ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩 (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦仑 (赛宁网安). This is an original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1519

Glossary: /attack/glossary

Emond

Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers. Emond is a Launch Daemon (T1160) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place. The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the Launch Daemon (T1160) configuration file at /System/Library/LaunchDaemons/com.apple.emond.plist.

Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system startup or user authentication. Adversaries may also be able to escalate privileges from administrator to root, as the emond service is executed with root privileges by the Launch Daemon (T1160) service.

Tags

ID: T1519

Tactics: Persistence, Privilege Escalation

Platforms: macOS

Permissions Required: Administrator

Data Sources: File monitoring, API monitoring

Mitigations

Mitigation Description
Disable or Remove Feature or Program (M1042) Consider disabling emond by removing the Launch Daemon (T1160) plist file.

Detection

Monitor emond rule creation by checking for files created or modified in /etc/emond.d/rules/ and /private/var/db/emondClients.
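As an added example (not code from ATT&CK, Apple, or this translation), the following Python audit script parses emond rule plists of the kind described above, reports enabled rules whose actions run a command or send mail, and checks whether the QueueDirectories path holds a file (the condition the page gives for emond to launch). The rule and action key names (name, enabled, eventTypes, actions, type, command) and the sample rule are assumptions constructed for illustration.

```python
import os
import plistlib

RULES_DIR = "/etc/emond.d/rules"             # rule plists loaded by /sbin/emond
QUEUE_DIR = "/private/var/db/emondClients"   # QueueDirectories path that arms emond
RISKY_ACTIONS = {"RunCommand", "SendEmail"}  # assumed action type names

def audit_rules(plist_bytes):
    """Return (rule name, event types, action type, command) for each risky action."""
    rules = plistlib.loads(plist_bytes)
    if isinstance(rules, dict):              # tolerate a single rule not wrapped in an array
        rules = [rules]
    findings = []
    for rule in rules:
        if not isinstance(rule, dict) or not rule.get("enabled", True):
            continue                          # disabled rules never fire
        for action in rule.get("actions", []):
            if isinstance(action, dict) and action.get("type") in RISKY_ACTIONS:
                findings.append((rule.get("name", "<unnamed>"),
                                 tuple(rule.get("eventTypes", [])),
                                 action["type"], action.get("command")))
    return findings

def emond_is_armed(queue_dir=QUEUE_DIR):
    """emond only launches if the QueueDirectories path holds at least one file."""
    if not os.path.isdir(queue_dir):
        return False
    return any(os.path.isfile(os.path.join(queue_dir, n)) for n in os.listdir(queue_dir))

# Constructed sample rule (not taken from any real system): run a command at startup.
SAMPLE_RULE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array><dict>
  <key>name</key><string>constructed startup rule</string>
  <key>enabled</key><true/>
  <key>eventTypes</key><array><string>startup</string></array>
  <key>actions</key><array><dict>
    <key>type</key><string>RunCommand</string>
    <key>command</key><string>/bin/echo</string>
    <key>arguments</key><array><string>constructed</string></array>
  </dict></array>
</dict></array></plist>"""

if __name__ == "__main__":
    print("sample findings:", audit_rules(SAMPLE_RULE))
    if os.path.isdir(RULES_DIR):             # on macOS, audit the live rules too
        for name in sorted(os.listdir(RULES_DIR)):
            if name.endswith(".plist"):
                with open(os.path.join(RULES_DIR, name), "rb") as fh:
                    print(name, audit_rules(fh.read()))
    print("emond armed (QueueDirectories non-empty):", emond_is_armed())
```

Run it on a macOS host to audit the live /etc/emond.d/rules/ directory alongside the constructed sample; a change in either finding set between runs is the file-monitoring signal the detection above calls for.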