Emond
Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon on macOS that accepts events from various services, runs them through a simple rule engine, and takes action. The emond rules files are stored at /etc/emond.d/rules/ and rules are defined in plist format. Adversaries can write malicious event rules to these files to execute arbitrary code when a matching event occurs. Emond runs as root — any process or command triggered by an emond rule executes with root privileges, making this both a persistence and privilege escalation technique.
DeviceFileEvents
| where Timestamp > ago(24h)
| where DeviceOSPlatform has_any ("macOS", "Mac", "Darwin")
| where (
FolderPath has "/etc/emond.d/rules/"
or FolderPath has "/etc/emond.d/"
or (FileName endswith ".plist" and FolderPath has "emond")
)
| where ActionType in ("FileCreated", "FileModified")
| extend IsRulesDir = FolderPath has "/etc/emond.d/rules/"
| extend IsNewPlist = FileName endswith ".plist"
| project Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath,
IsRulesDir, IsNewPlist,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp descData Sources
Required Tables
False Positives
- macOS system software updates that modify or add emond rule files as part of OS configuration
- Enterprise macOS management tools (Jamf Pro, Munki) that deploy emond rules as part of system configuration management
- Security monitoring products that use emond for system event monitoring on macOS
- Legitimate IT operations that create emond rules for custom alerting or automation workflows
Unlock Pro Content
Get the full detection package for T1546.014 including response playbook, investigation guide, and atomic red team tests.