LoFP LoFP / trusted system or adobe acrobat related processes.

Techniques

Sample rules

Suspicious Child Process of Adobe Acrobat Reader Update Service

Description

Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.

Detection logic

process where host.os.type == "macos" and event.type in ("start", "process_started") and
  process.parent.name like "com.adobe.ARMDC.SMJobBlessHelper" and
  user.name == "root" and
  not process.executable like ("/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper",
                               "/usr/bin/codesign",
                               "/private/var/folders/zz/*/T/download/ARMDCHammer",
                               "/usr/sbin/pkgutil",
                               "/usr/bin/shasum",
                               "/usr/bin/perl*",
                               "/usr/sbin/spctl",
                               "/usr/sbin/installer",
                               "/usr/bin/csrutil")