Query Details

Asr Adobe Reader Child Process Audited Detection Rule

Query

# Rule: Detection of Adobe Reader Child Processes through ASR

## Description
This detection rule identifies child processes spawned by Adobe Reader that have been audited by Advanced Security Rules (ASR). Monitoring for child processes created by Adobe Reader is important because malicious actors can exploit vulnerabilities or use malicious PDFs to launch additional processes, executing malicious payloads. This rule focuses on identifying potentially suspicious activities initiated by Adobe Reader, providing early detection of possible threats.

This rule helps identify and audit unusual child processes initiated by Adobe Reader, serving as an early warning for potential malicious activities.

## Detection Logic
- Monitors `DeviceEvents` for events where:
  - The `ActionType` is "AsrAdobeReaderChildProcessAudited".

## Tags
- Adobe Reader
- Child Processes
- PDF Security
- Malware
- Advanced Security Rules (ASR)
- Suspicious Activity

## Search Query
```kql
DeviceEvents
| where ActionType == "AsrAdobeReaderChildProcessAudited"
```

Explanation

This query is designed to detect suspicious activities by monitoring child processes created by Adobe Reader. It uses Advanced Security Rules (ASR) to audit these processes. The goal is to identify potential threats early, as malicious actors might exploit Adobe Reader to execute harmful actions. The query specifically looks for events where the action type is "AsrAdobeReaderChildProcessAudited" in the DeviceEvents data.

In simple terms:

  • Purpose: To catch unusual or potentially harmful activities initiated by Adobe Reader.
  • How: By checking for specific security events logged by ASR.
  • Query: It filters device events to find those where Adobe Reader has created a child process that was audited by ASR.
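The rule above returns the raw audit events only. As an added example (not part of the original query), the version below keeps the same `ActionType` filter but projects the parent and child process fields an analyst needs for triage and groups the results so that child executables seen on the fewest devices surface first; the 7-day window is an assumption.

```kql
// Added example: same ActionType filter as the rule, plus triage context.
// Column names are standard DeviceEvents columns; the 7-day window is an assumption.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AsrAdobeReaderChildProcessAudited"
| project Timestamp, DeviceName, AccountName, ReportId,
    ParentProcess = InitiatingProcessFileName,
    ParentCommandLine = InitiatingProcessCommandLine,
    ChildProcess = FileName,
    ChildPath = FolderPath,
    ChildCommandLine = ProcessCommandLine
// Group by child executable and its on-disk location so one noisy
// device does not hide a rare child process seen elsewhere.
| summarize Events = count(),
    Devices = dcount(DeviceName),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleCommandLine = take_any(ChildCommandLine)
    by ChildProcess, ChildPath
// Rare child processes (few devices, few events) are the ones to review first.
| order by Devices asc, Events asc
```

Once the audited events for a fleet have been reviewed, the child executables that are expected for every installation can be excluded in a further `where` clause so the remaining rows stay actionable.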

Details


Ali Hussein

Released: July 15, 2024

Tables

DeviceEvents

Keywords

DeviceEvents, ActionType, Adobe Reader, Child Processes, PDF Security, Malware, Advanced Security Rules, Suspicious Activity

Operators

==, where
