MacOS Emond Launch Daemon
Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
Sigma rule
title: MacOS Emond Launch Daemon
id: 23c43900-e732-45a4-8354-63e4a6c187ce
status: test
description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md
    - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
author: Alejandro Ortuno, oscd.community
date: 2020/10/23
modified: 2021/11/27
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1546.014
logsource:
    category: file_event
    product: macos
detection:
    selection_1:
        TargetFilename|contains: '/etc/emond.d/rules/'
        TargetFilename|endswith: '.plist'
    selection_2:
        TargetFilename|contains: '/private/var/db/emondClients/'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: medium
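To show what the rule's two selections and its `1 of selection_*` condition actually match, here is the detection logic re-implemented in plain Python and run over a handful of constructed macOS file events. This is an added example, not code from the Sigma project or from the rule's author; the event shape (a dict carrying a `TargetFilename` key, as the macOS `file_event` log source would after field mapping) and the sample events are assumptions made for the illustration. Two details worth noting in the code: Sigma string modifiers are case-insensitive, so the comparison lowercases both sides, and because `/etc` on macOS is a symlink to `/private/etc`, a file event reported under the `/private/etc/emond.d/rules/` path still satisfies the `contains` test.

```python
"""Evaluate the 'MacOS Emond Launch Daemon' Sigma rule against file events.

Added example: the rule's selections and condition transcribed into Python
so the match behaviour can be inspected. Not part of the Sigma project.
The event format (dict with a TargetFilename key) is an assumption.
"""

# Selection values copied from the rule. Sigma string matching is
# case-insensitive by default, so comparisons below lowercase both sides.
SELECTION_1 = {
    "contains": "/etc/emond.d/rules/",
    "endswith": ".plist",
}
SELECTION_2 = {
    "contains": "/private/var/db/emondClients/",
}


def _selection_1(target: str) -> bool:
    """selection_1: path is under the emond rules directory AND is a .plist."""
    t = target.lower()
    return (SELECTION_1["contains"].lower() in t
            and t.endswith(SELECTION_1["endswith"].lower()))


def _selection_2(target: str) -> bool:
    """selection_2: path is under the emondClients trigger directory."""
    return SELECTION_2["contains"].lower() in target.lower()


def matches(event: dict) -> bool:
    """Return True when the event satisfies the rule's '1 of selection_*'.

    An event without a string TargetFilename cannot satisfy either
    selection, so it never matches.
    """
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False
    return _selection_1(target) or _selection_2(target)


def scan(events: list) -> list:
    """Return the TargetFilename of every event the rule fires on, in order."""
    return [e["TargetFilename"] for e in events if matches(e)]


# Constructed sample events (hypothetical, for illustration only).
SAMPLE_EVENTS = [
    # A rule file dropped in the emond rules directory: selection_1 fires.
    {"EventType": "create", "Image": "/bin/cp",
     "TargetFilename": "/etc/emond.d/rules/SampleRules.plist"},
    # Same directory reached via the /private/etc real path: still matches,
    # because '/etc/emond.d/rules/' is a substring of the full path.
    {"EventType": "create", "Image": "/usr/bin/plutil",
     "TargetFilename": "/private/etc/emond.d/rules/persist.plist"},
    # Non-plist file in the rules directory: selection_1's endswith fails.
    {"EventType": "create", "Image": "/usr/bin/vim",
     "TargetFilename": "/etc/emond.d/rules/notes.txt"},
    # A trigger file in emondClients: selection_2 fires (any file name).
    {"EventType": "create", "Image": "/usr/bin/touch",
     "TargetFilename": "/private/var/db/emondClients/trigger"},
    # The emond launchd plist itself is outside both watched directories.
    {"EventType": "modify", "Image": "/usr/sbin/softwareupdate",
     "TargetFilename": "/Library/LaunchDaemons/com.apple.emond.plist"},
    # Event with no TargetFilename at all: ignored.
    {"EventType": "delete", "Image": "/bin/rm"},
]


if __name__ == "__main__":
    for path in scan(SAMPLE_EVENTS):
        print("ALERT  MacOS Emond Launch Daemon:", path)
```

Running the block prints three alerts: the two `.plist` writes under the rules directory (via `/etc` and `/private/etc`) and the `emondClients` trigger file. The `.txt` file in the rules directory and the launchd plist in `/Library/LaunchDaemons` are not reported, which is why the rule's false-positive note is limited to administrators who genuinely manage emond rules: ordinary system updates touching `com.apple.emond.plist` do not trip it.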
Related rules
- Startup Items
- Addition of SID History to Active Directory Object
- MITRE BZAR Indicators for Persistence
- Scheduled Task/Job At
- Password Change on Directory Service Restore Mode (DSRM) Account