System Information Discovery Using System_Profiler
Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
Sigma rule (View on GitHub)
1title: System Information Discovery Using System_Profiler
2id: 4809c683-059b-4935-879d-36835986f8cf
3status: test
4description: |
5 Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
6 This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
7references:
8 - https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
9 - https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf
10 - https://ss64.com/mac/system_profiler.html
11 - https://objective-see.org/blog/blog_0x62.html
12 - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
13 - https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
14author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
15date: 2024-01-02
16tags:
17 - attack.discovery
18 - attack.defense-evasion
19 - attack.t1082
20 - attack.t1497.001
21logsource:
22 product: macos
23 category: process_creation
24detection:
25 selection_img:
26 - Image|endswith: '/system_profiler'
27 - CommandLine|contains: 'system_profiler'
28 selection_cmd:
29 # Note: This list is based on CTI reporting. Threat actors might use other data types. Please refere to https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af for a full list
30 CommandLine|contains:
31 - 'SPApplicationsDataType'
32 - 'SPHardwareDataType'
33 - 'SPNetworkDataType'
34 - 'SPUSBDataType'
35 condition: all of selection_*
36falsepositives:
37 - Legitimate administrative activities
38level: medium
References
Related rules
- System Information Discovery Via Sysctl - MacOS
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- Potential Suspicious Activity Using SeCEdit
- System Information Discovery Using Ioreg