The AcroRd-Exploits rule detects potential exploitation of Adobe Reader vulnerabilities through suspicious process creation and registry modifications indicative of malicious activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat (APT) campaigns leveraging known zero-day exploits.
KQL Query
```kusto
// Search for persistence in the Startup folder created by Adobe Acrobat Reader.
// Normally, this behavior is not expected.
DeviceFileEvents
| where
    InitiatingProcessFileName =~ "acrord32.exe"
    and FolderPath contains "\\Start Menu\\Programs\\Startup"
| project FolderPath, DeviceName, Timestamp, FileName, InitiatingProcessCommandLine, SHA1
```
```yaml
id: c87df1a7-fa54-4730-bc90-cbc1f8ac01aa
name: AcroRd-Exploits
description: |
  The following query looks for suspicious behaviors observed in the samples analyzed in the report.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
query: |2-
  // Search for persistence in the Startup folder created by Adobe Acrobat Reader.
  // Normally, this behavior is not expected.
  DeviceFileEvents
  | where
      InitiatingProcessFileName =~ "acrord32.exe"
      and FolderPath contains "\\Start Menu\\Programs\\Startup"
  | project FolderPath, DeviceName, Timestamp, FileName, InitiatingProcessCommandLine, SHA1
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
- Scenario: A legitimate scheduled job runs a script that uses AcroRd32.exe to generate PDF reports from data in a SQL database.
  Filter/Exclusion: Exclude processes where the parent process is sqlservr.exe and the command line includes generate_pdf_report.bat.
- Scenario: An administrator uses Adobe Acrobat Reader to open a PDF file that contains embedded JavaScript for form validation.
  Filter/Exclusion: Exclude processes where the parent process is explorer.exe and the file path ends with .pdf with a known internal file signature.
- Scenario: A system update task uses a tool like PowerShell to run a script that temporarily invokes AcroRd32.exe to extract embedded fonts from a PDF for compatibility checks.
  Filter/Exclusion: Exclude processes where the parent process is schtasks.exe and the command line includes extract_fonts.ps1.
- Scenario: A developer uses Adobe Acrobat Reader to debug a PDF form that includes a custom action using JavaScript.
  Filter/Exclusion: Exclude processes where the parent process is devenv.exe and the file path contains debug_form.pdf.
- Scenario: A backup job uses a tool like RoboCopy to copy PDF files from a shared folder, which temporarily invokes AcroRd32.exe as part of a legacy file conversion utility.
  Filter/Exclusion: Exclude processes where the parent process is robocopy.exe and the file path contains backup_pdf_files.bat.
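To check how the query's where-clause and the tuning exclusions above behave together before committing them to the rule, here is an added Python example (not part of the rule or the report) that replays the same logic over a handful of constructed DeviceFileEvents rows. It assumes the rows carry `InitiatingProcessParentFileName`, a column the KQL above does not project, and it leaves out the explorer.exe exclusion because the "known internal file signature" it depends on is not defined on this page.

```python
# Added example: mirrors the AcroRd-Exploits where-clause plus the concrete
# parent-process exclusions from the false-positive scenarios. Not the rule's code.
from typing import Iterable

STARTUP_FRAGMENT = r"\Start Menu\Programs\Startup"
PROJECTED = ("FolderPath", "DeviceName", "Timestamp", "FileName",
             "InitiatingProcessCommandLine", "SHA1")

# (parent process name, marker that must appear in the command line or path)
EXCLUSIONS = (
    ("sqlservr.exe", "generate_pdf_report.bat"),
    ("schtasks.exe", "extract_fonts.ps1"),
    ("devenv.exe", "debug_form.pdf"),
    ("robocopy.exe", "backup_pdf_files.bat"),
)

def matches_query(row: dict) -> bool:
    """KQL '=~' and 'contains' are case-insensitive, so compare lowercased."""
    return (row.get("InitiatingProcessFileName", "").lower() == "acrord32.exe"
            and STARTUP_FRAGMENT.lower() in row.get("FolderPath", "").lower())

def is_excluded(row: dict) -> bool:
    """Apply the page's tuning: parent process AND marker must both match."""
    parent = row.get("InitiatingProcessParentFileName", "").lower()
    haystack = (row.get("InitiatingProcessCommandLine", "") + " "
                + row.get("FolderPath", "")).lower()
    return any(parent == p and marker in haystack for p, marker in EXCLUSIONS)

def hunt(rows: Iterable[dict]) -> list:
    """Rows that match the query and survive the exclusions, projected like the KQL."""
    return [{k: r.get(k) for k in PROJECTED}
            for r in rows if matches_query(r) and not is_excluded(r)]

STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [  # constructed rows, SHA1 values are placeholders
    {"DeviceName": "ws01", "Timestamp": "2024-01-01T09:00:00Z", "FileName": "update.exe",
     "FolderPath": STARTUP + r"\update.exe", "SHA1": "PLACEHOLDER1",
     "InitiatingProcessFileName": "AcroRd32.exe", "InitiatingProcessParentFileName": "explorer.exe",
     "InitiatingProcessCommandLine": '"AcroRd32.exe" invoice.pdf'},
    {"DeviceName": "srv01", "Timestamp": "2024-01-01T09:05:00Z", "FileName": "report.pdf",
     "FolderPath": STARTUP + r"\report.pdf", "SHA1": "PLACEHOLDER2",
     "InitiatingProcessFileName": "acrord32.exe", "InitiatingProcessParentFileName": "sqlservr.exe",
     "InitiatingProcessCommandLine": "cmd /c generate_pdf_report.bat"},
    {"DeviceName": "ws02", "Timestamp": "2024-01-01T09:10:00Z", "FileName": "notes.pdf",
     "FolderPath": r"C:\Users\bob\Documents\notes.pdf", "SHA1": "PLACEHOLDER3",
     "InitiatingProcessFileName": "AcroRd32.EXE", "InitiatingProcessParentFileName": "explorer.exe",
     "InitiatingProcessCommandLine": '"AcroRd32.exe" notes.pdf'},
]
```

Running `hunt(SAMPLE_EVENTS)` returns only the first row: the second is suppressed by the sqlservr.exe exclusion and the third never touches the Startup folder.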