Sid 1-46185

Message

FILE-OFFICE Microsoft Office Excel remote code execution attempt

Summary

This event is generated when remote code execution is attempted in MS Excel by exploiting a use-after-free (UAF) vulnerability.

Impact

Attempted User Privilege Gain

Detailed information

A use-after-free vulnerability exists when MS Excel moves content from Protected Mode to Compatibility Mode. If an attacker can control the freed objects during the transition, it could lead to remote code execution.

Affected systems

  • MS Office 2013

Ease of attack

False positives

False negatives

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1026