From 142a26a0106b9acea7dbb456b00dd10edd76572a Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Wed, 10 Feb 2021 14:08:37 +0100 Subject: [PATCH] [New Rule] Suspicious Adobe Acrobat Updates Service Child Process (#886) * [New Rule] Suspicious Adobe Acrobat Updates Service Child Process * Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml Co-authored-by: Justin Ibarra Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra --- ...alation_exploit_adobe_acrobat_updater.toml | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml new file mode 100644 index 000000000..e65eb3c9f --- /dev/null +++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml @@ -0,0 +1,54 @@ +[metadata] +creation_date = "2021/01/19" +maturity = "production" +updated_date = "2021/01/19" + +[rule] +author = ["Elastic"] +description = """ +Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader +PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and +CVE-2020-9613 and verify that the impacted system is patched. +""" +false_positives = ["Trusted system or Adobe Acrobat Related processes."] +from = "now-9m" +index = ["auditbeat-*", "logs-endpoint.events.*"] +language = "kuery" +license = "Elastic License" +name = "Suspicious Child Process of Adobe Acrobat Reader Update Service" +references = [ + "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/", +] +risk_score = 73 +rule_id = "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7" +severity = "high" +tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation"] +type = "query" + +query = ''' +event.category:process and event.type:(start or process_started) and + process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and + user.name:root and + not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or + /usr/bin/codesign or + /private/var/folders/zz/*/T/download/ARMDCHammer or + /usr/sbin/pkgutil or + /usr/bin/shasum or + /usr/bin/perl* or + /usr/sbin/spctl or + /usr/sbin/installer) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/"