Emond

Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers. Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place. The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the Launch Daemon configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist.[1][2][3]

Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.[1][2][3] Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the Launch Daemon service.

ID: T1519
Tactic: Persistence, Privilege Escalation
Platform: macOS
Permissions Required: Administrator
Data Sources: File monitoring, API monitoring
Contributors: Ivan Sinyakov
Version: 1.0

Mitigations

Mitigation Description
Disable or Remove Feature or Program Consider disabling emond by removing the Launch Daemon plist file.

Detection

Monitor emond rules creation by checking for files created or modified in /etc/emond.d/rules/ and /private/var/db/emondClients.

References