Detection focuses on identifying unauthorized file creation or modification within /etc/emond.d/rules/ or /private/var/db/emondClients, which can indicate an attempt to register a malicious emond rule. Correlate such writes with process execution of /sbin/emond and with any commands it launches, especially during boot or login events. Anomalies include rule files written by non-root users and unexpected shell commands executed as children of emond.
| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | macos:unifiedlog | file create or modify in /etc/emond.d/rules or /private/var/db/emondClients |
| Process Creation (DC0032) | macos:unifiedlog | execution of /sbin/emond with child processes launched |
| File Modification (DC0061) | macos:unifiedlog | rule definitions written to emond rule plists |
| Command Execution (DC0064) | macos:unifiedlog | command execution triggered by emond (e.g., shell, curl, python) |

| Field | Description |
|---|---|
| PathPrefix | Paths such as `/etc/emond.d/rules/` and `/private/var/db/emondClients` may vary slightly or be symlinked in some setups |
| TimeWindow | The time range for correlating rule file creation to emond execution may be tuned based on system performance and usage |
| ParentProcessFilter | Defenders may wish to restrict alerts to emond processes not spawned from trusted system update or provisioning tools |
| CommandPatternList | List of known suspicious commands or binaries used by adversaries (e.g., reverse shells, persistence scripts) |
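The correlation described above, written out as an added example (not part of the original page or of any vendor detection content). It runs over a small set of constructed events, not real unified-log output; the event fields, the rule-directory prefixes, the 300-second window, the trusted-parent allow-list and the command pattern list are assumptions that map onto the PathPrefix, TimeWindow, ParentProcessFilter and CommandPatternList tunables in the table.

```python
"""Correlate emond rule-file writes with /sbin/emond activity (constructed events)."""
from dataclasses import dataclass

# Tunables corresponding to the fields in the table above (assumed values).
PATH_PREFIXES = ("/etc/emond.d/rules/", "/private/var/db/emondClients")
TIME_WINDOW_S = 300                       # seconds between rule write and emond start
TRUSTED_PARENTS = {"/path/to/trusted/provisioning-tool"}  # hypothetical allow-list
COMMAND_PATTERNS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/curl", "/usr/bin/python3")


@dataclass
class Event:
    """Normalised event; the schema is an assumption, not the unified-log format."""
    ts: float          # epoch seconds
    kind: str          # "file_create", "file_modify" or "process_create"
    path: str = ""     # file path for file events
    uid: int = 0       # uid that performed the write
    image: str = ""    # executable path for process events
    parent: str = ""   # parent executable path for process events
    cmdline: str = ""  # full command line for process events


def is_rule_path(path, prefixes=PATH_PREFIXES):
    """True when the path lies under one of the emond rule/client directories."""
    return any(path.startswith(p) for p in prefixes)


def analyze(events, window=TIME_WINDOW_S, prefixes=PATH_PREFIXES,
            trusted_parents=TRUSTED_PARENTS, patterns=COMMAND_PATTERNS):
    """Return a list of (alert_type, ...) tuples derived from the event stream."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []

    # 1. Rule writes: any write under the emond directories, flag non-root authors.
    rule_writes = [e for e in events
                   if e.kind in ("file_create", "file_modify") and is_rule_path(e.path, prefixes)]
    for w in rule_writes:
        if w.uid != 0:
            alerts.append(("NONROOT_RULE_WRITE", w.ts, w.path, w.uid))

    # 2. emond starts, excluding those spawned by allow-listed provisioning tools.
    emond_runs = [e for e in events
                  if e.kind == "process_create" and e.image == "/sbin/emond"
                  and e.parent not in trusted_parents]

    # 3. Rule write followed by an emond start within the time window.
    for w in rule_writes:
        for r in emond_runs:
            if 0 <= r.ts - w.ts <= window:
                alerts.append(("RULE_WRITE_THEN_EMOND", w.ts, w.path, r.ts))

    # 4. Children of emond whose command line matches a suspicious pattern.
    for e in events:
        if (e.kind == "process_create" and e.parent == "/sbin/emond"
                and any(p in e.cmdline for p in patterns)):
            alerts.append(("EMOND_SUSPICIOUS_CHILD", e.ts, e.image, e.cmdline))
    return alerts


# Constructed sample stream: a non-root rule write, a root client write,
# an emond start at login, one shell child and one unrelated process.
SAMPLE_EVENTS = [
    Event(ts=100.0, kind="file_create", path="/etc/emond.d/rules/update.plist", uid=501),
    Event(ts=105.0, kind="file_create", path="/private/var/db/emondClients/client", uid=0),
    Event(ts=200.0, kind="process_create", image="/sbin/emond", parent="/sbin/launchd"),
    Event(ts=201.0, kind="process_create", image="/bin/sh", parent="/sbin/emond",
          cmdline="/bin/sh -c /tmp/.helper.sh"),
    Event(ts=300.0, kind="process_create", image="/bin/ls", parent="/bin/zsh", cmdline="/bin/ls"),
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Tightening `window` or extending `trusted_parents` changes only the correlation alerts; the non-root write and the suspicious-child checks stand on their own, which is useful when emond starts long after the rule was dropped (for example, at the next boot).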