Office

CVE-2026-42832 is an improper access control vulnerability in Microsoft Office that allows an unauthorized attacker to perform local spoofing.

CVE-2026-42831 is a heap-based buffer overflow vulnerability in Microsoft Office, allowing a local attacker to execute arbitrary code with a CVSS score of 7.8.

CVE-2026-40419 is a use-after-free vulnerability in Microsoft Office that allows an authenticated, local attacker to elevate privileges.

A heap-based buffer overflow vulnerability in Microsoft Office allows an unauthenticated, local attacker to execute arbitrary code.

CVE-2026-40358 describes a use-after-free vulnerability in Microsoft Office that could allow an unauthorized local attacker to execute code with elevated privileges.

The rule identifies suspicious process creation where a process is created and immediately accessed from an unknown memory code region by the same parent process, indicating a potential code injection attempt, specifically process hollowing, commonly targeting processes spawned by Microsoft Office applications, scripting engines, and command-line tools for defense evasion.

Adversaries may create scheduled tasks on Windows systems to establish persistence, move laterally, or escalate privileges, and this detection identifies such activity by monitoring Windows event logs for scheduled task creation events, excluding known benign tasks and those created by system accounts.

This rule detects the creation of scheduled tasks in Windows using event logs, which adversaries may use for persistence, lateral movement, or privilege escalation by creating malicious tasks.