
Summary
This detection rule identifies system information discovery on macOS via the 'sw_vers' command. The 'sw_vers' utility reports the operating system's product name, product version and build version, information an attacker typically collects during post-compromise reconnaissance before choosing a payload or privilege-escalation path. The rule is built on process creation logs and fires only when two conditions hold together: the process image path ends with '/sw_vers', and the command line contains at least one of the arguments '-buildVersion', '-productName' or '-productVersion'. An event that satisfies just one condition does not trigger it; in particular, a bare 'sw_vers' invocation with no flags prints all three fields yet escapes the argument check, and a shell whose command line merely mentions sw_vers does not match on its own (the child sw_vers process it spawns would, if it carries one of the flags). False positives are expected from legitimate administrative tasks such as inventory, deployment and update scripts that record the OS version, so triage should weigh the parent process and user context.
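The following is an added example, not code from the rule or its authors: it evaluates the two selection criteria described above over a handful of constructed process-creation events so the matching (and the no-flag gap) can be seen concretely. Field names follow Sigma's process_creation taxonomy (Image, CommandLine, ParentImage) and matching is case-insensitive, as Sigma string matching is by default; both are assumptions about how the rule is expressed, not facts stated on this page.

```python
"""Toy evaluation of the sw_vers discovery rule over sample macOS process events.

Added illustration; the event records below are constructed, not real telemetry.
"""

from dataclasses import dataclass
from typing import Iterable, List

# Selection terms as described in the rule summary. Sigma compares strings
# case-insensitively by default (assumed here), so both sides are lower-cased.
IMAGE_SUFFIX = "/sw_vers"
ARG_TERMS = ("-buildVersion", "-productName", "-productVersion")


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record; names mirror Sigma's Image/CommandLine/ParentImage."""
    image: str
    command_line: str
    parent_image: str = ""


def matches_sw_vers_rule(ev: ProcEvent) -> bool:
    """True when the image path ends in /sw_vers AND at least one
    version-query flag appears in the command line (both conditions required)."""
    image_ok = ev.image.lower().endswith(IMAGE_SUFFIX.lower())
    cli = ev.command_line.lower()
    args_ok = any(term.lower() in cli for term in ARG_TERMS)
    return image_ok and args_ok


def evaluate(events: Iterable[ProcEvent]) -> List[ProcEvent]:
    """Return the events that would raise an alert under this rule."""
    return [ev for ev in events if matches_sw_vers_rule(ev)]


# Constructed sample telemetry covering the cases discussed in the summary.
SAMPLE_EVENTS = [
    # Direct query from an interactive shell: both conditions hold -> alert.
    ProcEvent("/usr/bin/sw_vers", "sw_vers -productVersion", "/bin/zsh"),
    # Bare invocation prints the same three fields but carries no flag -> no alert (coverage gap).
    ProcEvent("/usr/bin/sw_vers", "sw_vers", "/bin/zsh"),
    # Shell wrapper: image is /bin/sh, so this event itself does not match;
    # the child sw_vers process it spawns would.
    ProcEvent("/bin/sh", "sh -c 'sw_vers -buildVersion'", "/usr/bin/osascript"),
    # Same flags launched by a management agent: matches, but is a likely benign
    # administrative task and a candidate for a parent-process allow-list.
    ProcEvent("/usr/bin/sw_vers", "sw_vers -buildVersion -productName", "/usr/local/bin/inventory-agent"),
    # Flag-like text in an unrelated binary: wrong image, no match.
    ProcEvent("/usr/bin/grep", "grep -i productName /tmp/notes.txt", "/bin/zsh"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        tag = "ALERT" if matches_sw_vers_rule(ev) else "     "
        print(f"{tag}  {ev.image:<18} {ev.command_line!r}  (parent: {ev.parent_image})")
```

Running the block prints two alerts (the interactive query and the management-agent query); the management-agent case is the kind of hit the summary's false-positive note refers to, and the parent image is the natural field to tune on. The path /usr/local/bin/inventory-agent is a placeholder, not a real product.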
Categories
- macOS
Data Sources
- Process
Created: 2023-12-20