Which SIEM platforms have a T1546.014 detection rule?

df00tech provides T1546.014 (Emond) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Emond (T1546.014)?

Detecting Emond requires the following data sources: File: File Creation, File: File Modification, Microsoft Defender for Endpoint.

What severity and confidence is the T1546.014 detection?

The T1546.014 detection is rated high severity with high confidence.

What are common false positives for T1546.014?

Common false positives for T1546.014 include: macOS system software updates that modify or add emond rule files as part of OS configuration; Enterprise macOS management tools (Jamf Pro, Munki) that deploy emond rules as part of system configuration management; Security monitoring products that use emond for system event monitoring on macOS.

T1546.014 Elastic Security · Elastic

Detect Emond in Elastic Security

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon on macOS that accepts events from various services, runs them through a simple rule engine, and takes action. The emond rules files are stored at /etc/emond.d/rules/ and rules are defined in plist format. Adversaries can write malicious event rules to these files to execute arbitrary code when a matching event occurs. Emond runs as root — any process or command triggered by an emond rule executes with root privileges, making this both a persistence and privilege escalation technique.

MITRE ATT&CK

Tactic: Privilege Escalation Persistence
Technique: T1546 Event Triggered Execution
Sub-technique: T1546.014 Emond
Canonical reference: https://attack.mitre.org/techniques/T1546/014/

Elastic Detection Query

Elastic Security (Elastic)

eql

file where host.os.type == "macos" and
  event.type in ("creation", "change") and
  (
    file.path like "/etc/emond.d/rules/*" or
    file.path like "/etc/emond.d/*" or
    (file.extension == "plist" and file.path like "*emond*")
  )

high severity high confidence

Detects file creation or modification events targeting the macOS Event Monitor Daemon (emond) rules directory /etc/emond.d/rules/ or any plist file associated with emond. Adversaries write malicious plist-based rules to this directory to achieve persistence and privilege escalation, as emond executes all triggered rule actions as root.

Data Sources

Elastic EndpointAuditbeat (file integrity module)

Required Tables

logs-endpoint.events.file-*auditbeat-*

False Positives & Tuning

macOS system updates or Apple software components legitimately modifying emond rule files during OS patching or configuration management
MDM/EMM solutions such as Jamf or Mosyle pushing endpoint configuration policies that write to /etc/emond.d/ as part of sanctioned device management
Security software or FIM agents inspecting or backing up emond rule files during scheduled compliance scans

Download portable Sigma rule (.yml)

Other platforms for T1546.014

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Create Malicious Emond Rule for Startup Persistence
Expected signal: File creation event for /etc/emond.d/rules/argus_test.plist. Process creation for tee writing to the rules directory. On next startup or emond reload, emond spawns the touch command as root — file creation event for /tmp/emond_executed.
Test 2Verify Emond Service Status
Expected signal: Process creation for launchctl and ls. Read-only — no modifications. Output shows emond service state and all existing rule files.
Test 3Create Emond Authentication Event Rule
Expected signal: File creation event for /etc/emond.d/rules/argus_auth_test.plist. The authentication event trigger fires on user login, causing emond to spawn the touch command as root.

Last updated: 2026-04-20 Research depth: deep

References (4)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1546.014 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detect Emond in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1546.014

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1546.014

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

Get new detections in your inbox