System Information Discovery Using System_Profiler

calendar Jan 10, 2024 · attack.discovery attack.defense_evasion attack.t1082 attack.t1497.001  ·
Share on: linkedin copy

Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.

Sigma rule (View on GitHub)

 1title: System Information Discovery Using System_Profiler
 2id: 4809c683-059b-4935-879d-36835986f8cf
 3status: experimental
 4description: |
 5    Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
 6    This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.    
 7references:
 8    - https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
 9    - https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf
10    - https://ss64.com/mac/system_profiler.html
11    - https://objective-see.org/blog/blog_0x62.html
12    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
13    - https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
14author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
15date: 2024/01/02
16tags:
17    - attack.discovery
18    - attack.defense_evasion
19    - attack.t1082
20    - attack.t1497.001
21logsource:
22    product: macos
23    category: process_creation
24detection:
25    selection_img:
26        - Image|endswith: '/system_profiler'
27        - CommandLine|contains: 'system_profiler'
28    selection_cmd:
29        # Note: This list is based on CTI reporting. Threat actors might use other data types. Please refere to https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af for a full list
30        CommandLine|contains:
31            - 'SPApplicationsDataType'
32            - 'SPHardwareDataType'
33            - 'SPNetworkDataType'
34            - 'SPUSBDataType'
35    condition: all of selection_*
36falsepositives:
37    - Legitimate administrative activities
38level: medium

References

  • New MacOS Backdoor Connected to OceanLotus Surfaces

    We recently discovered a new backdoor we believe to be related to the OceanLotus group. Some of the updates of this new variant include new behaviour and domain names.


    Read More

  • %PDF-1.4 %Óëéá 1 0 obj endobj 3 0 obj endobj 4 0 obj stream xœíÁ  ÷Om7 þ zî endstream endobj 5 0 obj stream xœì�‡šëF®n•s&=öøxì±Çî÷ÄC• •˜Dõ&¾ƽ»%J\¬B?€Åb[WuýZòÒo°õ­®Ëw_…²Õóï¯_÷ハÞly¯ëúðî«...


    Read More

  • system_profiler Man Page - macOS - SS64.com

    system_profiler Report system hardware and software configuration. Syntax system_profiler [-usage] system_profiler [-listDataTypes] system_profiler [-xml] dataType1 ... dataTypeN system_profiler [-...


    Read More

  • Arm'd & Dangerous

    Arm'd & Dangerous malicious code, now native on apple silicon by: Patrick Wardle / February 14, 2021 📝 👾 Want to play along? I’ve uploaded a sample (password: infect3d). ...please don’t infect your...


    Read More

  • OceanLotus: macOS malware update

    ESET researchers dissect a new version of a previously documented tool deployed by OceanLotus, showing that the group isn't resting on its laurels.


    Read More

  • Command Output: `system_profiler -listDataTypes`

    Command Output: `system_profiler -listDataTypes`. GitHub Gist: instantly share code, notes, and snippets.


    Read More

Related rules

to-top