System Information Discovery Using System_Profiler

Sigma Rules

Summary
This detection rule identifies the execution of the `system_profiler` command on macOS when it is invoked with data types that are indicative of reconnaissance by threat actors. The rule targets several data types, including `SPApplicationsDataType`, `SPHardwareDataType`, `SPNetworkDataType`, and `SPUSBDataType`, which expose the system's hardware and software configuration. Use of `system_profiler` may signal an attempt to gather information about the host, potentially enabling further malicious actions such as identifying vulnerabilities or detecting the presence of virtualization software, which is relevant for evading defensive mechanisms. Detection is based on the command-line arguments recorded in process-creation events for `system_profiler`. The rule arises from trends observed in malware analysis, particularly in connection with the OceanLotus group. Execution of this command under suspicious circumstances warrants closer scrutiny, as it can reveal the intent behind an attacker's reconnaissance. False positives may arise from legitimate administrative use, so matches require contextual review.
Categories
  • macOS
  • Endpoint
Data Sources
  • Process
Created: 2024-01-02