Suspicious Emond Child Process

  1[metadata]
  2creation_date = "2021/01/11"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/02/04"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this
 11service by writing a rule to execute commands when a defined event occurs, such as system start up or user
 12authentication.
 13"""
 14from = "now-9m"
 15index = ["logs-endpoint.events.process*"]
 16language = "eql"
 17license = "Elastic License v2"
 18name = "Suspicious Emond Child Process"
 19references = [
 20    "https://www.xorrior.com/emond-persistence/",
 21    "https://www.elastic.co/security-labs/handy-elastic-tools-for-the-enthusiastic-detection-engineer",
 22]
 23risk_score = 47
 24rule_id = "3e3d15c6-1509-479a-b125-21718372157e"
 25setup = """## Setup
 26
 27This rule requires data coming in from Elastic Defend.
 28
 29### Elastic Defend Integration Setup
 30Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 31
 32#### Prerequisite Requirements:
 33- Fleet is required for Elastic Defend.
 34- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 35
 36#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
 37- Go to the Kibana home page and click "Add integrations".
 38- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 39- Click "Add Elastic Defend".
 40- Configure the integration name and optionally add a description.
 41- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
 42- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 43- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 44- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 45For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 46- Click "Save and Continue".
 47- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 48For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 49"""
 50severity = "medium"
 51tags = [
 52    "Domain: Endpoint",
 53    "OS: macOS",
 54    "Use Case: Threat Detection",
 55    "Tactic: Persistence",
 56    "Data Source: Elastic Defend",
 57    "Resources: Investigation Guide",
 58]
 59timestamp_override = "event.ingested"
 60type = "eql"
 61
 62query = '''
 63process where host.os.type == "macos" and event.type in ("start", "process_started") and
 64 process.parent.name : "emond" and
 65 process.name : (
 66   "bash",
 67   "dash",
 68   "sh",
 69   "tcsh",
 70   "csh",
 71   "zsh",
 72   "ksh",
 73   "fish",
 74   "Python",
 75   "python*",
 76   "perl*",
 77   "php*",
 78   "osascript",
 79   "pwsh",
 80   "curl",
 81   "wget",
 82   "cp",
 83   "mv",
 84   "touch",
 85   "echo",
 86   "base64",
 87   "launchctl")
 88'''
 89note = """## Triage and analysis
 90
 91> **Disclaimer**:
 92> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 93
 94### Investigating Suspicious Emond Child Process
 95
 96The Event Monitor Daemon (emond) on macOS is a service that executes commands based on system events, like startup or user login. Adversaries exploit emond by crafting rules that trigger malicious scripts or commands during these events, enabling persistence. The detection rule identifies unusual child processes spawned by emond, such as shell scripts or command-line utilities, which are indicative of potential abuse.
 97
 98### Possible investigation steps
 99
100- Review the process details to confirm the parent process is indeed emond and check the specific child process name against the list of suspicious processes such as bash, python, or curl.
101- Investigate the command line arguments used by the suspicious child process to identify any potentially malicious commands or scripts being executed.
102- Check the timing of the event to see if it coincides with known system events like startup or user login, which could indicate an attempt to establish persistence.
103- Examine the user account associated with the process to determine if it is a legitimate user or potentially compromised account.
104- Look for any recent changes to emond rules or configuration files that could have been modified to trigger the suspicious process execution.
105- Correlate this event with other security alerts or logs from the same host to identify any patterns or additional indicators of compromise.
106
107### False positive analysis
108
109- System maintenance scripts may trigger the rule if they use shell scripts or command-line utilities. Review scheduled tasks or maintenance scripts and exclude them if they are verified as non-threatening.
110- Legitimate software installations or updates might spawn processes like bash or curl. Monitor installation logs and exclude these processes if they align with known software updates.
111- User-initiated scripts for automation or customization can cause alerts. Verify the user's intent and exclude these processes if they are part of regular user activity.
112- Administrative tasks performed by IT staff, such as using launchctl for service management, may trigger the rule. Confirm these activities with IT staff and exclude them if they are part of routine administration.
113- Development environments on macOS might use interpreters like Python or Perl. Validate the development activities and exclude these processes if they are consistent with the developer's workflow.
114
115### Response and remediation
116
117- Isolate the affected macOS system from the network to prevent further malicious activity and lateral movement.
118- Terminate any suspicious child processes spawned by emond, such as shell scripts or command-line utilities, to halt ongoing malicious actions.
119- Review and remove any unauthorized or suspicious emond rules that may have been added to execute malicious commands during system events.
120- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware or persistence mechanisms.
121- Restore any altered or deleted system files from a known good backup to ensure system integrity.
122- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
123- Implement enhanced monitoring and logging for emond and related processes to detect similar threats in the future, ensuring alerts are configured for unusual child processes."""
124
125
126[[rule.threat]]
127framework = "MITRE ATT&CK"
128[[rule.threat.technique]]
129id = "T1546"
130name = "Event Triggered Execution"
131reference = "https://attack.mitre.org/techniques/T1546/"
132[[rule.threat.technique.subtechnique]]
133id = "T1546.014"
134name = "Emond"
135reference = "https://attack.mitre.org/techniques/T1546/014/"
136
137
138
139[rule.threat.tactic]
140id = "TA0003"
141name = "Persistence"
142reference = "https://attack.mitre.org/tactics/TA0003/"