Suspicious Child Process of Adobe Acrobat Reader Update Service

Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.


# Elastic detection rule. Alerts when the Adobe Acrobat Reader update helper
# (com.adobe.ARMDC.SMJobBlessHelper) spawns a root-level child process that is not
# one of the allowlisted updater components. The CVEs named in `description` are
# the privilege-escalation flaws this behaviour is associated with; a hit on a
# patched host still warrants review, since the allowlist is path-based.
[metadata]
creation_date = "2021/01/19"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader
PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and
CVE-2020-9613 and verify that the impacted system is patched.
"""
false_positives = ["Trusted system or Adobe Acrobat Related processes."]
# Lookback window for each rule execution (the schedule interval is set by the stack, not here).
from = "now-9m"
# Both Elastic Defend (logs-endpoint.events.*) and auditbeat process events are consulted;
# the query below therefore has to accept both sources' event.type naming.
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Child Process of Adobe Acrobat Reader Update Service"
references = [
    "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/",
]
# High severity: a match is an unexpected process running as root, spawned by a
# privileged helper, which is the outcome the referenced CVEs lead to.
risk_score = 73
rule_id = "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend"
]
# Evaluate against ingest time rather than event time so late-arriving endpoint
# events are still inside the `from` window when the rule runs.
timestamp_override = "event.ingested"
type = "query"

# Detection logic: root-owned process starts whose parent is the Adobe privileged
# helper, minus a path allowlist of the tools the legitimate updater is known to run.
# Tuning notes for maintainers:
# - Two allowlist entries are wildcards (`/private/var/folders/zz/*/T/download/ARMDCHammer`
#   and `/usr/bin/perl*`), so they exclude more than a single fixed binary; re-validate
#   them after Adobe updater changes, and consider whether a code-signature condition
#   (ECS `process.code_signature.*`, if the data source populates it) would let the
#   allowlist be narrowed without raising false positives.
# - `event.type:(start or process_started)` presumably covers the process-creation
#   event type used by each of the two indexed data sources — confirm against current
#   Elastic Defend and auditbeat mappings before changing it.
# - Comments cannot go inside the literal string: anything between the ''' markers is
#   part of the KQL query.
query = '''
event.category:process and host.os.type:macos and event.type:(start or process_started) and
  process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and
  user.name:root and
  not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or
                           /usr/bin/codesign or
                           /private/var/folders/zz/*/T/download/ARMDCHammer or
                           /usr/sbin/pkgutil or
                           /usr/bin/shasum or
                           /usr/bin/perl* or
                           /usr/sbin/spctl or
                           /usr/sbin/installer or
                           /usr/bin/csrutil)
'''


# MITRE ATT&CK mapping: one technique (T1068) under the Privilege Escalation tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
