Emond - T1519
Definition
Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers. Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond
will load any rules from the /etc/emond.d/rules/
directory and take action once an explicitly defined event takes place. The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the Launch Daemon configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.
D3FEND Inferred Relationships
There are no digital artifacts defined on this offensive technique (yet). Please consider contributing an addition to D3FEND.