
# *Suspicious 0-Day Adobe Reader Process Activity*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1571 | Non-Standard Port | https://attack.mitre.org/techniques/T1571 |
| T1071 | Application Layer Protocol | https://attack.mitre.org/techniques/T1071 |


#### Description

This query identifies 0-Day (April 2026) behavior linked to Adobe Acrobat and Reader. It first filters for devices where Adobe processes have established network connections over non-standard ports (excluding 80 and 443) to public IP addresses. It then correlates these specific devices with file events where Adobe processes attempt to access critical system files like ntdll.dll or bootsvc.dll within the System32 directory. This pattern can be an indicator of unauthorized code execution or DLL sideloading attempts targeting PDF readers.

#### Author
- **Name:** Benjamin Zulliger
- **Github:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/

#### References
- https://gist.github.com/N3mes1s/9e55e8d781235ee256d5b3f6720222dd


## Defender XDR
```KQL
// Stage 1: devices where an Adobe process reached a public IP on a port other than 80/443
let NetEventDevices = DeviceNetworkEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ ("AcroRd32.exe", "Acrobat.exe", "AdobeCollabSync.exe")
| where RemotePort !in (443, 80)
// Thanks to Jakub Szumera for the advice to use the next line instead of RemoteIPType
| where not(ipv4_is_private(RemoteIP))
| project DeviceName;
// Stage 2: on those devices, Reader/Acrobat touching ntdll.dll or bootsvc.dll under System32
DeviceFileEvents
| where Timestamp > ago(30d)
| where DeviceName in (NetEventDevices)
| where InitiatingProcessFileName in~ ("AcroRd32.exe", "Acrobat.exe")
| where FileName in~ ("ntdll.dll", "bootsvc.dll")
| where FolderPath startswith "C:\\Windows\\System32"
```

## Explanation

This query is designed to detect potentially suspicious activities involving Adobe Acrobat and Reader processes on a network. Here's a simplified breakdown of what it does:

  1. Focus on Adobe Processes: It looks for network activities initiated by specific Adobe processes, namely AcroRd32.exe, Acrobat.exe, and AdobeCollabSync.exe.

  2. Non-Standard Ports: It filters out connections made over standard web ports (80 and 443), focusing instead on connections over other ports, which might indicate unusual or suspicious behavior.

  3. Public IP Connections: The query further narrows down to connections made to public IP addresses, excluding private network IPs, which could suggest external communication attempts.

  4. Device Correlation: It identifies devices involved in such network activities.

  5. File Access Monitoring: For these devices, it checks whether the Reader/Acrobat processes (AcroRd32.exe or Acrobat.exe) are touching critical system files (ntdll.dll or bootsvc.dll) located in the C:\Windows\System32 directory.

  6. Potential Threat Indicator: This pattern of behavior—Adobe processes connecting over non-standard ports to public IPs and accessing critical system files—could indicate unauthorized code execution or attempts to sideload malicious DLLs, which are tactics used in cyber attacks.

Overall, the query aims to spot early signs of a potential security threat involving Adobe Reader and Acrobat, which could be exploiting a zero-day vulnerability.
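To see how the two stages combine, here is a plain-Python re-implementation of the query's correlation logic run over a few constructed event rows. This is an added example, not part of the original query or the author's repository; the row layout, device names and IP addresses are assumptions.

```python
import ipaddress

# Filter constants mirroring the KQL query (in~ / startswith are case-insensitive, so compare lowercase).
ADOBE_NET_PROCS = {"acrord32.exe", "acrobat.exe", "adobecollabsync.exe"}
ADOBE_FILE_PROCS = {"acrord32.exe", "acrobat.exe"}
STANDARD_PORTS = {80, 443}
TARGET_FILES = {"ntdll.dll", "bootsvc.dll"}
SYSTEM32 = "c:\\windows\\system32"

# KQL ipv4_is_private() covers only the RFC 1918 ranges; Python's ip_address(...).is_private
# is broader (loopback, link-local, TEST-NET ...), so the three ranges are matched explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ipv4_is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)

def net_event_devices(net_events):
    """Stage 1: devices where an Adobe process reached a public IP on a non-standard port."""
    return {
        e["DeviceName"] for e in net_events
        if e["InitiatingProcessFileName"].lower() in ADOBE_NET_PROCS
        and e["RemotePort"] not in STANDARD_PORTS
        and not ipv4_is_private(e["RemoteIP"])
    }

def suspicious_file_events(net_events, file_events):
    """Stage 2: file events on stage-1 devices touching ntdll.dll / bootsvc.dll under System32."""
    devices = net_event_devices(net_events)
    return [
        e for e in file_events
        if e["DeviceName"] in devices
        and e["InitiatingProcessFileName"].lower() in ADOBE_FILE_PROCS
        and e["FileName"].lower() in TARGET_FILES
        and e["FolderPath"].lower().startswith(SYSTEM32)
    ]

# Constructed sample rows shaped like DeviceNetworkEvents / DeviceFileEvents (not real telemetry).
NET_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "AcroRd32.exe", "RemotePort": 8443, "RemoteIP": "203.0.113.10"},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "Acrobat.exe", "RemotePort": 443, "RemoteIP": "203.0.113.10"},  # standard port
    {"DeviceName": "ws03", "InitiatingProcessFileName": "acrobat.exe", "RemotePort": 4444, "RemoteIP": "10.1.2.3"},  # private IP
]
FILE_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "AcroRd32.exe", "FileName": "ntdll.dll", "FolderPath": "C:\\Windows\\System32\\ntdll.dll"},
    {"DeviceName": "ws01", "InitiatingProcessFileName": "AdobeCollabSync.exe", "FileName": "ntdll.dll", "FolderPath": "C:\\Windows\\System32\\ntdll.dll"},  # not in stage-2 list
    {"DeviceName": "ws02", "InitiatingProcessFileName": "Acrobat.exe", "FileName": "bootsvc.dll", "FolderPath": "C:\\Windows\\System32\\bootsvc.dll"},  # ws02 failed stage 1
]

if __name__ == "__main__":
    for hit in suspicious_file_events(NET_EVENTS, FILE_EVENTS):
        print(hit["DeviceName"], hit["InitiatingProcessFileName"], hit["FolderPath"])
```

Only ws01 survives both stages; ws02 and ws03 show why the port and private-IP filters matter for keeping the result set small.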

## Details

- Author: Benjamin Zulliger
- Released: April 10, 2026
- Tables: DeviceNetworkEvents, DeviceFileEvents
- Keywords: Devices
- Operators: let, where, in~, !in, not, ipv4_is_private, project, in, startswith