Emond Clients

Overview

Evidence: Emond Clients
Description: Collect Emond Clients
Category: System
Platform: macos
Short Name: emnd
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Emond (the macOS event monitor daemon) evaluates rules and runs the actions they define, including executing commands and scripts. Its launchd job is keyed to the /private/var/db/emondClients/ directory: emond is started when that directory contains a file, so the presence of any file there is what arms the mechanism. Because a file in this directory is enough to make emond run attacker-supplied rules at boot, this data is essential for detecting persistence via emond client files.

Data Collected

This collector gathers structured data about emond clients.

Emond Clients Data

Field      Description                                                Example
FileName   Name of the client file                                    Example value
FullPath   Absolute path of the client file                           Example value
Hash       Hash of the file contents                                  Example value
FileSize   Size of the file in bytes                                  123
Modified   Last modification time of the content (mtime), with UTC offset   2023-10-15 14:30:25+03:00
Accessed   Last access time (atime), with UTC offset                  2023-10-15 14:30:25+03:00
Changed    Last inode/metadata change time (ctime), with UTC offset   2023-10-15 14:30:25+03:00

Collection Method

This collector enumerates the files in /private/var/db/emondClients/ and records each file's name, full path, size, content hash and mtime/atime/ctime timestamps into the emond_clients table. An empty directory yields no rows; any row at all is worth examining, since a legitimate system rarely places files there.
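The following script is an added illustration of the collection step described above; it is not the product's own collector code. It walks a directory (by default /private/var/db/emondClients/), skips subdirectories and symlinks, and emits one record per file with the same fields as the table above. The hash algorithm (SHA-256), the timestamp format and the demo function that builds a constructed sample directory are assumptions made for this example.

```python
import hashlib
import os
import tempfile
from datetime import datetime

# Directory that emond's launchd job watches; a file here arms emond at boot.
EMOND_CLIENTS_DIR = "/private/var/db/emondClients"


def sha256_file(path, chunk_size=65536):
    """Return the hex SHA-256 of a file's contents (algorithm is an assumption)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fmt_ts(epoch_seconds):
    """Format an epoch timestamp as 'YYYY-MM-DD HH:MM:SS+HH:MM' in local time."""
    return datetime.fromtimestamp(epoch_seconds).astimezone().isoformat(
        sep=" ", timespec="seconds"
    )


def collect_emond_clients(root=EMOND_CLIENTS_DIR):
    """Enumerate regular files directly under root and return one record each.

    Subdirectories and symlinks are skipped; stat() is done without following
    links so the metadata describes the entry actually present in the directory.
    """
    records = []
    if not os.path.isdir(root):
        return records  # directory absent: nothing armed, nothing to report
    with os.scandir(root) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            if not entry.is_file(follow_symlinks=False):
                continue
            st = entry.stat(follow_symlinks=False)
            records.append({
                "FileName": entry.name,
                "FullPath": os.path.abspath(entry.path),
                "Hash": sha256_file(entry.path),
                "FileSize": st.st_size,
                "Modified": fmt_ts(st.st_mtime),   # content modification time
                "Accessed": fmt_ts(st.st_atime),   # last access time
                "Changed": fmt_ts(st.st_ctime),    # inode/metadata change time
            })
    return records


def demo_with_constructed_dir():
    """Build a constructed sample clients directory and collect it.

    The sample mimics the typical persistence footprint: a single empty
    'trigger' file (as created by `touch`), plus a subdirectory that a
    collector should ignore. Paths and names here are made up for the demo.
    """
    with tempfile.TemporaryDirectory() as tmp:
        trigger = os.path.join(tmp, "com.example.trigger")
        with open(trigger, "wb"):
            pass  # empty file: size 0, still enough to start emond
        os.mkdir(os.path.join(tmp, "not-a-client"))
        return collect_emond_clients(tmp)


if __name__ == "__main__":
    for rec in collect_emond_clients():
        print(rec)
```

Run it as root on a live system to list the real directory; on a non-macOS host or an empty directory it simply returns no records, which is the expected benign result.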

Forensic Value

This evidence matters in forensic investigations because emond client files have been used by malware to establish persistence: dropping a file into /private/var/db/emondClients/ causes emond to start and apply its rules at boot. The file name, path, hash and timestamps collected here let an analyst confirm whether the directory has been populated, when the file appeared, and whether it matches a known artifact, and they can be correlated with the rule files emond consumes and with process execution around the recorded timestamps.
