
# *Suspicious 0-Day Adobe Reader Process Activity*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1571 | Non-Standard Port | https://attack.mitre.org/techniques/T1571 |
| T1071 | Application Layer Protocol | https://attack.mitre.org/techniques/T1071 |


#### Description

This query identifies 0-Day (April 2026) behavior linked to Adobe Acrobat and Reader. It first filters for devices where Adobe processes have established network connections over non-standard ports (excluding 80 and 443) to public IP addresses. It then correlates these specific devices with file events where Adobe processes attempt to access critical system files like ntdll.dll or bootsvc.dll within the System32 directory. This pattern can be an indicator of unauthorized code execution or DLL sideloading attempts targeting PDF readers.

#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/


## Defender XDR
```KQL
// Stage 1: devices where an Adobe process reached a public IP on a port other than 80/443
let NetEventDevices = DeviceNetworkEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ ("AcroRd32.exe", "Acrobat.exe", "AdobeCollabSync.exe")
| where RemotePort !in (443, 80)
// thanks to Jakub Szumera for the advice to use the next line instead of RemoteIPType
| where not(ipv4_is_private(RemoteIP))
| project DeviceName;
// Stage 2: on those devices, file events where Acrobat/Reader touched ntdll.dll or bootsvc.dll under System32
DeviceFileEvents
| where Timestamp > ago(30d)
| where DeviceName in (NetEventDevices)
| where InitiatingProcessFileName in~ ("AcroRd32.exe", "Acrobat.exe")
| where FileName in~ ("ntdll.dll", "bootsvc.dll")
| where FolderPath startswith "C:\\Windows\\System32"
```

Explanation

This query is designed to detect potentially suspicious activities involving Adobe Acrobat and Reader processes on devices. Here's a simple breakdown of what it does:

  1. Identify Network Connections: It first looks for devices where Adobe-related processes (AcroRd32.exe, Acrobat.exe, and AdobeCollabSync.exe) have made network connections over non-standard ports (any port other than 80 and 443) to public IP addresses. Web traffic from these processes normally uses the standard ports, so connections over other ports to public addresses stand out and warrant a closer look.

  2. Correlate with File Access: After identifying these devices, the query checks if the same Adobe processes on these devices have tried to access critical system files, specifically "ntdll.dll" or "bootsvc.dll", located in the "C:\Windows\System32" directory. Accessing these files can be a sign of unauthorized code execution or attempts to manipulate system operations, which could be indicative of a security threat.

  3. Time Frame: The query focuses on events that occurred within the last 30 days.

Overall, this query helps in identifying potential security threats by correlating unusual network activity with suspicious file access attempts, which could be indicative of a zero-day vulnerability being exploited in Adobe Reader or Acrobat.
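As an added example (not part of the original query or the author's repository), the same two-stage correlation written with a join, so that each matching file event also carries the network evidence that qualified the device: the analyst sees the remote endpoints, the command line and the hash of the Adobe process in one row instead of re-querying. Column names follow the standard Defender XDR advanced hunting schema for DeviceNetworkEvents and DeviceFileEvents.

```kql
// Added hunting variant: join instead of "in", so each hit keeps its network context.
let lookback = 30d;
// Stage 1: per device, summarize the Adobe connections to public IPs on non-80/443 ports.
let NetHits = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ ("AcroRd32.exe", "Acrobat.exe", "AdobeCollabSync.exe")
| where RemotePort !in (443, 80)
| where not(ipv4_is_private(RemoteIP))
| summarize NetFirstSeen = min(Timestamp),
            NetLastSeen = max(Timestamp),
            NetConnections = count(),
            // keep up to 20 distinct ip:port pairs per device for triage
            RemoteEndpoints = make_set(strcat(RemoteIP, ":", tostring(RemotePort)), 20)
    by DeviceId;
// Stage 2: file events on those devices where Acrobat/Reader touched the two DLLs under System32.
DeviceFileEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ ("AcroRd32.exe", "Acrobat.exe")
| where FileName in~ ("ntdll.dll", "bootsvc.dll")
| where FolderPath startswith "C:\\Windows\\System32"
// join on DeviceId (stable) rather than DeviceName (can be renamed or reused)
| join kind=inner NetHits on DeviceId
| project Timestamp, DeviceName, ActionType, FolderPath, FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessSHA256, InitiatingProcessAccountName,
          NetFirstSeen, NetLastSeen, NetConnections, RemoteEndpoints
| order by Timestamp desc
```

Because stage 1 only counts connections, a device that legitimately uses a non-standard port (for example a proxy) will still qualify; review RemoteEndpoints before escalating a hit.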

Details

Benjamin Zulliger

Released: April 10, 2026

Tables

DeviceNetworkEvents, DeviceFileEvents

Keywords

Devices

Operators

let, |, where, >, ago, in~, !in, not, ipv4_is_private, project, in, startswith