Detect Adobe Acrobat and Reader Heap-Based Buffer Overflow (CVE-2009-3459) in IBM QRadar
Detects exploitation of a heap-based buffer overflow vulnerability in Adobe Acrobat and Reader (CVE-2009-3459). This CISA KEV vulnerability allows attackers to execute arbitrary code via a crafted PDF file. Exploitation typically results in AcroRd32.exe or Acrobat.exe spawning unexpected child processes, making unusual network connections, or writing executable payloads to disk.
MITRE ATT&CK
QRadar Detection Query
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip AS host_ip,
  username AS user,
  "ParentProcessPath" AS parent_process,
  "ProcessPath" AS child_process,
  "CommandLine" AS command_line,
  CASE
    WHEN "ProcessPath" ILIKE '%cmd.exe%' OR "ProcessPath" ILIKE '%powershell.exe%' OR
         "ProcessPath" ILIKE '%wscript.exe%' OR "ProcessPath" ILIKE '%mshta.exe%' OR
         "ProcessPath" ILIKE '%rundll32.exe%' THEN 'Suspicious child process spawned'
    WHEN "EventID" = '3' THEN 'Outbound network connection'
    WHEN "EventID" = '11' THEN 'Executable file dropped'
    ELSE 'Generic Adobe Reader anomaly'
  END AS detection_reason
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (
      ("ParentProcessPath" ILIKE '%AcroRd32.exe%' OR
       "ParentProcessPath" ILIKE '%Acrobat.exe%' OR
       "ParentProcessPath" ILIKE '%AcroBroker.exe%')
      AND ("ProcessPath" ILIKE '%cmd.exe%' OR "ProcessPath" ILIKE '%powershell.exe%' OR
           "ProcessPath" ILIKE '%wscript.exe%' OR "ProcessPath" ILIKE '%mshta.exe%' OR
           "ProcessPath" ILIKE '%rundll32.exe%')
    )
    OR (
      ("ProcessPath" ILIKE '%AcroRd32.exe%' OR
       "ProcessPath" ILIKE '%Acrobat.exe%' OR
       "ProcessPath" ILIKE '%AcroBroker.exe%')
      AND (
        ("EventID" = '3' AND NOT (INCIDR('10.0.0.0/8', destinationip) OR
                                  INCIDR('172.16.0.0/12', destinationip) OR
                                  INCIDR('192.168.0.0/16', destinationip)))
        OR ("EventID" = '11' AND ("TargetFilename" ILIKE '%.exe' OR
                                  "TargetFilename" ILIKE '%.dll' OR
                                  "TargetFilename" ILIKE '%.ps1'))
      )
    )
  )
ORDER BY event_time DESC
LAST 24 HOURS

QRadar AQL query correlating Windows Security and Sysmon logs to identify Adobe Reader or Acrobat spawning shells, making external connections, or dropping binaries — key exploitation indicators for CVE-2009-3459. The shell-spawn branch matches the Adobe binary as the parent of the new process, while the network (Event ID 3) and file-write (Event ID 11) branches match it as the process itself, which is how Sysmon records those events. Internal destinations are excluded with INCIDR over the three RFC 1918 blocks rather than a string prefix, so public 172.32.0.0 to 172.255.255.255 space is not silently suppressed. In AQL the time clause (LAST 24 HOURS) comes after ORDER BY.
Data Sources
Required Tables
False Positives & Tuning
- Adobe Acrobat Pro automation scripts invoked by business users
- PDF-to-image or PDF-to-Word converters using Adobe Reader as a subprocess
- Security scanners that open PDFs to extract metadata
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Adobe Reader Spawning cmd.exe
  Expected signal: Sysmon Event ID 1: process creation with ParentImage matching AcroRd32.exe and Image matching cmd.exe; DeviceProcessEvents in Defender with InitiatingProcessFileName=AcroRd32.exe and FileName=cmd.exe.
- Test 2: Simulate Adobe Reader Writing Executable to Temp
  Expected signal: Sysmon Event ID 11: TargetFilename=C:\Temp\payload.exe, Image matching AcroRd32.exe; DeviceFileEvents in Defender with InitiatingProcessFileName=AcroRd32.exe and FileName=payload.exe.
- Test 3: Simulate Adobe Reader Making Outbound Network Connection
  Expected signal: Sysmon Event ID 3: Image matching AcroRd32.exe, DestinationIp=93.184.216.34, DestinationPort=80; DeviceNetworkEvents in Defender with InitiatingProcessFileName=AcroRd32.exe and non-RFC 1918 RemoteIP.
- Test 4: Open Malicious PDF in Sandboxed Adobe Reader (Lab Only)
  Expected signal: Heap spray artifacts in AcroRd32.exe memory; child process creation events; potential shellcode execution visible in memory forensics; network connection attempt if payload is weaponized.
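The following is an added example, not code from the original page or from the QRadar query's author: it re-expresses the detection logic above in SQLite so the three branches (shell child, external connection, executable drop) can be exercised offline against constructed Sysmon-style events shaped like Tests 1 to 3, and it shows the allowlist tuning the False Positives section calls for. Column names mirror the custom properties the AQL query assumes; the sample rows, the `svc-pdfconvert` service account and the converter allowlist are constructed for illustration. Image names are matched on the exact basename, which is stricter than the `%name%` pattern in AQL.

```python
import ipaddress
import sqlite3

# Process image names the detection matches on (lower-case basenames).
ADOBE_IMAGES = {"acrord32.exe", "acrobat.exe", "acrobroker.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
DROPPED_EXTS = (".exe", ".dll", ".ps1")
# RFC 1918 ranges checked as CIDR blocks, not string prefixes, so a bare
# '172.%' style test does not silently suppress public 172.32-172.255 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Tuning knob (assumed): service accounts that drive Reader as a subprocess of a
# sanctioned PDF converter and are expected to trigger the shell-spawn branch.
SERVICE_ACCOUNT_ALLOWLIST = ("svc-pdfconvert",)

# Constructed Sysmon-style events (not real telemetry), one tuple per row:
# (devicetime, sourceip, username, event_id, parent_process_path,
#  process_path, command_line, destinationip, target_filename)
READER = r"C:\Program Files\Adobe\Reader\AcroRd32.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    # Test 1 shape: Reader spawns cmd.exe
    ("2024-01-01 10:00:00", "10.0.0.5", "alice", "1", READER, CMD, "cmd.exe /c whoami", None, None),
    # Test 2 shape: Reader itself (Image) writes an executable to Temp
    ("2024-01-01 10:00:05", "10.0.0.5", "alice", "11", EXPLORER, READER, None, None, r"C:\Temp\payload.exe"),
    # Test 3 shape: Reader connects to a non-RFC 1918 address
    ("2024-01-01 10:00:10", "10.0.0.5", "alice", "3", EXPLORER, READER, None, "93.184.216.34", None),
    # Internal 172.16/12 destination: should be suppressed
    ("2024-01-01 10:00:15", "10.0.0.5", "alice", "3", EXPLORER, READER, None, "172.20.1.9", None),
    # Public address inside 172.0.0.0/8 but outside 172.16/12: must still alert
    ("2024-01-01 10:00:20", "10.0.0.5", "alice", "3", EXPLORER, READER, None, "172.64.1.1", None),
    # Sanctioned converter service account: tuned out by the allowlist
    ("2024-01-01 10:00:25", "10.0.0.7", "svc-pdfconvert", "1", READER, CMD, "cmd.exe /c convert.bat", None, None),
    # Not Adobe-related: explorer.exe spawning cmd.exe
    ("2024-01-01 10:00:30", "10.0.0.5", "alice", "1", EXPLORER, CMD, "cmd.exe", None, None),
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower() if path else ""


def is_adobe(path):
    return _basename(path) in ADOBE_IMAGES


def is_shell(path):
    return _basename(path) in SHELL_IMAGES


def has_exec_ext(filename):
    return bool(filename) and filename.lower().endswith(DROPPED_EXTS)


def is_rfc1918(ip):
    try:
        addr = ipaddress.ip_address(ip or "")
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


# Same three branches as the AQL query; the helpers above stand in for the
# ILIKE patterns and INCIDR calls.
DETECTION_SQL = """
SELECT devicetime, sourceip, username, parent_process_path, process_path,
  CASE
    WHEN is_shell(process_path) THEN 'Suspicious child process spawned'
    WHEN event_id = '3'  THEN 'Outbound network connection'
    WHEN event_id = '11' THEN 'Executable file dropped'
    ELSE 'Generic Adobe Reader anomaly'
  END AS detection_reason
FROM events
WHERE username NOT IN ({allow})
  AND (
    (is_adobe(parent_process_path) AND is_shell(process_path))
    OR (is_adobe(process_path) AND event_id = '3' AND NOT is_rfc1918(destinationip))
    OR (is_adobe(process_path) AND event_id = '11' AND has_exec_ext(target_filename))
  )
ORDER BY devicetime DESC
"""


def run_detection(events=SAMPLE_EVENTS, allowlist=SERVICE_ACCOUNT_ALLOWLIST):
    """Load events into an in-memory SQLite table and return the rows the
    detection surfaces, newest first (same ordering as the AQL query)."""
    conn = sqlite3.connect(":memory:")
    for name, fn in (("is_adobe", is_adobe), ("is_shell", is_shell),
                     ("has_exec_ext", has_exec_ext), ("is_rfc1918", is_rfc1918)):
        conn.create_function(name, 1, fn)
    conn.execute("CREATE TABLE events (devicetime TEXT, sourceip TEXT, username TEXT, "
                 "event_id TEXT, parent_process_path TEXT, process_path TEXT, "
                 "command_line TEXT, destinationip TEXT, target_filename TEXT)")
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?)", events)
    allow = ",".join("?" * len(allowlist)) or "''"
    rows = conn.execute(DETECTION_SQL.format(allow=allow), tuple(allowlist)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for row in run_detection():
        print(row[0], row[2], row[-1])
```

Running the block prints four hits: the public 172.64.1.1 connection, the 93.184.216.34 connection, the payload.exe drop and the cmd.exe spawn; the 172.20.1.9 connection, the service-account spawn and the explorer.exe spawn are not surfaced. Passing `allowlist=()` restores the service-account row, which is the quickest way to see what a tuning entry costs in coverage.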
References (3)
- https://www.cisa.gov/news-events/alerts/2009/10/13/adobe-reader-and-acrobat-vulnerabilities
- https://web.archive.org/web/20120324170253/http://www.adobe.com/support/security/bulletins/apsb09-15.html#:~:text=CVE%2D2009%2D3459).-,NOTE%3A,-There%20are%20reports
- https://nvd.nist.gov/vuln/detail/CVE-2009-3459