Adversaries have long distributed malware as fake Flash Player updates, serving a file named like Adobe's installer from a host they control so that the user executes it (T1204.002) and the payload can deploy further tooling or establish persistence. The rule below looks for proxy requests to the Flash installer paths whose destination host is not under adobe.com. SOC teams can run the Azure Sentinel translation as a scheduled hunt to find endpoints that fetched a Flash installer from an unofficial location and treat each hit as a potential compromise vector.
Detection Rule
title: Flash Player Update from Suspicious Location
id: 4922a5dd-6743-4fc2-8e81-144374280997
status: test
description: Detects a flashplayer update from an unofficial location
references:
    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth (Nextron Systems)
date: 2017-10-25
modified: 2022-08-08
tags:
    - attack.initial-access
    - attack.t1189
    - attack.execution
    - attack.t1204.002
    - attack.defense-evasion
    - attack.t1036.005
logsource:
    category: proxy
detection:
    selection:
        - c-uri|contains: '/flash_install.php'
        - c-uri|endswith: '/install_flash_player.exe'
    filter:
        cs-host|endswith: '.adobe.com'
    condition: selection and not filter
falsepositives:
    - Unknown flash download locations
level: high
imWebSession
| where (Url contains "/flash_install.php" or Url endswith "/install_flash_player.exe") and (not(HttpHost endswith ".adobe.com"))
False Positive Scenarios
The rule runs on proxy logs, which record the client address, the destination host and the URI but not the process that made the request. Exclusions therefore have to be expressed in the fields the log source carries (cs-host / HttpHost, or the destination or source address), not in terms of the Task Scheduler, SCCM, Puppet or Group Policy process that issued the download. Note also that Adobe ended Flash Player support on 31 December 2020 and removed the installer downloads; in an environment that no longer runs Flash, none of the exclusions below should be applied and every hit deserves investigation.
Scenario: Scheduled System Maintenance Task
Description: A scheduled task on workstations pulls install_flash_player.exe from an internal software repository rather than from Adobe, so the download appears with a non-Adobe destination host.
Filter/Exclusion: Add the repository's hostname (or its destination IP range) to the filter, matching cs-host / HttpHost exactly rather than with a loose substring that a lookalike domain could satisfy.
Scenario: Flash Player Auto-Update via an Internal Update Server
Description: An enterprise points Flash Player's background updater at an internal update server through mms.cfg; the updater then requests the installer from that server, which is not under adobe.com and so triggers the rule.
Filter/Exclusion: Exclude the internal update server's hostname or address; keep the exclusion to that single host so that a compromised or rogue internal host serving the same path is still caught.
Scenario: Flash Player Update via Puppet or Ansible Configuration Management
Description: A configuration management run fetches the installer from an artifact repository or internal mirror on every managed host, producing many hits with the mirror as destination. Runs that download straight from an adobe.com subdomain are already covered by the rule's filter.
Filter/Exclusion: Exclude the artifact repository or mirror hostname; the agent binary itself is not visible in proxy logs and cannot be used as a filter here.
Scenario: Flash Player Update via SCCM (System Center Configuration Manager)
Description: If distribution point traffic passes through the logged proxy, clients downloading package content over HTTP(S) request a path that still ends in the installer filename and match the selection.
Filter/Exclusion: Exclude the distribution points' hostnames or addresses rather than any path pattern, since the path is what an attacker controls.
Scenario: Flash Player Update via Group Policy Object (GPO)
Description: GPO software installation delivers the package from an SMB share, so it does not normally appear in proxy logs at all. A GPO startup or logon script that downloads the installer over HTTP from an internal host will, however, match the rule.
Filter/Exclusion: Exclude the hostname the script downloads from, after confirming it is the host the script actually references.
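The following Python block is an added example, not part of the Sigma rule or its Sentinel translation. It applies the rule's selection and filter logic to a handful of constructed proxy records (field names map to c-uri / cs-host in Sigma and Url / HttpHost in imWebSession) and adds two tuning options that go beyond the rule as written: an exact-match allowlist of internal repository hosts, as suggested in the scenarios above, and optional stripping of the query string so that a `?token=...` suffix cannot defeat the `endswith` test. The hostnames and addresses in the sample data are invented.

```python
"""Added example: the rule's selection/filter logic applied to constructed
proxy records, plus two tuning knobs (internal-host allowlist, query-string
stripping) that are not part of the original Sigma rule."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class WebSession:
    """One proxy record. host ~ cs-host / HttpHost, uri ~ c-uri / Url."""
    src_ip: str
    host: str
    uri: str


# Constructed sample records for illustration only; not real traffic.
SAMPLE_SESSIONS = [
    WebSession("10.0.0.5", "fpdownload.adobe.com", "/get/flashplayer/pdc/install_flash_player.exe"),
    WebSession("10.0.0.6", "cdn-updates.example.net", "/flash_install.php?v=32"),
    WebSession("10.0.0.7", "adobe.com.update-now.example", "/install_flash_player.exe"),
    WebSession("10.0.0.8", "updates.corp.example", "/software/adobe/install_flash_player.exe"),
    WebSession("10.0.0.9", "www.example.org", "/index.html"),
    WebSession("10.0.0.10", "MIRROR.EXAMPLE.NET", "/Install_Flash_Player.EXE"),
    WebSession("10.0.0.11", "adobe.com", "/install_flash_player.exe"),
    WebSession("10.0.0.12", "dl.example.com", "/install_flash_player.exe?token=abc"),
]


def matches_selection(session, strip_query=False):
    """Sigma 'selection': c-uri|contains '/flash_install.php' OR
    c-uri|endswith '/install_flash_player.exe'. Sigma string modifiers are
    case-insensitive, so the comparison is done on the lower-cased URI.
    strip_query=True is an added hardening: test the path only, so a query
    string appended to the installer name cannot slip past 'endswith'."""
    uri = session.uri.lower()
    if strip_query:
        uri = urlsplit(uri).path
    return "/flash_install.php" in uri or uri.endswith("/install_flash_player.exe")


def matches_filter(session):
    """Sigma 'filter': cs-host|endswith '.adobe.com'. Because of the leading
    dot, the bare apex 'adobe.com' and lookalikes such as
    'adobe.com.update-now.example' are NOT excluded by this test."""
    return session.host.lower().endswith(".adobe.com")


def evaluate(sessions, internal_update_hosts=frozenset(), strip_query=False):
    """condition: selection and not filter, with an optional exact-match
    allowlist of internal repository hostnames (added tuning, not in the rule).
    Returns the sessions that would raise an alert, in input order."""
    allow = {h.lower() for h in internal_update_hosts}
    return [
        s for s in sessions
        if matches_selection(s, strip_query)
        and not matches_filter(s)
        and s.host.lower() not in allow
    ]


if __name__ == "__main__":
    hits = evaluate(SAMPLE_SESSIONS,
                    internal_update_hosts={"updates.corp.example"},
                    strip_query=True)
    for hit in hits:
        print(f"ALERT src={hit.src_ip} host={hit.host} uri={hit.uri}")
```

Two properties of the rule are visible in the sample run. First, the filter only exempts hosts that end in `.adobe.com`, so both the apex `adobe.com` and a lookalike that merely starts with `adobe.com` still alert; the Sentinel translation (`HttpHost endswith ".adobe.com"`) behaves the same way. Second, as written the rule compares the raw URI, so a download of `/install_flash_player.exe?token=abc` is missed unless the query string is stripped first; whether `Url` in imWebSession carries the query depends on the proxy's parser, so check a real record before relying on either behaviour.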