Query Details

KQL Wiz PDF NTLM Leak Detector

Query

// KQLWiz PDF NTLM Leak Detector
// https://cybersecuritynews.com/zero-day-vulnerability-in-pdf-files-leaking-ntlm-data-in-adobe-foxit-reader/

DeviceFileEvents
// PDF written to disk: the .pdf name plus the FileType in AdditionalFields, so renamed files do not slip through
| where ActionType == "FileCreated" and FileName endswith ".pdf"
| where parse_json(AdditionalFields)["FileType"] == 'PDF'
// keep only events with an identifiable initiating process
| where InitiatingProcessUniqueId != 0
// default join kind is innerunique: one file event per process id is matched against that process's network events
| join DeviceNetworkEvents on InitiatingProcessUniqueId
// RemotePort is a numeric column, so compare it with a numeric literal; Protocol is a string
| where RemotePort == 445 and Protocol == "Tcp"

Explanation

This KQL query is designed to detect potential NTLM data leaks related to PDF files. Here's a simple breakdown of what it does:

  1. Source Table: It starts by looking at events related to files on devices (DeviceFileEvents).

  2. Filter for PDF Creation: It filters the events to find instances where a file was created (ActionType == "FileCreated") and the file name ends with ".pdf". It further checks that the file type is identified as 'PDF' in additional fields.

  3. Exclude System Processes: It ensures that the process creating the file is not a system process by checking that InitiatingProcessUniqueId is not zero.

  4. Join with Network Events: It then joins this data with network events (DeviceNetworkEvents) using the unique identifier of the initiating process.

  5. Filter for Specific Network Activity: Finally, it filters the network events to find connections made over TCP protocol to port 445, which is commonly used for SMB (Server Message Block) communication.

In essence, this query looks for instances where a PDF file is created and the process that created it then makes an outbound connection to TCP port 445, which could indicate that the PDF NTLM-leak vulnerability is being exploited.
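To see the query's join logic run over sample telemetry, here is a Python re-implementation added for this page (not the author's query or Defender code) over constructed DeviceFileEvents and DeviceNetworkEvents rows. The five-minute window and the RFC 1918 exclusion are assumptions that go beyond the query: the bare join also matches a process's ordinary internal file-share connections, so they are added to show where the noise comes from.

```python
import ipaddress
import json
from datetime import datetime, timedelta
# Constructed sample rows shaped like the DeviceFileEvents / DeviceNetworkEvents columns
# the query uses (assumed values for illustration, not real telemetry).
FILE_EVENTS = [
    {"Timestamp": "2025-01-16T10:00:00", "ActionType": "FileCreated", "DeviceName": "ws01",
     "FileName": "invoice.pdf", "AdditionalFields": '{"FileType":"PDF"}', "InitiatingProcessUniqueId": 1001},
    {"Timestamp": "2025-01-16T10:05:00", "ActionType": "FileCreated", "DeviceName": "ws01",
     "FileName": "notes.txt", "AdditionalFields": '{"FileType":"Text"}', "InitiatingProcessUniqueId": 1002},
    {"Timestamp": "2025-01-16T10:06:00", "ActionType": "FileCreated", "DeviceName": "ws02",
     "FileName": "report.pdf", "AdditionalFields": '{"FileType":"PDF"}', "InitiatingProcessUniqueId": 0},
]
NETWORK_EVENTS = [  # all TCP/445; destination and timing decide which ones count
    {"Timestamp": "2025-01-16T10:00:30", "InitiatingProcessUniqueId": 1001, "RemoteIP": "203.0.113.10", "RemotePort": 445, "Protocol": "Tcp"},
    {"Timestamp": "2025-01-16T10:00:40", "InitiatingProcessUniqueId": 1001, "RemoteIP": "10.0.0.5", "RemotePort": 445, "Protocol": "Tcp"},
    {"Timestamp": "2025-01-16T10:05:10", "InitiatingProcessUniqueId": 1002, "RemoteIP": "203.0.113.10", "RemotePort": 445, "Protocol": "Tcp"},
    {"Timestamp": "2025-01-16T12:00:00", "InitiatingProcessUniqueId": 1001, "RemoteIP": "198.51.100.7", "RemotePort": 445, "Protocol": "Tcp"},
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_pdf_creation(ev):
    """Query's file-side filters: FileCreated, .pdf (KQL endswith is case-insensitive), FileType == PDF, pid != 0."""
    fields = json.loads(ev["AdditionalFields"])
    return (ev["ActionType"] == "FileCreated"
            and ev["FileName"].lower().endswith(".pdf")
            and fields.get("FileType") == "PDF"
            and ev["InitiatingProcessUniqueId"] != 0)

def is_smb_connection(ev):
    """Query's network-side filter: TCP to port 445 (RemotePort is numeric)."""
    return ev["RemotePort"] == 445 and ev["Protocol"] == "Tcp"

def is_internal(ip):  # RFC 1918 destination, i.e. ordinary internal file-share traffic
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def detect(file_events, network_events, window=timedelta(minutes=5), external_only=True):
    """Join on InitiatingProcessUniqueId as the query does; window and external_only are added assumptions."""
    hits = []
    for f in filter(is_pdf_creation, file_events):
        created = datetime.fromisoformat(f["Timestamp"])
        for n in filter(is_smb_connection, network_events):
            delay = datetime.fromisoformat(n["Timestamp"]) - created
            if (n["InitiatingProcessUniqueId"] != f["InitiatingProcessUniqueId"]
                    or not timedelta(0) <= delay <= window  # before the PDF existed, or long after
                    or (external_only and is_internal(n["RemoteIP"]))):  # internal share, not a leak
                continue
            hits.append((f["DeviceName"], f["FileName"], n["RemoteIP"]))
    return hits
```

With the defaults only the invoice.pdf process reaching the external 203.0.113.10 within the window is reported; passing `external_only=False` also surfaces the internal 10.0.0.5 share access that the page's query would flag as well.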

Details

Steven Lim

Released: January 16, 2025

Tables

DeviceFileEvents, DeviceNetworkEvents

Keywords

DeviceFileEvents, NetworkEvents

Operators

DeviceFileEvents, where, ==, and, endswith, parse_json, AdditionalFields["FileType"], !=, join, DeviceNetworkEvents, on, RemotePort, Protocol