Techniques
Sample rules
Suspicious Child Process of Adobe Acrobat Reader Update Service
- source: elastic
- technicques:
- T1068
Description
Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.
Detection logic
process where host.os.type == "macos" and event.type in ("start", "process_started") and
process.parent.name like "com.adobe.ARMDC.SMJobBlessHelper" and
user.name == "root" and
not process.executable like ("/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper",
"/usr/bin/codesign",
"/private/var/folders/zz/*/T/download/ARMDCHammer",
"/usr/sbin/pkgutil",
"/usr/bin/shasum",
"/usr/bin/perl*",
"/usr/sbin/spctl",
"/usr/sbin/installer",
"/usr/bin/csrutil")