{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/acrobat-reader-dc/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Acrobat Reader DC"],"_cs_severities":["medium"],"_cs_tags":["persistence","adobe","file_creation","hijack_execution_flow"],"_cs_type":"advisory","_cs_vendors":["Adobe"],"content_html":"\u003cp\u003eThis detection identifies a persistence technique where attackers replace Adobe Acrobat Reader\u0026rsquo;s \u003ccode\u003eRdrCEF.exe\u003c/code\u003e with a malicious executable. This allows the attacker to gain persistence, as their malicious file will be executed every time the user launches Adobe Acrobat Reader DC. The rule focuses on detecting the file creation event of a file named \u003ccode\u003eRdrCEF.exe\u003c/code\u003e in the Adobe Acrobat Reader directory. The targeted versions are those using the \u003ccode\u003eRdrCEF.exe\u003c/code\u003e file located within the \u003ccode\u003eAcroCEF\u003c/code\u003e subdirectory. The purpose of this technique is to maintain unauthorized access to a compromised system. This technique was publicly discussed on Twitter as early as 2018.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an existing compromise or vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker locates the \u003ccode\u003eRdrCEF.exe\u003c/code\u003e file within the Adobe Acrobat Reader installation directory (e.g., \u003ccode\u003eC:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe legitimate \u003ccode\u003eRdrCEF.exe\u003c/code\u003e file is either deleted or renamed.\u003c/li\u003e\n\u003cli\u003eA malicious executable is created or copied and renamed to \u003ccode\u003eRdrCEF.exe\u003c/code\u003e in the same directory.\u003c/li\u003e\n\u003cli\u003eThe system is used as normal, and whenever Adobe Acrobat Reader DC is launched, the malicious \u003ccode\u003eRdrCEF.exe\u003c/code\u003e is executed.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs its intended actions, such as establishing a reverse shell, injecting code into other processes, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack allows the attacker to maintain persistent access to the compromised system. The attacker can then perform various malicious activities, such as stealing sensitive data, installing additional malware, or using the system as a foothold for lateral movement within the network. The compromise affects any user who launches Adobe Acrobat Reader on the infected machine.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon file creation logging (Event ID 11) to detect the creation of \u003ccode\u003eRdrCEF.exe\u003c/code\u003e in the specified Adobe Acrobat Reader directories to enable the rule \u0026ldquo;Deprecated - Adobe Hijack Persistence\u0026rdquo; (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Adobe RdrCEF.exe File Creation\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the provided Sigma rule, focusing on identifying the origin and purpose of the created \u003ccode\u003eRdrCEF.exe\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual process execution originating from the \u003ccode\u003eRdrCEF.exe\u003c/code\u003e file location.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-adobe-hijack-persistence/","summary":"Attackers can maintain persistence by replacing the legitimate RdrCEF.exe executable with a malicious one, which is executed every time Adobe Acrobat Reader is launched.","title":"Adobe RdrCEF.exe Hijack for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-adobe-hijack-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed — Acrobat Reader DC","version":"https://jsonfeed.org/version/1.1"}