Adobe Acrobat and Reader Heap-Based Buffer Overflow (CVE-2009-3459)

let suspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe", "explorer.exe"]);
let adobeProcs = dynamic(["AcroRd32.exe", "Acrobat.exe", "AcroBroker.exe"]);
union
(
  DeviceProcessEvents
  | where InitiatingProcessFileName has_any (adobeProcs)
  | where FileName has_any (suspiciousChildren)
  | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath
  | extend DetectionReason = "Adobe Reader/Acrobat spawned suspicious child process"
),
(
  DeviceNetworkEvents
  | where InitiatingProcessFileName has_any (adobeProcs)
  | where RemotePort in (80, 443, 445, 4444, 8080, 8443)
  | where RemoteIPType != "Private"
  | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl
  | extend DetectionReason = "Adobe Reader/Acrobat initiated outbound network connection"
),
(
  DeviceFileEvents
  | where InitiatingProcessFileName has_any (adobeProcs)
  | where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".bat" or FileName endswith ".ps1"
  | where FolderPath has_any ("\\Temp\\", "\\AppData\\", "\\Public\\", "\\Downloads\\")
  | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, FileName, FolderPath
  | extend DetectionReason = "Adobe Reader/Acrobat dropped executable to writable path"
)
| summarize count() by TimeGenerated, DeviceName, AccountName, DetectionReason
| sort by TimeGenerated desc

index=* sourcetype IN ("WinEventLog:Security", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "crowdstrike:events:sensor")
| eval parent_proc=coalesce(ParentImage, parent_process_name, ParentProcessName)
| eval child_proc=coalesce(Image, process_name, NewProcessName)
| where match(parent_proc, "(?i)(AcroRd32\.exe|Acrobat\.exe|AcroBroker\.exe)")
| eval suspicious_child=if(match(child_proc, "(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)"), 1, 0)
| eval network_event=if(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=3, 1, 0)
| eval file_drop=if(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=11 AND match(TargetFilename, "(?i)\.(exe|dll|bat|ps1|vbs)$") AND match(TargetFilename, "(?i)(temp|appdata|public|downloads)"), 1, 0)
| where suspicious_child=1 OR network_event=1 OR file_drop=1
| eval detection_reason=case(suspicious_child=1, "Adobe Reader spawned suspicious child", file_drop=1, "Adobe Reader dropped executable", network_event=1, "Adobe Reader made network connection", true(), "Unknown")
| table _time, host, user, parent_proc, child_proc, CommandLine, detection_reason
| sort -_time

sequence by host.name with maxspan=2m
  [process where process.name : ("AcroRd32.exe", "Acrobat.exe", "AcroBroker.exe") and event.type == "start"]
  [any where
    (
      (event.category == "process" and process.parent.name : ("AcroRd32.exe", "Acrobat.exe", "AcroBroker.exe") and
       process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"))
      or
      (event.category == "network" and process.name : ("AcroRd32.exe", "Acrobat.exe") and
       not destination.ip : ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"))
      or
      (event.category == "file" and process.name : ("AcroRd32.exe", "Acrobat.exe") and
       file.extension : ("exe", "dll", "bat", "ps1", "vbs") and
       file.path : ("*\\Temp\\*", "*\\AppData\\*", "*\\Public\\*"))
    )
  ]

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  "sourceip" AS host_ip,
  "username" AS user,
  "ParentProcessPath" AS parent_process,
  "ProcessPath" AS child_process,
  "CommandLine" AS command_line,
  CASE
    WHEN "ProcessPath" ILIKE '%cmd.exe%' OR "ProcessPath" ILIKE '%powershell.exe%' THEN 'Suspicious child process spawned'
    WHEN "EventID" = '3' THEN 'Outbound network connection'
    WHEN "EventID" = '11' THEN 'Executable file dropped'
    ELSE 'Generic Adobe Reader anomaly'
  END AS detection_reason
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    "ParentProcessPath" ILIKE '%AcroRd32.exe%' OR
    "ParentProcessPath" ILIKE '%Acrobat.exe%' OR
    "ParentProcessPath" ILIKE '%AcroBroker.exe%'
  )
  AND (
    ("ProcessPath" ILIKE '%cmd.exe%' OR "ProcessPath" ILIKE '%powershell.exe%' OR
     "ProcessPath" ILIKE '%wscript.exe%' OR "ProcessPath" ILIKE '%mshta.exe%' OR
     "ProcessPath" ILIKE '%rundll32.exe%')
    OR ("EventID" = '3' AND NOT ("destinationip" ILIKE '10.%' OR "destinationip" ILIKE '192.168.%' OR "destinationip" ILIKE '172.%'))
    OR ("EventID" = '11' AND ("TargetFilename" ILIKE '%.exe' OR "TargetFilename" ILIKE '%.dll' OR "TargetFilename" ILIKE '%.ps1'))
  )
LAST 24 HOURS
ORDER BY event_time DESC

_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| json field=_raw "EventID", "Image", "ParentImage", "CommandLine", "TargetFilename", "DestinationIp", "User" as event_id, image, parent_image, cmd_line, target_file, dest_ip, user nodrop
| where parent_image matches /(?i)(AcroRd32\.exe|Acrobat\.exe|AcroBroker\.exe)/
| eval suspicious_child = if(image matches /(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)/, 1, 0)
| eval network_anomaly = if(event_id = "3" and !(dest_ip matches /^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.|127\.)/ ), 1, 0)
| eval file_drop = if(event_id = "11" and (target_file matches /(?i)\.(exe|dll|bat|ps1|vbs)$/) and (target_file matches /(?i)(temp|appdata|public|downloads)/), 1, 0)
| where suspicious_child = 1 or network_anomaly = 1 or file_drop = 1
| eval detection_type = if(suspicious_child=1, "Shell Child", if(network_anomaly=1, "External Network", "Executable Drop"))
| count by _sourceHost, user, parent_image, image, detection_type
| sort by _count desc

rule cve_2009_3459_adobe_reader_heap_overflow {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2009-3459 Adobe Acrobat/Reader heap overflow exploitation via child process spawning or executable drop"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2009-3459"
    mitre_attack = "T1203"

  events:
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.process.file.full_path = /(?i)(AcroRd32\.exe|Acrobat\.exe|AcroBroker\.exe)/
    $e1.target.process.file.full_path = /(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)/
    $host = $e1.principal.hostname

  condition:
    $e1
}

#event_simpleName=ProcessRollup2
| ParentBaseFileName IN ["AcroRd32.exe", "Acrobat.exe", "AcroBroker.exe"]
| ImageFileName IN ["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"]
| eval DetectionReason="Adobe Reader spawned shell or LOLBin"
| table _time, ComputerName, UserName, ParentBaseFileName, ImageFileName, CommandLine, DetectionReason
| sort by _time desc

// Alternate: network-based detection
// #event_simpleName=NetworkConnectIP4
// | ImageFileName IN ["AcroRd32.exe", "Acrobat.exe"]
// | RemotePort IN [80, 443, 4444, 8080, 8443]
// | NOT cidrMatch(RemoteIP, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
// | table _time, ComputerName, UserName, ImageFileName, RemoteIP, RemotePort