
Summary
This detection rule identifies execution of the macOS command-line utility `sw_vers`, which prints the operating system's product name, product version, and build version (it does not report the computer name). Threat actors run this command to fingerprint a macOS host, both to select exploits for a specific OS release and to decide whether the host is a real endpoint worth continuing on. The rule captures instances where `sw_vers` is executed to query product, version, or build information, either with the `-productName`, `-productVersion`, or `-buildVersion` argument or with no argument, which prints all three; such activity can mark a reconnaissance stage before further post-exploitation steps. The detection relies on EDR process-creation telemetry (process name, command line, parent process, and user) rather than on system calls. Because management agents, installers, and administrative scripts also invoke `sw_vers`, expect benign hits and tune on the parent process and user before treating a match as an incident. Enabling this rule gives organizations earlier visibility into discovery activity on macOS endpoints and shortens the time to respond to it, which matters as macOS systems are increasingly targeted.
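The following is an added example, not the rule's own search logic or any vendor's code. It runs the detection idea described above over a handful of constructed EDR process-creation events: it matches `sw_vers` by process name, classifies which fields the command line asked for (a bare invocation prints all three), and accepts an optional allowlist of parent processes so that an MDM agent can be tuned out. The JSON field names (`process_name`, `process`, `parent_process_name`, `user`, `dest`) and the sample events are assumptions for illustration, not a real product's schema or real telemetry.

```python
import json
import os
import shlex

# Constructed sample EDR process-creation events (JSON lines). The field
# names are an assumption for this example, not a vendor schema.
SAMPLE_EVENTS = """
{"_time":"2024-11-22T10:01:02Z","dest":"mac-01","user":"alice","parent_process_name":"zsh","process_name":"sw_vers","process":"sw_vers"}
{"_time":"2024-11-22T10:01:05Z","dest":"mac-01","user":"alice","parent_process_name":"bash","process_name":"sw_vers","process":"sw_vers -productVersion"}
{"_time":"2024-11-22T10:02:10Z","dest":"mac-02","user":"bob","parent_process_name":"osascript","process_name":"sw_vers","process":"/usr/bin/sw_vers -buildVersion"}
{"_time":"2024-11-22T10:03:00Z","dest":"mac-02","user":"bob","parent_process_name":"Terminal","process_name":"uname","process":"uname -a"}
{"_time":"2024-11-22T10:04:00Z","dest":"mac-03","user":"carol","parent_process_name":"jamf","process_name":"sw_vers","process":"sw_vers -productName"}
{"_time":"2024-11-22T10:05:00Z","dest":"mac-03","user":"carol","parent_process_name":"Python","process_name":"python3","process":"python3 -c 'import platform;print(platform.mac_ver())'"}
"""

# sw_vers arguments and the field each one selects (case-insensitive match).
FLAGS = {
    "-productname": "productName",
    "-productversion": "productVersion",
    "-buildversion": "buildVersion",
}
ALL_FIELDS = frozenset(FLAGS.values())


def parse_events(jsonl: str) -> list[dict]:
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def is_sw_vers(event: dict) -> bool:
    """True when the created process is sw_vers, whether logged by name or full path."""
    return os.path.basename(event.get("process_name", "")) == "sw_vers"


def queried_fields(cmdline: str) -> frozenset:
    """Return the OS fields a sw_vers command line asks for.

    No recognised flag means sw_vers prints product name, version and build.
    """
    tokens = shlex.split(cmdline)
    if not tokens:
        return frozenset()
    selected = {FLAGS[t.lower()] for t in tokens[1:] if t.lower() in FLAGS}
    return frozenset(selected) if selected else ALL_FIELDS


def detect(events: list[dict], benign_parents: frozenset = frozenset()) -> list[dict]:
    """Return one hit per sw_vers execution not launched by an allowlisted parent.

    benign_parents is a hypothetical tuning knob for management agents that
    legitimately query the OS version; it is empty by default.
    """
    hits = []
    for ev in events:
        if not is_sw_vers(ev):
            continue
        if ev.get("parent_process_name", "") in benign_parents:
            continue
        hits.append({
            "time": ev.get("_time"),
            "dest": ev.get("dest"),
            "user": ev.get("user"),
            "parent": ev.get("parent_process_name"),
            "cmdline": ev.get("process"),
            "queried": sorted(queried_fields(ev.get("process", ""))),
        })
    return hits


if __name__ == "__main__":
    for hit in detect(parse_events(SAMPLE_EVENTS)):
        print(hit)
    print("with jamf allowlisted:",
          len(detect(parse_events(SAMPLE_EVENTS), frozenset({"jamf"}))), "hits")
```

The `osascript` parent in the third sample is the kind of context a responder would weigh more heavily than a shell parent: an AppleScript or dropper asking for the build number looks less like an administrator and more like a payload deciding what to do next.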
Categories
- macOS
Data Sources
- Process
- Application Log
- User Account
ATT&CK Techniques
- T1082
- T1497.001
Created: 2024-11-22