Skip to main content

This documentation does not apply to the most recent version of uberAgent. Click here for the latest version.

MS Office & Acrobat Reader Monitoring

The ESA Threat Detection rules for monitoring Microsoft Office and Adobe Acrobat Reader are vast limits vendor rules.

Microsoft Office Rules

The rules in this section detect suspicious behavior with MS Office applications.

  • Detect macro execution with the default Office security configuration applied (“disable all macros with notification”)
  • Detect child processes of Microsoft Office applications (dedicated rules for scripts and other types of child processes)
  • Detect Microsoft Office download operations
  • Detect Microsoft Office applications executing macros that access WMI to create child processes
  • Suspicious DLL load by Office
  • Detect loading of MAPI DLLs from processes other than Outlook

Adobe Acrobat Reader Rules

The rules in this section detect suspicious behavior with Adobe Acrobat Reader.

  • Detect child processes of Adobe Reader

Comments

Your email address will not be published. Required fields are marked *