APT NGO wuaclt PDF | SOC Hunt Feed

Hunt Hypothesis

The hypothesis is that the detection identifies potential adversary use of a malicious PDF file leveraging the wuaclt.exe utility, which may be part of an APT campaign. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise attempts by advanced persistent threats.

YARA Rule

rule APT_NGO_wuaclt_PDF
{
        meta:
            author = "AlienVault Labs"

    strings:
        $pdf  = "%PDF" nocase
        $comment = {3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A}
    
    condition:
        $pdf at 0 and $comment in (0..200)
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

Microsoft Defender for Endpoint — Custom indicators / advanced hunting
Email Gateway — Attachment scanning
File Share Monitoring — Periodic scanning of shared drives
YARA CLI — Manual threat hunting on endpoints

This rule contains 2 string patterns in its detection logic.

Source Rule

False Positive Guidance

Scenario: Scheduled PDF Conversion Job Using Adobe Acrobat
Description: A legitimate scheduled task runs Adobe Acrobat to convert PDFs to other formats.
Filter/Exclusion: process.name != "AcroRd32.exe" or check for process.parent.name == "Task Scheduler" and process.name == "AcroRd32.exe"
Scenario: System Update Using Windows Update Agent
Description: The Windows Update Agent (wuaclt.exe) is used to check for and install system updates.
Filter/Exclusion: process.name == "wuaclt.exe" and process.parent.name == "svchost.exe" with process.parent.arguments containing “Update”
Scenario: PDF Signing Using Adobe Sign (formerly DocuSign)
Description: An admin uses Adobe Sign to digitally sign PDF documents as part of a business process.
Filter/Exclusion: process.name == "AdobeSign.exe" or check for process.arguments containing “sign” or “signature”
Scenario: PDF Viewer Usage by End Users
Description: Employees open PDF files using a standard PDF viewer like Foxit Reader or Sumatra PDF.
Filter/Exclusion: process.name in ("FoxitReader.exe", "SumatraPDF.exe") and process.parent.name == "explorer.exe"
Scenario: Automated Report Generation Using Microsoft Excel
Description: A scheduled job generates reports using Excel and exports them to PDF format.
Filter/Exclusion: process.name == "EXCEL.EXE" and process.parent.name == "Task Scheduler" with process.arguments containing “export” or “pdf”