[metadata] creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/02/22" [rule] author = ["Elastic"] description = """ Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched. """ false_positives = ["Trusted system or Adobe Acrobat Related processes."] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License v2" name = "Suspicious Child Process of Adobe Acrobat Reader Update Service" references = [ "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/", ] risk_score = 73 rule_id = "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7" severity = "high" tags = [ "Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation", "CVE-2020-9615", "CVE-2020-9614", "CVE-2020-9613", ] timestamp_override = "event.ingested" type = "query" query = ''' event.category:process and host.os.type:macos and event.type:(start or process_started) and process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and user.name:root and not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or /usr/bin/codesign or /private/var/folders/zz/*/T/download/ARMDCHammer or /usr/sbin/pkgutil or /usr/bin/shasum or /usr/bin/perl* or /usr/sbin/spctl or /usr/sbin/installer or /usr/bin/csrutil) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/"