MITRE ATT&CK® Detection Strategy

DET0555: Detection Strategy for Event Triggered Execution via emond on macOS

Enterprise · DET0555 · Detection Strategy · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0555 is a MITRE detection strategy object for spotting Event Triggered Execution via emond on macOS, tied to ATT&CK technique T1546.014. The business significance is persistence and privilege-escalation risk on macOS systems: if emond rules are abused, activity may be triggered by system events rather than obvious user actions, making it easy to miss without endpoint visibility into rule changes and daemon-driven execution.

Executive priority

Treat this as a macOS endpoint resilience and incident-readiness question: do security teams have evidence showing when emond rules are created or changed, and can they explain what /sbin/emond executed afterward? For organizations with material macOS fleets, this supports control prioritization around endpoint telemetry, change monitoring, privileged file-system locations, and audit evidence for persistence detection. Because the supplied ATT&CK object has no official detection text, leaders should ask for local validation rather than assume coverage exists.

Technical view

SOC and detection engineering teams should validate coverage against the related technique T1546.014 Emond, which MITRE maps to persistence and privilege escalation on macOS. Focus on changes to /etc/emond.d/rules/ and activity involving the /sbin/emond binary, especially rule-driven actions following explicitly defined events. Incident responders should be prepared to review emond rule contents, timestamps, ownership, and any child or follow-on execution associated with emond. Detection logic should be tested in the local macOS environment because the detection strategy object itself does not provide official analytics, platforms, or detection procedures.

Likely telemetry

  • macOS endpoint process execution telemetry involving /sbin/emond
  • File creation, modification, deletion, ownership, and permission changes under /etc/emond.d/rules/
  • Endpoint file integrity or configuration monitoring for emond rule locations
  • Parent-child or causality telemetry showing actions launched by emond
  • Host timeline evidence for rule changes correlated with subsequent event-triggered execution

Detection direction

  • Confirm whether endpoint sensors collect both file-change telemetry for /etc/emond.d/rules/ and process execution context for /sbin/emond.
  • Baseline legitimate emond rule files and expected administrative changes to reduce false positives from authorized configuration activity.
  • Correlate new or modified emond rules with later daemon-triggered actions rather than relying only on one event type.
  • Validate macOS coverage specifically through the related technique context, since the detection strategy object lists no platform of its own.
  • Document blind spots where file monitoring, process lineage, or privileged path visibility is missing.
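As an added illustration of the correlation point above (this is not part of the MITRE object or of Glexia's text), the Python below pairs rule-file changes under /etc/emond.d/rules/ with later processes whose parent is /sbin/emond. The JSON-lines event schema, the 24-hour window and the sample records are assumptions constructed for the example.

```python
import json
from datetime import datetime, timedelta

RULES_DIR = "/etc/emond.d/rules/"   # paths named on the page
EMOND_BIN = "/sbin/emond"
WINDOW = timedelta(hours=24)         # assumed correlation window; tune locally

# Constructed sample telemetry (not real host data): one JSON record per line,
# mixing file-change and process-execution events from an assumed macOS sensor.
SAMPLE_TELEMETRY = """\
{"ts": "2024-05-01T09:00:00", "type": "file", "action": "modify", "path": "/etc/emond.d/rules/SampleRules.plist", "user": "root"}
{"ts": "2024-05-01T09:02:10", "type": "file", "action": "create", "path": "/etc/emond.d/rules/update.plist", "user": "root"}
{"ts": "2024-05-01T09:05:00", "type": "process", "parent": "/sbin/emond", "exe": "/bin/sh", "cmdline": "sh /Users/Shared/run.sh", "pid": 4120}
{"ts": "2024-05-01T10:00:00", "type": "process", "parent": "/sbin/launchd", "exe": "/usr/bin/log", "cmdline": "log show", "pid": 4200}
{"ts": "2024-05-02T12:00:00", "type": "process", "parent": "/sbin/emond", "exe": "/usr/bin/touch", "cmdline": "touch /tmp/x", "pid": 5000}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate_emond_activity(events, window=WINDOW):
    """Return one finding per process launched by /sbin/emond, listing the rule-file
    changes under /etc/emond.d/rules/ seen within `window` before it. An empty
    'rule_changes' list still gets a 'review' finding: either the rule was already in
    place or file monitoring missed the change (a blind spot worth documenting)."""
    rule_changes = [e for e in events
                    if e["type"] == "file" and e["path"].startswith(RULES_DIR)]
    findings = []
    for child in (e for e in events if e["type"] == "process" and e.get("parent") == EMOND_BIN):
        preceding = [c for c in rule_changes if c["ts"] <= child["ts"] <= c["ts"] + window]
        findings.append({
            "pid": child["pid"],
            "exe": child["exe"],
            "cmdline": child["cmdline"],
            "rule_changes": [c["path"] for c in preceding],
            # seconds from the most recent rule change to execution; None if none seen
            "delay_s": int((child["ts"] - preceding[-1]["ts"]).total_seconds()) if preceding else None,
            "severity": "high" if preceding else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_emond_activity(parse_events(SAMPLE_TELEMETRY)):
        print(json.dumps(finding))
```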

Mitigation priorities

  • Prioritize visibility first: ensure macOS endpoints report file changes in emond rule directories and execution context for daemon-driven activity.
  • Restrict and review administrative access capable of modifying emond rules and related privileged locations.
  • Maintain a known-good baseline of emond rule files for managed macOS systems and investigate unexpected drift.
  • Include emond rule review in macOS persistence checks during incident response.
  • Use validation results as evidence for compliance, audit, and resilience reporting where macOS endpoint persistence monitoring is in scope.

Analyst notes and limits

This take is based on the DET0555 detection strategy metadata and its relationship to ATT&CK technique T1546.014 Emond. The source object does not include an official description or detection field, so the practical guidance is intentionally framed as validation direction derived from the related technique’s supplied description, tactics, platform, and paths.

The detection strategy object has no official detection logic, no official description, and no platforms or tactics directly specified. Any assessment of actual coverage, alert quality, or exposure requires local telemetry, macOS fleet scope, and control configuration evidence.

Official MITRE ATT&CK definition

Detection Strategy for Event Triggered Execution via emond on macOS

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name   Relationship / procedure
Enterprise  T1546.014  Emond  Sub-technique; this object detects Emond.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created
Modified
Raw hash: d5f1542dbdf59343...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  d5f1542dbdf5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.