From 11df6c2566657d611b4bc8d6b2b19480c5efd390 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno <alejandro.ortuno@auth0.com>
Date: Fri, 23 Oct 2020 10:16:59 +0200
Subject: [PATCH] Sigma rule

---
 rules/linux/macos_emond_launch_daemon.yml | 26 +++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/linux/macos_emond_launch_daemon.yml

diff --git a/rules/linux/macos_emond_launch_daemon.yml b/rules/linux/macos_emond_launch_daemon.yml
new file mode 100644
index 000000000..1c904a61b
--- /dev/null
+++ b/rules/linux/macos_emond_launch_daemon.yml
@@ -0,0 +1,26 @@
+title: MacOS Emond Launch Daemon
+id: 23c43900-e732-45a4-8354-63e4a6c187ce
+status: experimental
+description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/23
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
+    - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+logsource:
+  category: file_event
+  product: macos
+detection:
+  selection_1:
+    TargetFilename|contains: '/etc/emond.d/rules/'
+    TargetFilename|endswith: '.plist'
+  selection_2:
+    TargetFilename|contains: '/private/var/db/emondClients/'
+  condition: selection_1 or selection_2
+falsepositives:
+    - Legitimate administration activities
+level: medium
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1546.014