trusted system or adobe acrobat related processes.

Techniques

T1068

Sample rules

Suspicious Child Process of Adobe Acrobat Reader Update Service

source: elastic
technicques:
- T1068

Description

Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.

Detection logic

process where host.os.type == "macos" and event.type in ("start", "process_started") and
  process.parent.name like "com.adobe.ARMDC.SMJobBlessHelper" and
  user.name == "root" and
  not process.executable like ("/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper",
                               "/usr/bin/codesign",
                               "/private/var/folders/zz/*/T/download/ARMDCHammer",
                               "/usr/sbin/pkgutil",
                               "/usr/bin/shasum",
                               "/usr/bin/perl*",
                               "/usr/sbin/spctl",
                               "/usr/sbin/installer",
                               "/usr/bin/csrutil")