Adobe Hijack Persistence
editAdobe Hijack Persistence
editDetects writing executable files that will be automatically launched by Adobe Acrobat Reader on launch.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Persistence
Version: 10
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
edit## Triage and analysis ### Investigating Adobe Hijack Persistence Attackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed. #### Possible investigation steps - Investigate the process execution chain (parent process tree). - Identify the user account that performed the action. - Investigate other alerts associated with the user/host during the past 48 hours. - Check for similar behavior in other hosts on the environment. - Retrieve the file and determine if it is malicious: - Use a private sandboxed malware analysis system to perform analysis. - Observe and collect information about the following activities: - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - Scheduled tasks creation. - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file. - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. ### False positive analysis - This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. ### Response and remediation - Initiate the incident response process based on the outcome of the triage. - Isolate the involved host to prevent further post-compromise behavior. - If the triage identified malware, search the environment for additional compromised hosts. - Implement any temporary network rules, procedures, and segmentation required to contain the malware. - Immediately block the IoCs identified. - Remove and block malicious artifacts identified on the triage. - Disable the involved accounts, or restrict their ability to log on remotely. - Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.). ## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
Rule query
editfile where event.type == "creation" and file.path : ("?:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe", "?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe") and not process.name : "msiexec.exe"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Hijack Execution Flow
- ID: T1574
- Reference URL: https://attack.mitre.org/techniques/T1574/
-
Sub-technique:
- Name: Services File Permissions Weakness
- ID: T1574.010
- Reference URL: https://attack.mitre.org/techniques/T1574/010/