System Information Discovery Using Ioreg

Detects the use of "ioreg", which displays I/O Kit registry information. This process is used for system information discovery. It has been observed in the wild, both invoked directly and run through bash with grep to look for specific strings.

Sigma rule

title: System Information Discovery Using Ioreg
id: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0
status: experimental
description: |
    Detects the use of "ioreg" which will show I/O Kit registry information.
    This process is used for system information discovery.
    It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
references:
    - https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior
    - https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior
    - https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior
    - https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023/12/20
modified: 2024/01/02
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: macos
    category: process_creation
detection:
    # Examples:
    #   /bin/bash /bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l
    #   /usr/sbin/ioreg ioreg -rd1 -w0 -c AppleAHCIDiskDriver
    #   /bin/bash /bin/sh -c ioreg -l | grep -e 'USB Vendor Name'
    #   ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, \"\\\"\"); printf(\"%s\", line[4]); }
    selection_img:
        - Image|endswith: '/ioreg'
        - CommandLine|contains: 'ioreg'
    selection_cmd1:
        CommandLine|contains:
            - '-l'
            - '-c'
    selection_cmd2:
        CommandLine|contains:
            - 'AppleAHCIDiskDriver'
            - 'IOPlatformExpertDevice'
            - 'Oracle'
            - 'Parallels'
            - 'USB Vendor Name'
            - 'VirtualBox'
            - 'VMware'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: medium
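To make the rule's matching semantics concrete, the following added example (not the rule author's code and not a SigmaHQ tool) re-implements the three selections and the "all of selection_*" condition in plain Python and runs them over constructed process_creation events. The first three events are taken from the rule's own comment examples; the last two are constructed benign-looking command lines that show which selection stops the rule from firing. It assumes events are dicts keyed by the Sigma field names "Image" and "CommandLine", and that string matching is case-insensitive, as the Sigma specification defines for the contains and endswith modifiers.

```python
from __future__ import annotations

# Values copied from the rule's selection_cmd1 and selection_cmd2 lists.
CMD1_FLAGS = ["-l", "-c"]
CMD2_STRINGS = [
    "AppleAHCIDiskDriver",
    "IOPlatformExpertDevice",
    "Oracle",
    "Parallels",
    "USB Vendor Name",
    "VirtualBox",
    "VMware",
]


def _contains_any(value: str, needles: list[str]) -> bool:
    """Sigma 'contains' with a list value: OR over the entries, case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection_img(event: dict) -> bool:
    """A list directly under the selection name is an OR of its two map items."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith("/ioreg") or "ioreg" in cmdline


def selection_cmd1(event: dict) -> bool:
    """CommandLine|contains: ['-l', '-c'] (plain substring test, so '-ld' also hits)."""
    return _contains_any(event.get("CommandLine", ""), CMD1_FLAGS)


def selection_cmd2(event: dict) -> bool:
    """CommandLine|contains: the hardware/virtualization strings from the rule."""
    return _contains_any(event.get("CommandLine", ""), CMD2_STRINGS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*  ->  AND of the three selections."""
    return selection_img(event) and selection_cmd1(event) and selection_cmd2(event)


# Constructed sample events (field values are illustrative, not real telemetry).
SAMPLE_EVENTS = {
    # From the rule's comment examples:
    "vm_check_via_bash": {
        "Image": "/bin/bash",
        "CommandLine": "/bin/bash /bin/sh -c ioreg -l | grep -e 'VirtualBox' "
                       "-e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l",
    },
    "disk_driver_query": {
        "Image": "/usr/sbin/ioreg",
        "CommandLine": "ioreg -rd1 -w0 -c AppleAHCIDiskDriver",
    },
    "serial_number_query": {
        "Image": "/usr/sbin/ioreg",
        "CommandLine": "ioreg -rd1 -c IOPlatformExpertDevice",
    },
    # Constructed non-matching cases:
    "plain_ioreg_dump": {          # selection_cmd2 has no hit
        "Image": "/usr/sbin/ioreg",
        "CommandLine": "ioreg -l",
    },
    "grep_without_ioreg": {        # selection_img has no hit
        "Image": "/usr/bin/grep",
        "CommandLine": "grep -c VMware /tmp/out.txt",
    },
}


def evaluate_samples() -> dict[str, bool]:
    """Return the rule outcome for each sample event by name."""
    return {name: rule_matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'ok   '} {name}")
```

Running the block shows that the first three events alert and the last two do not. Note that selection_cmd1 is a bare substring test, so "-l" also matches inside longer flags such as "-ld"; the specificity of the rule comes from selection_cmd2, which is why "ioreg -l" on its own stays below the bar.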
