System Information Discovery Using Ioreg
Detects the use of "ioreg" which will show I/O Kit registry information. This process is used for system information discovery. It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
Sigma rule (View on GitHub)
1title: System Information Discovery Using Ioreg
2id: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0
3status: experimental
4description: |
5 Detects the use of "ioreg" which will show I/O Kit registry information.
6 This process is used for system information discovery.
7 It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
8references:
9 - https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior
10 - https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior
11 - https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior
12 - https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
13author: Joseliyo Sanchez, @Joseliyo_Jstnk
14date: 2023-12-20
15modified: 2024-01-02
16tags:
17 - attack.discovery
18 - attack.t1082
19logsource:
20 product: macos
21 category: process_creation
22detection:
23 # Examples:
24 # /bin/bash /bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l
25 # /usr/sbin/ioreg ioreg -rd1 -w0 -c AppleAHCIDiskDriver
26 # /bin/bash /bin/sh -c ioreg -l | grep -e 'USB Vendor Name'
27 # ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, \"\\\"\"); printf(\"%s\", line[4]); }
28 selection_img:
29 - Image|endswith: '/ioreg'
30 - CommandLine|contains: 'ioreg'
31 selection_cmd1:
32 CommandLine|contains:
33 - '-l'
34 - '-c'
35 selection_cmd2:
36 CommandLine|contains:
37 - 'AppleAHCIDiskDriver'
38 - 'IOPlatformExpertDevice'
39 - 'Oracle'
40 - 'Parallels'
41 - 'USB Vendor Name'
42 - 'VirtualBox'
43 - 'VMware'
44 condition: all of selection_*
45falsepositives:
46 - Legitimate administrative activities
47level: medium
References
Related rules
- Bitbucket User Details Export Attempt Detected
- Cisco Discovery
- Container Residence Discovery Via Proc Virtual FS
- Docker Container Discovery Via Dockerenv Listing
- HackTool - PCHunter Execution