System Extension Info
Overview
Evidence: System Extension Info
Description: Collect system extension info
Category: System
Platform: macos
Short Name: sysext
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
System Extensions replaced kernel extensions starting with macOS 10.15 to provide safer extensibility with reduced kernel access. These extensions run in user space and provide functionality like network filtering, endpoint security, and file system monitoring. Understanding installed system extensions is crucial for detecting unauthorized monitoring tools, security product tampering, and malicious extensions.
Data Collected
This collector gathers structured data about system extension info.
System Extension Info Data

Field        Display Name   Example
UUID         UUID           Example value
Path         Path           Example value
BundlePath   Bundle Path    Example value
State        State          Example value
BundleID     Bundle ID      Example value
Version      Version        Example value
Category     Category       Example value
TeamId       Team Id        Example value
MDMManaged   MDM Managed    123
Collection Method
This collector queries the system_extensions table via osquery to retrieve information about all registered system extensions, including their bundle IDs, paths, versions, categories, team IDs, and MDM management status.
Forensic Value
System extension information reveals security monitoring capabilities and potential surveillance tools. Unauthorized or malicious extensions may indicate persistence mechanisms, data exfiltration tools, or attacker-deployed monitoring software. This evidence helps identify security product tampering, unauthorized access to system resources, and extension-based persistence.
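The following is an added example, not part of this page or the collector's own code. It shows the osquery query behind this evidence type, converts osquery's JSON rows into the collector's field names, and applies the kind of triage the Forensic Value section describes: flagging extensions whose state is not fully activated, that carry no developer Team ID, or whose Team ID is outside an expected set. The osquery state strings (such as activated_enabled), the expected-team set, and all bundle IDs, Team IDs, paths and UUIDs in the sample rows are assumptions constructed for illustration.

```python
import json
from collections import Counter

# osquery query behind this evidence type. Column names follow osquery's
# system_extensions schema; the collector reports them under its own field
# names (identifier -> BundleID, team -> TeamId, mdm_managed -> MDMManaged).
SYSTEM_EXTENSIONS_QUERY = (
    "SELECT UUID, path, bundle_path, state, identifier, version, "
    "category, team, mdm_managed FROM system_extensions;"
)

# Mapping from osquery column names to the collector's field names.
FIELD_MAP = {
    "UUID": "UUID",
    "path": "Path",
    "bundle_path": "BundlePath",
    "state": "State",
    "identifier": "BundleID",
    "version": "Version",
    "category": "Category",
    "team": "TeamId",
    "mdm_managed": "MDMManaged",
}

# Constructed sample of `osqueryi --json` output. Bundle IDs, Team IDs, paths
# and UUIDs are made up and do not identify real products or vendors.
SAMPLE_OSQUERY_JSON = json.dumps([
    {"UUID": "0A1B2C3D-0000-4000-8000-000000000001",
     "path": "/Library/SystemExtensions/0A1B2C3D-0000-4000-8000-000000000001/com.example.edr.es.systemextension",
     "bundle_path": "/Applications/Example EDR.app/Contents/Library/SystemExtensions/com.example.edr.es.systemextension",
     "state": "activated_enabled", "identifier": "com.example.edr.es", "version": "4.2.0",
     "category": "com.apple.system_extension.endpoint_security",
     "team": "TEAMID0001", "mdm_managed": "1"},
    {"UUID": "0A1B2C3D-0000-4000-8000-000000000002",
     "path": "/Library/SystemExtensions/0A1B2C3D-0000-4000-8000-000000000002/com.example.vpn.tunnel.systemextension",
     "bundle_path": "/Applications/Example VPN.app/Contents/Library/SystemExtensions/com.example.vpn.tunnel.systemextension",
     "state": "activated_enabled", "identifier": "com.example.vpn.tunnel", "version": "2.0.1",
     "category": "com.apple.system_extension.network_extension",
     "team": "TEAMID0002", "mdm_managed": "0"},
    {"UUID": "0A1B2C3D-0000-4000-8000-000000000003",
     "path": "/Library/SystemExtensions/0A1B2C3D-0000-4000-8000-000000000003/com.example.edr.netfilter.systemextension",
     "bundle_path": "/Applications/Example EDR.app/Contents/Library/SystemExtensions/com.example.edr.netfilter.systemextension",
     "state": "terminated_waiting_to_uninstall_on_reboot", "identifier": "com.example.edr.netfilter",
     "version": "4.2.0", "category": "com.apple.system_extension.network_extension",
     "team": "TEAMID0001", "mdm_managed": "1"},
    {"UUID": "0A1B2C3D-0000-4000-8000-000000000004",
     "path": "/Library/SystemExtensions/0A1B2C3D-0000-4000-8000-000000000004/com.unknown.monitor.systemextension",
     "bundle_path": "/Users/Shared/Monitor.app/Contents/Library/SystemExtensions/com.unknown.monitor.systemextension",
     "state": "activated_enabled", "identifier": "com.unknown.monitor", "version": "1.0",
     "category": "com.apple.system_extension.endpoint_security",
     "team": "", "mdm_managed": "0"},
])


def parse_osquery_output(raw_json):
    """Convert osquery JSON rows into records keyed by the collector's field names."""
    records = []
    for row in json.loads(raw_json):
        rec = {FIELD_MAP[col]: val for col, val in row.items() if col in FIELD_MAP}
        # osquery emits every value as a string; MDMManaged is an integer flag.
        rec["MDMManaged"] = int(rec.get("MDMManaged") or 0)
        records.append(rec)
    return records


def triage(records, expected_teams):
    """Return (BundleID, reasons) pairs for extensions that warrant analyst review.

    expected_teams is the set of developer Team IDs the organisation deploys;
    in practice it comes from the MDM configuration (assumed here).
    """
    findings = []
    for rec in records:
        reasons = []
        # Anything other than a fully activated extension means a pending
        # change: a user-prompted install, or an uninstall awaiting reboot.
        if rec["State"] != "activated_enabled":
            reasons.append(f"state is {rec['State']}")
        if not rec["TeamId"]:
            reasons.append("no developer Team ID")
        elif rec["TeamId"] not in expected_teams:
            reasons.append(f"Team ID {rec['TeamId']} not in expected set")
        # An endpoint security extension outside MDM control is worth a look:
        # it has the same visibility as the sanctioned security product.
        if rec["Category"].endswith("endpoint_security") and not rec["MDMManaged"]:
            reasons.append("endpoint security extension not MDM managed")
        if reasons:
            findings.append((rec["BundleID"], reasons))
    return findings


def summarize_by_category(records):
    """Count extensions per category (last dotted component of the category string)."""
    return Counter(rec["Category"].rsplit(".", 1)[-1] for rec in records)


if __name__ == "__main__":
    recs = parse_osquery_output(SAMPLE_OSQUERY_JSON)
    print(dict(summarize_by_category(recs)))
    for bundle_id, reasons in triage(recs, {"TEAMID0001", "TEAMID0002"}):
        print(bundle_id, "->", "; ".join(reasons))
```

On the constructed sample, the two sanctioned extensions pass, the network filter awaiting uninstall on reboot is flagged (a state worth correlating with a planned product change versus tampering), and the unsigned endpoint security extension under /Users/Shared is flagged twice. The same functions can be run over the real records this collector sends, since they use the collector's field names.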