Adversaries may use RegEdit.EXE to save or print registry data to a PDF file as part of a defense-evasion, persistence or exfiltration tactic. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential covert data transfer or command-and-control activity.
Detection Rule
title: PDF File Created By RegEdit.EXE
id: 145095eb-e273-443b-83d0-f9b519b7867b
status: test
description: |
    Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process.
    This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
references:
    - https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-08
tags:
    - attack.defense-evasion
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\regedit.exe'
        TargetFilename|endswith: '.pdf'
    condition: selection
falsepositives:
    - Unlikely
level: high
// Azure Sentinel (ASIM FileEvent) equivalent of the selection above.
// The process check belongs on the acting process (ActingProcessName), not on the
// created file's path; the original query tested TargetFilePath for both values
// and could never match. Restricting EventType to FileCreated mirrors the
// Sigma file_event category.
imFileEvent
| where EventType == "FileCreated"
| where ActingProcessName endswith "\\regedit.exe" and TargetFilePath endswith ".pdf"
False-positive scenarios and suggested tuning:

1. Scenario: A system administrator uses RegEdit.EXE to create a temporary configuration file for a service or application.
   Filter/Exclusion: Exclude files created by RegEdit.EXE in the %TEMP% directory or system-specific paths like C:\Windows\Temp.

2. Scenario: A scheduled task runs a script that uses RegEdit.EXE to generate a log file or configuration file for auditing purposes.
   Filter/Exclusion: Exclude files created by scheduled tasks with known names or paths, such as C:\Windows\System32\Tasks\*.

3. Scenario: A developer uses RegEdit.EXE to create a test PDF file for documentation or demonstration in a development environment.
   Filter/Exclusion: Exclude files created in development directories like C:\Dev\* or with specific file names like test_document.pdf.

4. Scenario: A system update or patching tool uses RegEdit.EXE to generate a report or log file during the update process.
   Filter/Exclusion: Exclude files created by known update tools (e.g., Windows Update, SCCM) in their respective log directories.

5. Scenario: An IT support tool or remote management software uses RegEdit.EXE to create a diagnostic PDF file for troubleshooting.
   Filter/Exclusion: Exclude files created by specific support tools (e.g., Microsoft Endpoint Manager, SCCM, or third-party remote access tools) in their designated output directories.
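The following is an added example, not part of the Sigma rule or the Sentinel query above: it re-implements the rule's selection logic and the path-based exclusions from the scenarios as a small offline evaluator, so the rule and its tuning can be unit-tested against constructed file-creation events before deployment. The FileEvent shape, the sample events and the exclusion prefixes are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class FileEvent:
    """Constructed file-creation event; fields mirror the Sigma file_event names."""
    image: str             # full path of the process that created the file
    target_filename: str   # full path of the created file


# Tuning allowlist derived from the false-positive scenarios above.
# The exact prefixes are assumptions; adapt them to the environment.
EXCLUDED_PREFIXES = (
    "C:\\Windows\\Temp\\",
    "C:\\Dev\\",
)


def rule_matches(ev: FileEvent) -> bool:
    """Core Sigma selection: regedit.exe writes a file whose name ends in .pdf.
    Windows paths are case-insensitive, so both sides are lower-cased first."""
    image = ev.image.lower()
    target = ev.target_filename.lower()
    return image.endswith("\\regedit.exe") and target.endswith(".pdf")


def is_excluded(ev: FileEvent) -> bool:
    """Tuning filter: suppress hits whose target lives under an allowlisted directory."""
    target = ev.target_filename.lower()
    return any(target.startswith(prefix.lower()) for prefix in EXCLUDED_PREFIXES)


def evaluate(events):
    """Return the events that should raise an alert (rule hits minus exclusions)."""
    return [ev for ev in events if rule_matches(ev) and not is_excluded(ev)]


# Constructed sample telemetry covering a true positive, an excluded path,
# a non-PDF registry export, a different process, and mixed-case paths.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Windows\regedit.exe", r"C:\Users\alice\Desktop\registry-export.pdf"),
    FileEvent(r"C:\Windows\regedit.exe", r"C:\Windows\Temp\export.pdf"),
    FileEvent(r"C:\Windows\regedit.exe", r"C:\Users\alice\Desktop\backup.reg"),
    FileEvent(r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\Desktop\notes.pdf"),
    FileEvent(r"C:\Windows\REGEDIT.EXE", r"C:\Users\bob\Documents\Report.PDF"),
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print(f"ALERT: {ev.image} wrote {ev.target_filename}")
```

Broad exclusions such as %TEMP% or C:\Windows\Temp weaken the rule considerably, since any local user can write there; prefer narrow allowlists keyed on a specific tool's output directory.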