title: Emond (T1546.014)
id: df00tech-t1546-014
status: experimental
description: "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon on macOS that accepts events from various services, runs them through a simple rule engine, and takes action. The emond rules files are stored at /etc/emond.d/rules/ and rules are defined in plist format. Adversaries can write malicious event rules to these files to execute arbitrary code when a matching event occurs. Emond runs as root — any process or command triggered by an emond rule executes with root privileges, making this both a persistence and privilege escalation technique."
references:
  - https://attack.mitre.org/techniques/T1546/014/
  - https://df00tech.com/detections/T1546.014
author: df00tech
date: 2026/04/20
tags:
  - attack.t1546.014
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: macos
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - macOS system software updates that modify or add emond rule files as part of OS configuration
  - "Enterprise macOS management tools (Jamf Pro, Munki) that deploy emond rules as part of system configuration management"
  - Security monitoring products that use emond for system event monitoring on macOS
  - Legitimate IT operations that create emond rules for custom alerting or automation workflows
level: high
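Added example, not part of this rule or df00tech's content: a small Python audit that parses emond rule plists and reports enabled rules with a RunCommand action, the kind of baseline check a defender can run over /etc/emond.d/rules/ while the detection logic above is still a placeholder. It assumes the rule layout emond uses (a plist array of rule dicts with name, enabled, eventTypes and typed actions), and the embedded sample plist is constructed.

```python
"""Audit emond rule plists and report rules whose actions run a command."""
import plistlib
from pathlib import Path
# Constructed sample in emond's rule layout: a plist array of rule dicts,
# each carrying name, enabled, eventTypes and a list of typed actions.
SAMPLE_RULE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><array>
  <dict>
    <key>name</key><string>suspicious startup rule</string>
    <key>enabled</key><true/>
    <key>eventTypes</key><array><string>startup</string></array>
    <key>actions</key><array><dict>
      <key>type</key><string>RunCommand</string>
      <key>command</key><string>/Users/Shared/example.sh</string>
      <key>user</key><string>root</string>
    </dict></array>
  </dict>
  <dict>
    <key>name</key><string>benign log rule</string>
    <key>enabled</key><true/>
    <key>eventTypes</key><array><string>startup</string></array>
    <key>actions</key><array><dict>
      <key>type</key><string>Log</string><key>message</key><string>emond up</string>
    </dict></array>
  </dict>
</array></plist>
"""

def find_run_command_actions(plist_bytes):
    """Return (rule name, event types, command) for every enabled RunCommand action."""
    findings = []
    for rule in plistlib.loads(plist_bytes):
        if not rule.get("enabled", True):  # missing key: assume enabled (conservative)
            continue
        for action in rule.get("actions", []):
            if action.get("type") == "RunCommand":
                findings.append((rule.get("name", "?"),
                                 tuple(rule.get("eventTypes", [])),
                                 action.get("command", "")))
    return findings

def audit_rules_dir(rules_dir="/etc/emond.d/rules"):
    """Scan every .plist in the emond rules directory; unreadable files are reported too."""
    report = {}
    for path in sorted(Path(rules_dir).glob("*.plist")):
        try:
            report[str(path)] = find_run_command_actions(path.read_bytes())
        except (OSError, plistlib.InvalidFileException, ValueError, TypeError) as exc:
            report[str(path)] = [("parse error", (), str(exc))]
    return report
```

Compare the report against a known-good baseline of the directory; any new RunCommand action, especially one pointing outside system paths, is worth investigating since it will run as root.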
