Techniques
Sample rules
Windows Phishing PDF File Executes URL Link
- source: splunk
- technicques:
- T1566.001
- T1566
Description
The following analytic detects suspicious PDF viewer processes spawning browser application child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it may indicate a PDF spear-phishing attempt where a malicious URL link is executed, leading to potential payload download. If confirmed malicious, this could allow attackers to execute code, escalate privileges, or persist in the environment by exploiting the user’s browser to connect to a malicious site.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("AcroRd32.exe", "FoxitPDFReader.exe") Processes.process_name IN ("firefox.exe", "chrome.exe", "iexplore.exe") by Processes.user Processes.parent_process_name Processes.process_name Processes.parent_process Processes.process Processes.process_id Processes.dest
|`drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_phishing_pdf_file_executes_url_link_filter`