security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
01dc930c173e329c191245b76f05de5fa4b5da21
blue-team-tools/rules/linux/macos/file_event/macos_emond_launch_daemon.yml
T
frack113 01dc930c17 Change status for old rules
2021-11-27 11:33:14 +01:00

28 lines
921 B
YAML
Raw Blame History

title: MacOS Emond Launch Daemon
id: 23c43900-e732-45a4-8354-63e4a6c187ce
status: test
description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
author: Alejandro Ortuno, oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
- https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
date: 2020/10/23
modified: 2021/11/27
logsource:
category: file_event
product: macos
detection:
selection_1:
TargetFilename|contains: '/etc/emond.d/rules/'
TargetFilename|endswith: '.plist'
selection_2:
TargetFilename|contains: '/private/var/db/emondClients/'
condition: selection_1 or selection_2
falsepositives:
- Legitimate administration activities
level: medium
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1546.014
Reference in New Issue View Git Blame Copy Permalink