valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
458973af81
SigmaHQ/rules/linux/macos_emond_launch_daemon.yml
Alejandro Ortuno 11df6c2566 Sigma rule
2020-10-23 10:16:59 +02:00

27 lines
920 B
YAML
Raw Blame History

title: MacOS Emond Launch Daemon
id: 23c43900-e732-45a4-8354-63e4a6c187ce
status: experimental
description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
author: Alejandro Ortuno, oscd.community
date: 2020/10/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
- https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
logsource:
category: file_event
product: macos
detection:
selection_1:
TargetFilename|contains: '/etc/emond.d/rules/'
TargetFilename|endswith: '.plist'
selection_2:
TargetFilename|contains: '/private/var/db/emondClients/'
condition: selection_1 or selection_2
falsepositives:
- Legitimate administration activities
level: medium
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1546.014
Reference in New Issue View Git Blame Copy Permalink