System Extensions State & Inventory

macOS, Persistence Mechanisms, Disk Image

Location

/Library/SystemExtensions/, /Library/SystemExtensions/db.plist, and runtime inventory via systemextensionsctl list

Common Names

systemextensionsctl, db.plist

Description

macOS System Extensions replace many legacy kernel extensions with user-space endpoint security, network extension, and driver extension components that are managed through the system extension framework and approval workflow.

Forensic Value

System extension inventory helps identify security agents, VPN components, network filters, USB drivers, and potentially malicious persistence components that load outside traditional LaunchAgents and LaunchDaemons. Because many EDR, DLP, and network interception products now rely on Endpoint Security or Network Extension system extensions, reviewing this state is necessary to distinguish legitimate sensors from unauthorized filters or tampered components. Approval status and owning app bundle identifiers also help determine when a component was introduced and whether the user or MDM approved it.

Tools Required

systemextensionsctl, find, plutil, mac_apt

Collection Commands

systemextensionsctl

systemextensionsctl list > /forensics/system_extensions.txt

find

sudo find /Library/SystemExtensions -maxdepth 3 -print > /forensics/system_extensions_files.txt

cp

sudo cp /Library/SystemExtensions/db.plist /forensics/system_extensions_db.plist 2>/dev/null
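Once the live inventory has been saved, the next step is triaging it. The following Python script is an added example, not part of this page or of any tool it names: it parses a saved systemextensionsctl list capture into records and flags entries whose teamID is not on an analyst-supplied allowlist or whose state is anything other than activated and enabled. The tab-separated table layout and the sample capture are assumptions constructed for the example.

```python
"""Triage a saved `systemextensionsctl list` capture (e.g. /forensics/system_extensions.txt)."""
import re
from dataclasses import dataclass

# Constructed sample capture; not from a real host. The layout is assumed to match the
# tab-separated table systemextensionsctl prints on recent macOS releases.
SAMPLE_CAPTURE = """\
3 extension(s)
--- com.apple.system_extension.endpoint_security
enabled\tactive\tteamID\tbundleID (version)\tname\t[state]
*\t*\tAAAA111111\tcom.example.edr.es (5.2.0/520)\tExample EDR\t[activated enabled]
--- com.apple.system_extension.network_extension
enabled\tactive\tteamID\tbundleID (version)\tname\t[state]
*\t*\tBBBB222222\tcom.example.vpn.tunnel (3.1/31)\tExample VPN\t[activated enabled]
\t\tCCCC333333\tcom.unknown.filter (1.0/1)\tNetFilter\t[activated waiting for user]
"""

@dataclass
class SysExt:
    category: str   # the "--- com.apple.system_extension.*" group the row sits under
    enabled: bool
    active: bool
    team_id: str
    bundle_id: str
    version: str
    name: str
    state: str      # text inside the trailing [...] column

# enabled/active are "*" or blank, then teamID, "bundle (version)", name, "[state]".
ROW_RE = re.compile(r"^(\*?)\t(\*?)\t([^\t]*)\t([^\t ]+) \(([^)]*)\)\t([^\t]*)\t\[(.*)\]$")

def parse_capture(text):
    """Return one SysExt per extension row; header and count lines are skipped."""
    exts, category = [], ""
    for line in text.splitlines():
        if line.startswith("--- "):
            category = line[4:].strip()
            continue
        m = ROW_RE.match(line)
        if m:
            exts.append(SysExt(category, m.group(1) == "*", m.group(2) == "*",
                               m.group(3), m.group(4), m.group(5), m.group(6), m.group(7)))
    return exts

def flag_for_review(exts, known_team_ids):
    """Return (bundle_id, reason) pairs a reviewer should examine against db.plist and MDM records."""
    findings = []
    for e in exts:
        if e.team_id not in known_team_ids:
            findings.append((e.bundle_id, f"unknown teamID {e.team_id}"))
        if e.state != "activated enabled" or not (e.enabled and e.active):
            findings.append((e.bundle_id, f"state '{e.state}'"))
    return findings
```

Run it against the real capture by reading the file into parse_capture and passing the teamIDs of the sanctioned EDR, VPN and filter vendors as known_team_ids.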

Collection Constraints

  • Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
  • System extensions are a modern framework and are most relevant on recent macOS releases. Some inventory is easiest to confirm from a live system with systemextensionsctl.

MITRE ATT&CK Techniques

T1543, T1547, T1562.001