{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/adobe/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Adobe Acrobat Update Task","Sure Click","Secure Access Client","CtxsDPS.exe","Openvpn-gui.exe","Veeam Endpoint Backup","Cisco Secure Client","Concentr.exe","Receiver","AnalyticsSrv.exe","Redirector.exe","Download Navigator","Jabra Direct","Vmware Workstation","Eset Security","iTunes","Keepassxc.exe","Globalprotect","Pdf24.exe","Vmware Tools","Teams"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe","HP","Intel","Acronis","Java","Citrix","OpenVPN","Veeam","Cisco","Epson","Jabra","VMware","ESET","iTunes","KeePassXC","Palo Alto Networks","PDF24"],"content_html":"\u003cp\u003eThe Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. 
This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages msiexec.exe to create a new scheduled task using the \u003ccode\u003eschtasks.exe\u003c/code\u003e command, setting it to execute a malicious script or binary.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses msiexec.exe in conjunction with \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify registry keys under \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e or \u003ccode\u003eHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e, adding a pointer to their malicious executable.\u003c/li\u003e\n\u003cli\u003eThe created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the adversary to maintain persistent access to the compromised system. 
This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for msiexec.exe spawning \u003ccode\u003eschtasks.exe\u003c/code\u003e or \u003ccode\u003ereg.exe\u003c/code\u003e to create scheduled tasks or modify registry run keys (reference: rules in this brief).\u003c/li\u003e\n\u003cli\u003eImplement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eReview and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == \u0026ldquo;file\u0026rdquo; and file.path \u0026hellip; and event.category == \u0026ldquo;registry\u0026rdquo; and registry.path \u0026hellip; in the rule query).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-09-05T14:17:05Z","date_published":"2024-09-05T14:17:05Z","id":"/briefs/2024-09-msiexec-persistence/","summary":"Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.","title":"Persistence via Windows Installer 
(Msiexec)","url":"https://feed.craftedsignal.io/briefs/2024-09-msiexec-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["EdgeWebView","Acrobat DC","AMP","Symantec Endpoint Protection","Malwarebytes Anti-Exploit"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","Adobe","Symantec","Malwarebytes"],"content_html":"\u003cp\u003eThis detection identifies suspicious process access events on Windows systems where a process attempts to access another process\u0026rsquo;s memory via direct system calls, bypassing standard Windows API calls. Endpoint security solutions often hook userland Windows APIs to detect malicious code execution. Attackers can evade these hooks by directly invoking syscalls, which are lower-level instructions that interact directly with the operating system kernel. The rule specifically looks for process access events (Sysmon Event ID 10) where the call trace does not originate from known Windows system DLLs like ntdll.dll, indicating a potential attempt to bypass security measures. The rule excludes certain legitimate applications, such as Malwarebytes Anti-Exploit, Cisco AMP, Microsoft EdgeWebView, and Adobe Acrobat DC, to reduce false positives. 
This technique is often employed by advanced malware and red teams to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious process is executed on the system, either through user interaction or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe process attempts to gain access to another process\u0026rsquo;s memory space (Target Process).\u003c/li\u003e\n\u003cli\u003eInstead of using standard Windows API calls, the malicious process directly invokes system calls (syscalls) to access the target process\u0026rsquo;s memory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCallTrace\u003c/code\u003e in the Sysmon event does not originate from expected system DLLs like \u003ccode\u003entdll.dll\u003c/code\u003e, \u003ccode\u003esysfer.dll\u003c/code\u003e, \u003ccode\u003ewow64cpu.dll\u003c/code\u003e, \u003ccode\u003ewow64win.dll\u003c/code\u003e, or \u003ccode\u003ewin32u.dll\u003c/code\u003e, indicating a direct syscall.\u003c/li\u003e\n\u003cli\u003eThe process might attempt to read sensitive information such as credentials, inject malicious code, or manipulate the target process\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eThe malicious process performs actions within the context of the target process, such as executing injected code or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised process to achieve their objectives, such as data exfiltration, lateral movement, or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker cleans up any traces of their activity and attempts to maintain persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of sensitive data, the injection of malicious code into legitimate processes, and the complete takeover of the affected system. 
This can result in data breaches, financial loss, and reputational damage. The impact is especially significant if the target process holds sensitive credentials, browser secrets, or has security-product context.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process access logging (Event ID 10) with call tracing and ingest the logs into your SIEM to activate the rules above (\u003ca href=\"https://ela.st/sysmon-event-10-setup\"\u003ehttps://ela.st/sysmon-event-10-setup\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them for your environment to detect direct syscall process access.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the \u003ccode\u003eSourceImage\u003c/code\u003e, \u003ccode\u003eTargetImage\u003c/code\u003e, \u003ccode\u003eGrantedAccess\u003c/code\u003e, and \u003ccode\u003eCallTrace\u003c/code\u003e fields in the Sysmon event to determine the legitimacy of the process access attempt.\u003c/li\u003e\n\u003cli\u003ePrioritize investigation of alerts where the target process is \u003ccode\u003elsass.exe\u003c/code\u003e or other security-sensitive processes.\u003c/li\u003e\n\u003cli\u003eImplement robust endpoint detection and response (EDR) solutions to detect and prevent malicious activity on endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious process creation events originating from the flagged processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-direct-syscall-process-access/","summary":"Detects suspicious process access events where the call trace does not originate from known Windows system DLLs, indicating potential defense evasion by bypassing hooked APIs via direct syscalls.","title":"Suspicious Process Access via Direct System 
Call","url":"https://feed.craftedsignal.io/briefs/2024-01-direct-syscall-process-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Edge","Cisco Spark","Admin By Request","Cloud Signature Update Agent","Vantage","Adobe Reader and Acrobat Manager"],"_cs_severities":["low"],"_cs_tags":["persistence","registry","runkey"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","FastTrack Software","Exclaimer Ltd","Lenovo","Adobe"],"content_html":"\u003cp\u003eAttackers often modify registry run keys to achieve persistence on a system. By adding entries to these keys, they ensure that a malicious program executes automatically whenever a user logs in. This technique allows the attacker to maintain access to the compromised system even after reboots or other interruptions. The programs added to these run keys execute under the context of the user account, inheriting its permissions. This activity is often difficult to distinguish from legitimate software installations or updates, requiring careful analysis to identify malicious intent. 
Elastic has observed this activity and created a detection rule to identify this behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies registry run key locations for persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies a registry run key (e.g., \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e) using tools such as \u003ccode\u003ereg.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a malicious executable path to the registry key.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or a user logs in.\u003c/li\u003e\n\u003cli\u003eThe malicious executable is launched automatically as part of the logon process.\u003c/li\u003e\n\u003cli\u003eThe malicious executable establishes a connection to a command-and-control server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to compromised systems, enabling them to perform unauthorized activities such as data theft, lateral movement, and deployment of ransomware. While each instance may not cause immediate critical damage, the cumulative effect of multiple persistent infections across an environment can lead to significant data breaches and operational disruption. 
The Elastic rule attempts to minimize false positives with built-in filters for common legitimate applications and processes like \u003ccode\u003ectfmon.exe\u003c/code\u003e, but tuning is required.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect suspicious modifications to registry run keys and tune it to filter out legitimate application updates.\u003c/li\u003e\n\u003cli\u003eEnable registry event logging to capture modifications made to the registry, ensuring that the Sigma rule can function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, examining the parent process of the process modifying the registry for suspicious activity.\u003c/li\u003e\n\u003cli\u003eBlock known malicious executables and domains identified during triage to prevent further infection.\u003c/li\u003e\n\u003cli\u003eUse endpoint detection and response (EDR) solutions like Elastic Defend to gain enhanced visibility into endpoint activity and detect malicious behavior associated with persistence mechanisms.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-run-key-registry-modification/","summary":"Attackers modify registry run keys or startup keys to achieve persistence by referencing a program that executes when a user logs in or the system boots.","title":"Startup or Run Key Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-run-key-registry-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Background Intelligent Transfer Service (BITS)","Adobe Reader","Docker Desktop"],"_cs_severities":["low"],"_cs_tags":["bits","ingress-transfer","command-and-control","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe","Docker"],"content_html":"\u003cp\u003eThe Windows 
Background Intelligent Transfer Service (BITS) is a legitimate Windows service that allows for prioritized, asynchronous, and throttled transfer of files between a client and a server. Adversaries abuse BITS to download malicious payloads while evading typical security protections, as file transfers occur in the context of the \u003ccode\u003esvchost.exe\u003c/code\u003e process. This activity can obscure the origin of the download and bypass application whitelisting rules. This detection focuses on identifying file rename events where \u003ccode\u003esvchost.exe\u003c/code\u003e renames temporary BITS files (BIT*.tmp) to executable or archive file types, indicating a potential malicious download via BITS. This technique is commonly employed to deliver malware, exfiltrate data, or download additional tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a script or command-line interface (e.g., PowerShell) to create a BITS job.\u003c/li\u003e\n\u003cli\u003eThe BITS job is configured to download a malicious executable or archive from a remote server using the \u003ccode\u003ebitsadmin.exe\u003c/code\u003e utility.\u003c/li\u003e\n\u003cli\u003eBITS downloads the file to a temporary location on the system with a \u003ccode\u003eBIT*.tmp\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esvchost.exe\u003c/code\u003e process renames the temporary file to its final name and extension (e.g., .exe, .zip).\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded file, initiating further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence through registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe malware communicates with a command and control (C2) server to receive instructions 
and exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation enables attackers to download and execute arbitrary code on compromised systems. The use of BITS can bypass traditional security measures, leading to malware infections, data theft, and potentially full system compromise. This technique can be used in conjunction with other attack vectors to establish a persistent foothold within the network. While the rule itself triggers at low severity, the identified activity can be an early warning of more severe attack stages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Ingress Transfer via Windows BITS\u0026rdquo; Sigma rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation and process creation logging to enhance visibility into BITS-related activities.\u003c/li\u003e\n\u003cli\u003eMonitor network connections initiated by \u003ccode\u003esvchost.exe\u003c/code\u003e to identify potentially malicious downloads.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003ebitsadmin.exe\u003c/code\u003e being executed, especially with command-line arguments indicative of suspicious downloads.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eMicrosoft-Windows-Bits-Client/Operational\u003c/code\u003e Windows logs (event ID 59) for unusual BITS events.\u003c/li\u003e\n\u003cli\u003eBlock known malicious domains or IP addresses associated with BITS-related attacks at the firewall or DNS resolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-bits-ingress-transfer/","summary":"Adversaries may leverage Windows Background Intelligent Transfer Service (BITS) to download executable and archive files to evade defenses and establish command and 
control.","title":"Ingress Transfer via Windows BITS","url":"https://feed.craftedsignal.io/briefs/2024-01-bits-ingress-transfer/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Office","EdgeWebView","Acrobat DC"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","process-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe"],"content_html":"\u003cp\u003eThis detection identifies potential process injection attempts, specifically process hollowing, by monitoring process creation events followed by memory access from unknown regions. The rule focuses on processes spawned by Microsoft Office applications (winword.exe, excel.exe, outlook.exe, powerpnt.exe), scripting engines (cscript.exe, wscript.exe, mshta.exe), and command-line tools (cmd.exe, powershell.exe, rundll32.exe, regsvr32.exe, wmic.exe, cmstp.exe, msxsl.exe). The logic looks for a spawned process by one of these applications/tools, followed by a process access event for an unknown memory region by the parent process, indicating a potential code injection attempt. Attackers use process injection to hide malicious activity within legitimate processes, evading detection and hindering forensic analysis. 
This technique is a common tactic used to establish persistence, escalate privileges, or execute malicious payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user opens a malicious document or executes a script.\u003c/li\u003e\n\u003cli\u003eThe Microsoft Office application (e.g., winword.exe) or scripting engine (e.g., wscript.exe) starts as a parent process.\u003c/li\u003e\n\u003cli\u003eThe parent process creates a new child process (e.g., a legitimate system executable).\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the newly created child process\u0026rsquo;s memory, often overwriting legitimate code sections.\u003c/li\u003e\n\u003cli\u003eThe parent process accesses the child process\u0026rsquo;s memory from an unknown code region, indicating the injected code. Sysmon event ID 10 captures this access.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the child process, performing malicious actions.\u003c/li\u003e\n\u003cli\u003eThese actions can include establishing persistence, downloading additional malware, or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to mask their malicious activities within legitimate processes, making detection and attribution significantly harder. This can lead to prolonged infections, data breaches, and system compromise. The impact can range from individual workstation compromise to widespread organizational damage, depending on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role. 
The rule mitigates risks associated with advanced persistent threats (APTs) and commodity malware using process injection for defense evasion.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 10 (Process Access) to collect the necessary telemetry for this detection (\u003ca href=\"https://ela.st/sysmon-event-1-setup\"\u003eSysmon Event ID 1 - Process Creation\u003c/a\u003e, \u003ca href=\"https://ela.st/sysmon-event-10-setup\"\u003eSysmon Event ID 10 - Process Access\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Process Creation CallTrace\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process execution chain and potential malicious activities performed by the injected code.\u003c/li\u003e\n\u003cli\u003eConsider dumping the child process\u0026rsquo;s memory for further analysis to determine whether it contains malicious code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-suspicious-process-calltrace/","summary":"The rule identifies suspicious process creation where a process is created and immediately accessed from an unknown memory code region by the same parent process, indicating a potential code injection attempt, specifically process hollowing, commonly targeting processes spawned by Microsoft Office applications, scripting engines, and command-line tools for defense evasion.","title":"Suspicious Process Creation Followed by Memory Access from Unknown Region","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-process-calltrace/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Acrobat Reader 
DC"],"_cs_severities":["medium"],"_cs_tags":["persistence","adobe","file_creation","hijack_execution_flow"],"_cs_type":"advisory","_cs_vendors":["Adobe"],"content_html":"\u003cp\u003eThis detection identifies a persistence technique where attackers replace Adobe Acrobat Reader\u0026rsquo;s \u003ccode\u003eRdrCEF.exe\u003c/code\u003e with a malicious executable. This allows the attacker to gain persistence, as their malicious file will be executed every time the user launches Adobe Acrobat Reader DC. The rule focuses on detecting the file creation event of a file named \u003ccode\u003eRdrCEF.exe\u003c/code\u003e in the Adobe Acrobat Reader directory. The targeted versions are those using the \u003ccode\u003eRdrCEF.exe\u003c/code\u003e file located within the \u003ccode\u003eAcroCEF\u003c/code\u003e subdirectory. The purpose of this technique is to maintain unauthorized access to a compromised system. This technique was publicly discussed on Twitter as early as 2018.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an existing compromise or vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker locates the \u003ccode\u003eRdrCEF.exe\u003c/code\u003e file within the Adobe Acrobat Reader installation directory (e.g., \u003ccode\u003eC:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe legitimate \u003ccode\u003eRdrCEF.exe\u003c/code\u003e file is either deleted or renamed.\u003c/li\u003e\n\u003cli\u003eA malicious executable is created or copied and renamed to \u003ccode\u003eRdrCEF.exe\u003c/code\u003e in the same directory.\u003c/li\u003e\n\u003cli\u003eThe system is used as normal, and whenever Adobe Acrobat Reader DC is launched, the malicious \u003ccode\u003eRdrCEF.exe\u003c/code\u003e is executed.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs its intended actions, such as establishing 
a reverse shell, injecting code into other processes, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack allows the attacker to maintain persistent access to the compromised system. The attacker can then perform various malicious activities, such as stealing sensitive data, installing additional malware, or using the system as a foothold for lateral movement within the network. The compromise affects any user who launches Adobe Acrobat Reader on the infected machine.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon file creation logging (Event ID 11) to detect the creation of \u003ccode\u003eRdrCEF.exe\u003c/code\u003e in the specified Adobe Acrobat Reader directories to enable the rule \u0026ldquo;Deprecated - Adobe Hijack Persistence\u0026rdquo; (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Adobe RdrCEF.exe File Creation\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the provided Sigma rule, focusing on identifying the origin and purpose of the created \u003ccode\u003eRdrCEF.exe\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual process execution originating from the \u003ccode\u003eRdrCEF.exe\u003c/code\u003e file location.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-adobe-hijack-persistence/","summary":"Attackers can maintain persistence by replacing the legitimate RdrCEF.exe executable with a malicious one, which is executed every time Adobe Acrobat Reader is launched.","title":"Adobe RdrCEF.exe Hijack for 
Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-adobe-hijack-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed — Adobe","version":"https://jsonfeed.org/version/1.1"}