Threat Feed
medium advisory

Adobe RdrCEF.exe Hijack for Persistence

Attackers can maintain persistence by replacing the legitimate RdrCEF.exe executable with a malicious one, which is executed every time Adobe Acrobat Reader is launched.

This detection identifies a persistence technique where attackers replace Adobe Acrobat Reader’s RdrCEF.exe with a malicious executable. This allows the attacker to gain persistence, as their malicious file will be executed every time the user launches Adobe Acrobat Reader DC. The rule focuses on detecting the file creation event of a file named RdrCEF.exe in the Adobe Acrobat Reader directory. The targeted versions are those using the RdrCEF.exe file located within the AcroCEF subdirectory. The purpose of this technique is to maintain unauthorized access to a compromised system. This technique was publicly discussed on Twitter as early as 2018.

Attack Chain

  1. Initial access is gained through an existing compromise or vulnerability.
  2. The attacker locates the RdrCEF.exe file within the Adobe Acrobat Reader installation directory (e.g., C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\).
  3. The legitimate RdrCEF.exe file is either deleted or renamed.
  4. A malicious executable is created or copied and renamed to RdrCEF.exe in the same directory.
  5. The system is used as normal, and whenever Adobe Acrobat Reader DC is launched, the malicious RdrCEF.exe is executed.
  6. The malicious executable performs its intended actions, such as establishing a reverse shell, injecting code into other processes, or exfiltrating data.
  7. The attacker maintains persistent access to the compromised system.

Impact

A successful attack allows the attacker to maintain persistent access to the compromised system. The attacker can then perform various malicious activities, such as stealing sensitive data, installing additional malware, or using the system as a foothold for lateral movement within the network. The compromise affects any user who launches Adobe Acrobat Reader on the infected machine.

Recommendation

  • Enable Sysmon file-creation logging (Event ID 11) so that the creation of RdrCEF.exe in the Adobe Acrobat Reader directories is recorded; this telemetry is required by the rule “Deprecated - Adobe Hijack Persistence” (Data Source: Sysmon).
  • Deploy the Sigma rule “Detect Adobe RdrCEF.exe File Creation” to your SIEM and tune for your environment.
  • Investigate any alerts generated by the provided Sigma rule, focusing on identifying the origin and purpose of the created RdrCEF.exe file.
  • Monitor for unusual process execution originating from the RdrCEF.exe file location.

Detection coverage (2 rules)

Detect Adobe RdrCEF.exe File Creation

Severity: medium

Detects the creation of RdrCEF.exe in the Adobe Acrobat Reader directory, indicating a potential hijack for persistence.

Format: Sigma | Tactics: persistence | Techniques: T1574 | Sources: file_event, windows

Detect Suspicious Process Launch from RdrCEF.exe Location

Severity: medium

Detects processes being launched from the RdrCEF.exe location, which can indicate a hijacked executable.

Format: Sigma | Tactics: execution, persistence | Techniques: T1574 | Sources: process_creation, windows
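As an added example (not part of this advisory or its Sigma rules), the logic of both coverage rules above applied to constructed Sysmon records in Python: rule 1 flags a FileCreate (Event ID 11) of RdrCEF.exe in the AcroCEF directory by a process outside an installer allowlist, and rule 2 flags a ProcessCreate (Event ID 1) of RdrCEF.exe from that location whose PE metadata does not look like Adobe's. The path pattern (including the 64-bit install root), the allowlist, and the expected Company/OriginalFileName values are assumptions to tune against a clean install.

```python
import re

# Default AcroCEF path from the advisory; the 64-bit "Program Files" root is an assumption.
RDRCEF_PATH_RE = re.compile(
    r"^[A-Za-z]:\\Program Files( \(x86\))?\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF\.exe$",
    re.IGNORECASE)
# Assumed allowlist of processes expected to write into the Reader directory; tune per environment.
EXPECTED_WRITERS = {"msiexec.exe", "adobearm.exe", "armsvc.exe"}
ACROCEF = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"

def is_rdrcef_path(path: str) -> bool:
    return bool(RDRCEF_PATH_RE.match(path))

def file_creation_alert(event: dict) -> bool:
    """Sysmon EID 11 (FileCreate): RdrCEF.exe written into AcroCEF by a non-installer process."""
    if event.get("EventID") != 11 or not is_rdrcef_path(event.get("TargetFilename", "")):
        return False
    writer = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return writer not in EXPECTED_WRITERS

def process_launch_alert(event: dict) -> bool:
    """Sysmon EID 1 (ProcessCreate): RdrCEF.exe started from AcroCEF whose PE metadata does
    not match the genuine binary (expected Company/OriginalFileName values are assumptions;
    confirm them against a clean install before deploying)."""
    if event.get("EventID") != 1 or not is_rdrcef_path(event.get("Image", "")):
        return False
    company_ok = "adobe" in event.get("Company", "").lower()
    name_ok = event.get("OriginalFileName", "").lower() == "rdrcef.exe"
    return not (company_ok and name_ok)

def triage(events):
    """Return (EventID, Image) for each event matching either rule."""
    return [(e["EventID"], e["Image"]) for e in events
            if file_creation_alert(e) or process_launch_alert(e)]

# Constructed sample telemetry (not real logs): a legitimate installer write, a suspicious
# write from a user temp directory, a genuine launch, and a launch of a replaced binary.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe", "TargetFilename": ACROCEF},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe", "TargetFilename": ACROCEF},
    {"EventID": 1, "Image": ACROCEF, "Company": "Adobe Systems Incorporated", "OriginalFileName": "RdrCEF.exe"},
    {"EventID": 1, "Image": ACROCEF, "Company": "-", "OriginalFileName": "dropper.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Running the block prints one alert for the temp-directory write and one for the launch of the replaced binary; the installer write and the genuine launch stay quiet.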
