

CVSS impact score

CVSS exploitability score

Confidentiality Impact

Integrity Impact

Availability Impact

Detailed information

Rule checks for a memory corruption exploit used against Microsoft Word. CVE-2018-0797: Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulnerability due to the way RTF content is handled, aka "Microsoft Word Memory Corruption Vulnerability".

Affected systems

Ease of attack


False positives

Not known

False negatives

Not known

Corrective action

Implement all patches referenced here:


  • Cisco's Talos Intelligence Group

Additional References