The SIEM app is now a part of the Elastic Security solution. Click here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.

« Adding Hidden File Attribute via Attrib Adversary Behavior - Detected - Elastic Endpoint »

› › ›

Adobe Hijack Persistence

edit

Adobe Hijack Persistence

edit

Detects the creation of an executable file or files that will be automatically run by Acrobat Reader when it starts.

Rule type: query

Rule indices:

winlogbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

Tags:

Elastic
Windows

Version: 2 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.6.2

Rule query

edit

file.path:("C:\Program Files (x86)\Adobe\Acrobat Reader
DC\Reader\AcroCEF\RdrCEF.exe" or "C:\Program Files\Adobe\Acrobat
Reader DC\Reader\AcroCEF\RdrCEF.exe") and event.action:"File created
(rule: FileCreate)" and not process.name:msiexec.exe

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: File System Permissions Weakness
- ID: T1044
- Reference URL: https://attack.mitre.org/techniques/T1044/

Rule version history

edit

Version 2 (7.6.2 release)

Updated query, changed from:

file.path:("C:\Program Files (x86)\Adobe\Acrobat Reader
DC\Reader\AcroCEF\RdrCEF.exe" or "C:\Program Files\Adobe\Acrobat
Reader DC\Reader\AcroCEF\RdrCEF.exe") and event.action:"File created
(rule: FileCreate)" and not process.name:msiexeec.exe

« Adding Hidden File Attribute via Attrib Adversary Behavior - Detected - Elastic Endpoint »