System Information Discovery Using System_Profiler
Detects the execution of "system_profiler" with specific "Data Types" that have been observed in use by threat actors and malware. system_profiler reports the host's hardware and software configuration, so this activity is primarily system information discovery. However, the same command can also reveal whether virtualization software is present, which makes it useful for defense evasion (sandbox and VM detection) as well.
Sigma rule
title: System Information Discovery Using System_Profiler
id: 4809c683-059b-4935-879d-36835986f8cf
status: test
description: |
    Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
    This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
references:
    - https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
    - https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf
    - https://ss64.com/mac/system_profiler.html
    - https://objective-see.org/blog/blog_0x62.html
    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
    - https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
date: 2024-01-02
tags:
    - attack.discovery
    - attack.defense-evasion
    - attack.t1082
    - attack.t1497.001
logsource:
    product: macos
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '/system_profiler'
        - CommandLine|contains: 'system_profiler'
    selection_cmd:
        # Note: This list is based on CTI reporting. Threat actors might use other data types. Please refer to https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af for a full list
        CommandLine|contains:
            - 'SPApplicationsDataType'
            - 'SPHardwareDataType'
            - 'SPNetworkDataType'
            - 'SPUSBDataType'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: medium
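To make the rule's logic concrete, the following added example (written for this page, not code from SigmaHQ or the rule author) re-implements the two selections and the `all of selection_*` condition in Python and runs them over a handful of constructed macOS process_creation events. The event field names (`Image`, `CommandLine`, `ParentImage`) follow the Sigma process_creation schema; the events themselves are made up for illustration and are not real telemetry. It also reproduces Sigma's default case-insensitive string matching, which is why the lowercase variant at the end still fires.

```python
"""Evaluate the system_profiler Sigma rule against constructed events.

Added example for this page; not part of the SigmaHQ rule set.
"""

# Selection values copied from the rule above.
IMAGE_SUFFIX = "/system_profiler"
CMD_MARKER = "system_profiler"
DATA_TYPES = (
    "SPApplicationsDataType",
    "SPHardwareDataType",
    "SPNetworkDataType",
    "SPUSBDataType",
)


def _contains(haystack: str, needle: str) -> bool:
    # Sigma string modifiers (contains/endswith) match case-insensitively by default.
    return needle.lower() in (haystack or "").lower()


def selection_img(event: dict) -> bool:
    """selection_img: a YAML list of two conditions, so they are OR-ed."""
    image = (event.get("Image") or "").lower()
    return image.endswith(IMAGE_SUFFIX) or _contains(event.get("CommandLine", ""), CMD_MARKER)


def selection_cmd(event: dict) -> list:
    """selection_cmd: return every listed data type present in the command line."""
    return [dt for dt in DATA_TYPES if _contains(event.get("CommandLine", ""), dt)]


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -- both selections must hold."""
    return selection_img(event) and bool(selection_cmd(event))


def run(events) -> list:
    """Return (event index, matched data types) for each event the rule fires on."""
    return [(i, selection_cmd(ev)) for i, ev in enumerate(events) if rule_matches(ev)]


# Constructed sample events (not real telemetry), Sigma process_creation field names.
SAMPLE_EVENTS = [
    {   # 0: hardware inventory, the data type CTI ties to VM fingerprinting
        "Image": "/usr/sbin/system_profiler",
        "CommandLine": "system_profiler SPHardwareDataType",
        "ParentImage": "/bin/sh",
    },
    {   # 1: run through a shell wrapper; Image is the shell, CommandLine names the tool
        "Image": "/bin/zsh",
        "CommandLine": "zsh -c 'system_profiler SPApplicationsDataType SPNetworkDataType'",
        "ParentImage": "/usr/bin/osascript",
    },
    {   # 2: data type not in the rule's list, so selection_cmd is empty -> no match
        "Image": "/usr/sbin/system_profiler",
        "CommandLine": "system_profiler SPDisplaysDataType",
        "ParentImage": "/bin/bash",
    },
    {   # 3: unrelated process mentioning a data type; selection_img fails -> no match
        "Image": "/usr/bin/grep",
        "CommandLine": "grep SPUSBDataType notes.txt",
        "ParentImage": "/bin/bash",
    },
    {   # 4: odd casing; Sigma matching is case-insensitive, so this still fires
        "Image": "/usr/sbin/SYSTEM_PROFILER",
        "CommandLine": "system_profiler sphardwaredatatype",
        "ParentImage": "/bin/sh",
    },
]

if __name__ == "__main__":
    for idx, types in run(SAMPLE_EVENTS):
        print(f"event {idx}: rule fires on data types {types}")
```

Events 0, 1 and 4 match; 2 and 3 do not. Event 1 shows why `selection_img` carries a `CommandLine|contains` alternative alongside `Image|endswith`: when the tool is launched through `sh -c`/`zsh -c`, the process image recorded may be the shell, and only the command line names `system_profiler`. Event 2 illustrates the caveat in the rule's own comment: a data type outside the four listed (here `SPDisplaysDataType`) is not caught, so tune the list against the gist linked in the rule if your threat model calls for it.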
Related rules
- System Information Discovery Via Sysctl - MacOS
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- PUA - System Informer Execution
- Potential Suspicious Activity Using SeCEdit