MITRE ATT&CK® Analytic

AN1534: Analytic 1534

Detection focuses on identifying unauthorized file creation or modification within `/etc/emond.d/rules/` or `/private/var/db/emondClients`, which indicates an attempt to register a malicious emond rule. Correlate with process execution of `/sbin/emond` and any launched commands it invokes, especially during boot or login events. Anomalies may include rules created by non-root users or unexpected shell commands executed by emond.

Domain: Enterprise | Object: AN1534 (Analytic) | Version 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is about spotting unauthorized macOS changes that could register an emond rule, a mechanism that can cause commands to run around boot or login activity. For security leaders, the value is confirming that Mac endpoints are not a persistence blind spot: if these paths are not monitored, an incident team may miss evidence of unwanted automated execution even when broader endpoint logging appears healthy.

Executive priority

Prioritize this where macOS systems support sensitive users, administrators, developers, or business-critical workflows. The decision question is whether endpoint monitoring and incident response playbooks can prove who created or modified emond rule locations, whether the change was authorized, and what commands emond launched afterward. This also supports audit and compliance evidence for endpoint change monitoring and privileged activity review on macOS.

Technical view

Validate monitoring for unauthorized file creation or modification in `/etc/emond.d/rules/` and `/private/var/db/emondClients` on macOS. Correlate those changes with execution of `/sbin/emond` and child or invoked commands, especially near boot or login events. Investigate rules created by non-root users and unexpected shell command execution by emond. Because no ATT&CK tactic or relationship context is supplied, treat this as a focused detection analytic rather than a complete technique-level coverage statement.

Likely telemetry

  • macOS file creation and modification events for `/etc/emond.d/rules/`
  • macOS file creation and modification events for `/private/var/db/emondClients`
  • process execution telemetry for `/sbin/emond`
  • parent-child or launched-command telemetry for commands invoked by emond
  • user/account context for file changes, including whether the actor was root or non-root

Detection direction

  • Confirm endpoint tooling records file writes to both specified macOS paths, not only generic process execution.
  • Tune alerts for unauthorized or unusual rule creation/modification, with special attention to changes by non-root users.
  • Correlate path changes with `/sbin/emond` execution and any commands launched by emond to distinguish benign configuration activity from suspicious automation.
  • Review false positives from legitimate administrative configuration management or approved macOS maintenance activity.
  • Check for blind spots around boot/login-time execution, because delayed or sparse telemetry can make the file change and resulting command execution appear unrelated.
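The correlation the list above describes, written out as an added example (it is not MITRE's or Glexia's detection content). It assumes a simplified event schema in which endpoint telemetry has already been normalized into file-write and process-execution records with a uid, pid and ppid; the sample events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The two emond locations named by the analytic; any write at or under them is in scope.
EMOND_PATHS = ("/etc/emond.d/rules/", "/private/var/db/emondClients")


def is_emond_path(path: str) -> bool:
    """True if the written path is the rules directory or the client trigger directory."""
    return any(path == p.rstrip("/") or path.startswith(p.rstrip("/") + "/") for p in EMOND_PATHS)


@dataclass
class Event:
    ts: datetime
    kind: str        # "file_write" or "proc_exec" (assumed normalized schema)
    path: str = ""   # file_write: path written
    uid: int = -1    # acting user; 0 is root
    pid: int = 0
    ppid: int = 0
    exe: str = ""    # proc_exec: executable path
    cmd: str = ""    # proc_exec: full command line


def find_emond_anomalies(events, window=timedelta(minutes=10)):
    """Flag writes to the emond paths (non-root writers are rated high) and any command
    whose parent process is /sbin/emond and that starts within `window` after such a write."""
    findings = []
    emond_pids = {e.pid for e in events if e.kind == "proc_exec" and e.exe == "/sbin/emond"}
    writes = [e for e in events if e.kind == "file_write" and is_emond_path(e.path)]
    for w in writes:
        sev = "high" if w.uid != 0 else "medium"   # root writes still need baselining
        findings.append((w.ts, sev, f"emond rule/client write by uid {w.uid}: {w.path}"))
    for e in events:
        if e.kind != "proc_exec" or e.ppid not in emond_pids:
            continue
        if any(timedelta(0) <= e.ts - w.ts <= window for w in writes):
            findings.append((e.ts, "high", f"emond-launched command after rule write: {e.cmd}"))
    return sorted(findings)


# Constructed sample telemetry: a non-root user drops a rule and a client trigger,
# then emond (pid 120) spawns a shell; the /etc/hosts write is unrelated noise.
T0 = datetime(2024, 1, 1, 8, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "proc_exec", uid=0, pid=120, ppid=1, exe="/sbin/emond", cmd="/sbin/emond"),
    Event(T0 + timedelta(seconds=30), "file_write", path="/etc/emond.d/rules/update.plist", uid=501, pid=800),
    Event(T0 + timedelta(seconds=31), "file_write", path="/private/var/db/emondClients/trigger", uid=501, pid=800),
    Event(T0 + timedelta(seconds=90), "proc_exec", uid=0, pid=901, ppid=120, exe="/bin/sh", cmd="/bin/sh -c /Library/Scripts/example.sh"),
    Event(T0 + timedelta(seconds=95), "file_write", path="/etc/hosts", uid=0, pid=33),
]
```

Run against real data, the `window` and the root-write severity should be tuned to the approved baseline of administrative changes on each fleet.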

Mitigation priorities

  • Establish an approved baseline for legitimate emond-related files and owners on managed macOS systems.
  • Restrict and review write access to the specified rule and client locations using standard macOS administrative controls.
  • Ensure macOS endpoint logging, EDR, or managed detection coverage includes the specified paths and process relationships.
  • Add incident response triage steps to collect the modified rule files, user context, `/sbin/emond` execution history, and invoked command details.
  • Use change management or compliance evidence to distinguish expected administrative changes from unauthorized persistence-like behavior.

Analyst notes and limits

The supplied object is a detection analytic for macOS focused on emond rule registration indicators. It provides concrete paths, process context, and suspicious conditions but no tactic mapping, related techniques, campaigns, software, or mitigations. Local baselining is important because legitimate administrative activity may touch these areas.

Official detection content is not provided beyond the description, and no relationships are supplied. This take does not establish active exploitation, attribution, prevalence, impact, or guaranteed detection coverage. Validation requires environment-specific telemetry and knowledge of approved macOS administration practices.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9dd08026ccfa9f88...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 9dd08026ccfa…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1534 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.