T1546.014 Google Chronicle · YARA-L

Detect Emond in Google Chronicle

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon on macOS that accepts events from various services, runs them through a simple rule engine, and takes action. The emond rules files are stored at /etc/emond.d/rules/ and rules are defined in plist format. Adversaries can write malicious event rules to these files to execute arbitrary code when a matching event occurs. Emond runs as root — any process or command triggered by an emond rule executes with root privileges, making this both a persistence and privilege escalation technique.

MITRE ATT&CK

Tactic: Privilege Escalation, Persistence
Technique: T1546 Event Triggered Execution
Sub-technique: T1546.014 Emond
Canonical reference: https://attack.mitre.org/techniques/T1546/014/

YARA-L Detection Query

Google Chronicle (YARA-L)

rule macos_emond_rule_file_modification {
  meta:
    author = "Detection Engineering"
    description = "Detects file creation or modification in the macOS emond rules directory (/etc/emond.d/rules/) which can indicate persistence or privilege escalation via the Event Monitor Daemon."
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1546.014"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    // File write activity only. Statements on separate lines in the events
    // section are ANDed together, so the disjunction is parenthesised.
    (
      $e.metadata.event_type = "FILE_CREATION" or
      $e.metadata.event_type = "FILE_MODIFICATION"
    )

    // Restrict to macOS endpoints.
    $e.principal.platform = "MAC"

    // Either any path under the emond configuration directory (this already
    // covers /etc/emond.d/rules/), or a plist anywhere whose path mentions emond.
    (
      re.regex($e.target.file.full_path, `/etc/emond\.d/.*`) or
      (
        re.regex($e.target.file.full_path, `.*emond.*`) and
        re.regex($e.target.file.full_path, `.*\.plist`)
      )
    )

  condition:
    $e
}

YARA-L 2.0 rule that detects FILE_CREATION or FILE_MODIFICATION UDM events on macOS hosts targeting the emond rules directory (/etc/emond.d/rules/) or emond-associated plist files. Matches Chronicle telemetry from macOS endpoint agents to identify adversarial use of the Event Monitor Daemon for persistence or root-level privilege escalation.

Data Sources

  • Chronicle UDM events from macOS endpoint agents (CrowdStrike Falcon, Carbon Black, SentinelOne)
  • Google Workspace/Chronicle file activity ingestion

Required Tables

UDM file events (FILE_CREATION, FILE_MODIFICATION) with principal.platform = MAC

False Positives & Tuning

  • MDM or configuration management tooling (Jamf, Mosyle, Addigy) legitimately creating or updating emond rule plists as part of corporate macOS fleet management
  • macOS developers or system administrators manually editing emond rules during authorized testing or troubleshooting on endpoints with low-risk profiles
  • Automated backup or FIM agents copying /etc/emond.d/ contents to a staging location, appearing as file creation events in Chronicle telemetry

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Malicious Emond Rule for Startup Persistence

    Expected signal: File creation event for /etc/emond.d/rules/argus_test.plist. Process creation for tee writing to the rules directory. On next startup or emond reload, emond spawns the touch command as root — file creation event for /tmp/emond_executed.

  2. Test 2: Verify Emond Service Status

    Expected signal: Process creation for launchctl and ls. Read-only — no modifications. Output shows emond service state and all existing rule files.

  3. Test 3: Create Emond Authentication Event Rule

    Expected signal: File creation event for /etc/emond.d/rules/argus_auth_test.plist. The authentication event trigger fires on user login, causing emond to spawn the touch command as root.
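As an added example (not part of this page and not Chronicle tooling), the Python below re-implements the events logic of the YARA-L rule above over constructed UDM-shaped event dicts: the file-creation signals from Tests 1 and 3, plus the benign cases the tuning section lists. The field names are the ones the rule uses; every path other than the two Atomic test paths is a constructed sample, and the code assumes the rule's regexes match unanchored (which the `.*` wrappers make true for the plist branch either way).

```python
import re


def matches_emond_rule(event: dict) -> bool:
    """Return True when a UDM-shaped event would satisfy the rule's events section."""
    event_type = event.get("metadata", {}).get("event_type")
    if event_type not in ("FILE_CREATION", "FILE_MODIFICATION"):
        return False
    if event.get("principal", {}).get("platform") != "MAC":
        return False
    path = event.get("target", {}).get("file", {}).get("full_path") or ""
    # re.search mirrors unanchored matching; /etc is a symlink to /private/etc on
    # macOS, so a substring match also catches the resolved /private/etc/... form.
    in_emond_dir = re.search(r"/etc/emond\.d/.*", path) is not None
    emond_plist = re.search(r".*emond.*", path) and re.search(r".*\.plist", path)
    return in_emond_dir or bool(emond_plist)


def udm_file_event(event_type: str, platform: str, path: str) -> dict:
    """Build a minimal UDM-shaped event dict (constructed sample, not real telemetry)."""
    return {"metadata": {"event_type": event_type},
            "principal": {"platform": platform},
            "target": {"file": {"full_path": path}}}


# Constructed samples: the Atomic test signals, an MDM-managed rewrite, a backup
# agent staging copy, and events that should not fire (wrong OS, read-only, unrelated).
SAMPLES = {
    "atomic_test1": udm_file_event("FILE_CREATION", "MAC", "/etc/emond.d/rules/argus_test.plist"),
    "atomic_test3": udm_file_event("FILE_CREATION", "MAC", "/etc/emond.d/rules/argus_auth_test.plist"),
    "resolved_path": udm_file_event("FILE_CREATION", "MAC", "/private/etc/emond.d/rules/argus_test.plist"),
    "mdm_rewrite": udm_file_event("FILE_MODIFICATION", "MAC", "/etc/emond.d/rules/corp_rule.plist"),
    "backup_copy": udm_file_event("FILE_CREATION", "MAC", "/var/backups/emond.d/rules/argus_test.plist"),
    "linux_host": udm_file_event("FILE_CREATION", "LINUX", "/etc/emond.d/rules/argus_test.plist"),
    "read_only": udm_file_event("FILE_READ", "MAC", "/etc/emond.d/rules/argus_test.plist"),
    "unrelated_plist": udm_file_event("FILE_CREATION", "MAC", "/Library/LaunchDaemons/com.example.plist"),
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: matches_emond_rule(ev) for name, ev in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:16} -> {'ALERT' if hit else 'no match'}")
```

Note that the backup-staging copy fires through the plist branch even though it is outside /etc/emond.d/, which is exactly the case the tuning list calls out.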
