System Extension Info
Overview
Evidence: System Extension Info
Description: Collect system extension info
Category: System
Platform: macos
Short Name: sysext
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
System Extensions replaced kernel extensions starting with macOS 10.15 to provide safer extensibility with reduced kernel access. These extensions run in user space and provide functionality like network filtering, endpoint security, and file system monitoring. Understanding installed system extensions is crucial for detecting unauthorized monitoring tools, security product tampering, and malicious extensions.
Data Collected
This collector gathers structured data about the system extensions installed on the host.
System Extension Info Data
| Field | Description | Example |
|---|---|---|
| UUID | Unique identifier assigned to the extension | Example value |
| Path | Filesystem path of the staged extension | Example value |
| BundlePath | Path of the application bundle that ships the extension | Example value |
| State | Activation state of the extension | Example value |
| BundleID | Bundle identifier of the extension | Example value |
| Version | Extension version | Example value |
| Category | Extension category (e.g. endpoint security, network filtering) | Example value |
| TeamId | Developer team ID of the signing identity | Example value |
| MDMManaged | Whether the extension is managed by MDM | 123 |
Collection Method
This collector queries the system_extensions table via osquery to retrieve information about all registered system extensions, including their bundle IDs, paths, versions, categories, team IDs, and MDM management status.
Forensic Value
System extension information reveals security monitoring capabilities and potential surveillance tools. Unauthorized or malicious extensions may indicate persistence mechanisms, data exfiltration tools, or attacker-deployed monitoring software. This evidence helps identify security product tampering, unauthorized access to system resources, and extension-based persistence.
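As an added example (not the collector's own code), the following triage script takes the JSON that `osqueryi --json "SELECT * FROM system_extensions"` would emit for the collection method above and flags rows an analyst would want to look at first: extensions signed by a team ID outside a hypothetical allowlist, extensions not under MDM management, and extensions not in the `activated_enabled` state. The sample rows and the `EXPECTED_TEAMS` allowlist are constructed for this example.

```python
"""Triage osquery system_extensions rows (added example, not the collector's own code)."""
import json

# Constructed sample: shape follows osquery's system_extensions table columns
# (path, UUID, state, identifier, version, category, bundle_path, team, mdm_managed).
SAMPLE_OSQUERY_JSON = json.dumps([
    {"UUID": "11111111-1111-1111-1111-111111111111",
     "path": "/Library/SystemExtensions/11111111-1111-1111-1111-111111111111/com.example.edr.sysext.systemextension",
     "bundle_path": "/Applications/EDR.app/Contents/Library/SystemExtensions/com.example.edr.sysext.systemextension",
     "state": "activated_enabled", "identifier": "com.example.edr.sysext", "version": "3.2.0",
     "category": "endpoint_security", "team": "ABCDE12345", "mdm_managed": "1"},
    {"UUID": "22222222-2222-2222-2222-222222222222",
     "path": "/Library/SystemExtensions/22222222-2222-2222-2222-222222222222/com.unknown.netmon.systemextension",
     "bundle_path": "/Users/alice/Downloads/NetMon.app/Contents/Library/SystemExtensions/com.unknown.netmon.systemextension",
     "state": "activated_enabled", "identifier": "com.unknown.netmon", "version": "0.1",
     "category": "network_extension", "team": "ZZZZZ99999", "mdm_managed": "0"},
    {"UUID": "33333333-3333-3333-3333-333333333333",
     "path": "/Library/SystemExtensions/33333333-3333-3333-3333-333333333333/com.example.vpn.systemextension",
     "bundle_path": "/Applications/VPN.app/Contents/Library/SystemExtensions/com.example.vpn.systemextension",
     "state": "activated_waiting_for_user", "identifier": "com.example.vpn", "version": "1.0",
     "category": "network_extension", "team": "ABCDE12345", "mdm_managed": "1"},
])

# Hypothetical allowlist of developer team IDs the organisation expects to see.
EXPECTED_TEAMS = {"ABCDE12345"}


def triage(osquery_json, expected_teams=EXPECTED_TEAMS):
    """Return [(identifier, [reasons])] for rows that deserve analyst attention."""
    findings = []
    for row in json.loads(osquery_json):
        reasons = []
        if row.get("team") not in expected_teams:
            reasons.append("unexpected team id %s" % row.get("team"))
        if row.get("mdm_managed") != "1":
            reasons.append("not MDM managed")
        if row.get("state") != "activated_enabled":
            reasons.append("state is %s" % row.get("state"))
        if reasons:
            findings.append((row.get("identifier"), reasons))
    return findings


if __name__ == "__main__":
    for identifier, reasons in triage(SAMPLE_OSQUERY_JSON):
        print(identifier, "->", "; ".join(reasons))
```

On the constructed sample, the EDR extension passes, the extension from the unknown team is flagged twice, and the VPN extension is flagged only because it is waiting for user approval.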