title: MacOS Emond Launch Daemon
id: 23c43900-e732-45a4-8354-63e4a6c187ce
status: experimental
description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
author: Alejandro Ortuno, oscd.community
date: 2020/10/23
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
    - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
logsource:
  category: file_event
  product: macos
detection:
  selection_1:
    TargetFilename|contains: '/etc/emond.d/rules/'
    TargetFilename|endswith: '.plist'
  selection_2:
    TargetFilename|contains: '/private/var/db/emondClients/'
  condition: selection_1 or selection_2
falsepositives:
    - Legitimate administration activities
level: medium
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1546.014