
MacOS Emond Launch Daemon

Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.

Author: Alejandro Ortuno, oscd.community. Created Fri Oct 23, updated Sat Nov 27.
Log Source
Product: macOS (raw: macos)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic (2 selectors)
detection:
    selection_1:
        TargetFilename|contains: '/etc/emond.d/rules/'
        TargetFilename|endswith: '.plist'
    selection_2:
        TargetFilename|contains: '/private/var/db/emondClients/'
    condition: 1 of selection_*
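As an added example (not the rule author's or the Sigma project's code), a minimal Python evaluator for the detection block above, run over constructed macOS file events. It supports only the contains/endswith modifiers and the "N of pattern" condition this rule uses, and, like Sigma, matches strings case-insensitively.

```python
import fnmatch
# The rule's detection section, embedded as a dict so no YAML parser is needed.
DETECTION = {
    "selection_1": {
        "TargetFilename|contains": "/etc/emond.d/rules/",
        "TargetFilename|endswith": ".plist",
    },
    "selection_2": {"TargetFilename|contains": "/private/var/db/emondClients/"},
    "condition": "1 of selection_*",
}

def _field_matches(field_spec: str, wanted: str, event: dict) -> bool:
    """Apply one 'field|modifier: value' item. Sigma string matching is
    case-insensitive, so both sides are lower-cased before comparing."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()
    wanted = wanted.lower()
    if modifier == "contains":
        return wanted in actual
    if modifier == "endswith":
        return actual.endswith(wanted)
    raise ValueError(f"modifier not supported by this example: {modifier}")

def _selection_matches(selection: dict, event: dict) -> bool:
    # Every item inside one selection map must hold (Sigma ANDs them).
    return all(_field_matches(k, v, event) for k, v in selection.items())

def rule_matches(detection: dict, event: dict) -> bool:
    """Evaluate a '<N|all> of <pattern>' condition, the only form this rule uses."""
    quantifier, _, pattern = detection["condition"].partition(" of ")
    names = [n for n in detection if n != "condition" and fnmatch.fnmatch(n, pattern)]
    hits = sum(_selection_matches(detection[n], event) for n in names)
    return hits == len(names) if quantifier == "all" else hits >= int(quantifier)

# Constructed sample file events (not real telemetry).
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/emond.d/rules/SampleRules.plist"},
    {"TargetFilename": "/private/var/db/emondClients/example_client"},
    {"TargetFilename": "/etc/emond.d/rules/notes.txt"},              # wrong extension
    {"TargetFilename": "/Library/LaunchDaemons/com.example.plist"},  # outside emond paths
]

def triage(events, detection=DETECTION):
    """Return the TargetFilename of every event the rule fires on."""
    return [e["TargetFilename"] for e in events if rule_matches(detection, e)]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("ALERT:", path)
```

The `.txt` drop in `/etc/emond.d/rules/` shows why selection_1 needs both items to hold, which is also the gap a reviewer would weigh against the "legitimate administration" false positives noted below.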
False Positives

Legitimate administration activities

MITRE ATT&CK: Persistence, Privilege Escalation, T1546.014 (Event Triggered Execution: Emond)
Rule Metadata
Rule ID: 23c43900-e732-45a4-8354-63e4a6c187ce
Status: test
Level: medium
Type: Detection
Created: Fri Oct 23
Modified: Sat Nov 27
Path: rules/macos/file_event/file_event_macos_emond_launch_daemon.yml
Raw Tags: attack.persistence, attack.privilege-escalation, attack.t1546.014