Emond - T1546.014
(ATT&CK® Technique)
Definition
Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place.
D3FEND Inferred Relationships
Offensive technique to artifacts:
Emond modifies Configuration Resource.
Emond may create Property List File.
Emond may modify Property List File.
Defensive techniques:
File Integrity Monitoring analyzes Property List File; may detect Emond.
File Eviction deletes Property List File; may evict Emond.
Decoy File spoofs Property List File; may deceive Emond.
File Encryption encrypts Property List File; may harden Emond.
Local File Permissions restricts Property List File; may harden Emond.
Restore Configuration restores Configuration Resource; may restore Emond.
Restore File restores Property List File; may restore Emond.
File Analysis analyzes Property List File; may detect Emond.
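An added example, not part of the D3FEND page: a minimal file-integrity check in the spirit of the File Integrity Monitoring relationship, which baselines the rules directory named in the definition and reports created, modified or deleted files, noting whether each still parses as a property list. The function names and the sample files written by demo() are constructed for illustration.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

RULES_DIR = Path("/etc/emond.d/rules")  # rules directory named on this page


def snapshot(rules_dir=RULES_DIR):
    """Map each file in rules_dir to its SHA-256 and whether it parses as a plist."""
    snap = {}
    root = Path(rules_dir)
    if not root.is_dir():
        return snap  # directory absent: nothing to record
    for path in sorted(p for p in root.iterdir() if p.is_file()):
        data = path.read_bytes()
        try:
            plistlib.loads(data)
            is_plist = True
        except Exception:  # malformed or non-plist content
            is_plist = False
        snap[path.name] = {"sha256": hashlib.sha256(data).hexdigest(), "plist": is_plist}
    return snap


def compare(baseline, current):
    """Return (change, file name, parses_as_plist) for every difference."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            findings.append(("created", name, new["plist"]))
        elif new is None:
            findings.append(("deleted", name, None))
        elif old["sha256"] != new["sha256"]:
            findings.append(("modified", name, new["plist"]))
    return findings


def demo():
    """Run against a temporary directory holding constructed sample files."""
    with tempfile.TemporaryDirectory() as tmp:
        rules = Path(tmp)
        (rules / "existing.plist").write_bytes(plistlib.dumps([{"name": "constructed"}]))
        baseline = snapshot(rules)
        (rules / "existing.plist").write_bytes(plistlib.dumps([{"name": "changed"}]))
        (rules / "added.plist").write_bytes(b"not a plist")
        return compare(baseline, snapshot(rules))
```

On a real host the baseline returned by snapshot() would be stored somewhere the monitored account cannot write, then compared on a schedule.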