# Emond Clients

## Overview

Evidence: Emond Clients
Description: Collect Emond Clients
Category: System
Platform: macOS
Short Name: emnd
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
## Background

Emond (the macOS event monitor daemon) can execute client scripts based on rules. This data is essential for detecting persistence established through emond client files.
## Data Collected

This collector gathers structured data about emond clients.

### Emond Clients Data

| Field | Description | Example |
|---|---|---|
| FileName | File name | Example value |
| FullPath | Full path | Example value |
| Hash | Hash | Example value |
| FileSize | File size (bytes) | 123 |
| Modified | Modified timestamp | 2023-10-15 14:30:25+03:00 |
| Accessed | Accessed timestamp | 2023-10-15 14:30:25+03:00 |
| Changed | Changed timestamp | 2023-10-15 14:30:25+03:00 |
## Collection Method

This collector enumerates /private/var/db/emondClients/ and records file metadata and hashes into emond_clients.
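The following Python script is an added illustration of the collection method described above; it is not the collector's own code. It walks a directory, skips anything that is not a regular file (symlinks included), and emits one record per file with the same field names as the table. The choice of SHA-256 as the hash is an assumption, as the page does not name the algorithm. The sample client file it creates in a temporary directory is constructed here purely so the script runs offline.

```python
"""Enumerate emond client files and record metadata plus a content hash."""
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone

# Directory the collector enumerates (from the page); overridable for offline runs.
EMOND_CLIENTS_DIR = "/private/var/db/emondClients/"

# Constructed sample client file for offline testing; not a real malware sample.
SAMPLE_CLIENT_NAME = "sample_client.plist"
SAMPLE_CLIENT_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array><dict>
<key>name</key><string>sample rule</string>
<key>enabled</key><true/>
</dict></array></plist>
"""


def _iso_local(ts: float) -> str:
    """Format a POSIX timestamp like the table example, e.g. 2023-10-15 14:30:25+03:00."""
    return (datetime.fromtimestamp(ts, tz=timezone.utc)
            .astimezone()
            .isoformat(sep=" ", timespec="seconds"))


def _sha256(path: str) -> str:
    """Stream the file through SHA-256 (assumed hash; the page does not name one)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_emond_clients(directory: str = EMOND_CLIENTS_DIR) -> list:
    """Return one record per regular file in `directory`, mirroring the table fields."""
    records = []
    if not os.path.isdir(directory):
        return records  # directory absent: nothing to collect, not an error
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        st = os.lstat(full)  # lstat so a planted symlink is not followed
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks, sockets and subdirectories
        records.append({
            "FileName": name,
            "FullPath": full,
            "Hash": _sha256(full),
            "FileSize": st.st_size,
            "Modified": _iso_local(st.st_mtime),
            "Accessed": _iso_local(st.st_atime),
            "Changed": _iso_local(st.st_ctime),
        })
    return records


def build_sample_dir() -> str:
    """Create a temporary directory holding one constructed client file."""
    d = tempfile.mkdtemp(prefix="emondClients_")
    with open(os.path.join(d, SAMPLE_CLIENT_NAME), "wb") as f:
        f.write(SAMPLE_CLIENT_BODY)
    return d


if __name__ == "__main__":
    # Offline demonstration against the constructed directory; on a live macOS
    # host call collect_emond_clients() with no argument instead.
    for rec in collect_emond_clients(build_sample_dir()):
        print(rec)
```

Using lstat and an explicit regular-file check matters for the forensic use: an attacker who can write to the directory could also drop a symlink there, and following it would hash and timestamp the wrong object. The Changed field comes from st_ctime, which on macOS reflects the last inode change rather than creation time, matching the distinction the table draws between Modified and Changed.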
## Forensic Value

This evidence is crucial for forensic investigations because emond clients have been used by malware for persistence.