Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Indexed Rules: 3,707 (Ready to search)

Backends: 17 (Live from sigconverter.io)

CLI Versions: 10 (Newest: 2.0.2)

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule: System Information Discovery Using Ioreg

Target Profile: Splunk (Splunk SPL & tstats data model queries)

Format Mode: Default (Plain SPL queries)

Conversion Output

System Information Discovery Using Ioreg

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

Backend: Splunk · Format: Default · Version: 2.0.2

title: System Information Discovery Using Ioreg
id: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0
status: test
description: |
    Detects the use of "ioreg" which will show I/O Kit registry information.
    This process is used for system information discovery.
    It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
references:
    - https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior
    - https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior
    - https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior
    - https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
modified: 2024-01-02
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: macos
    category: process_creation
detection:
    # Examples:
    #   /bin/bash /bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l
    #   /usr/sbin/ioreg ioreg -rd1 -w0 -c AppleAHCIDiskDriver
    #   /bin/bash /bin/sh -c ioreg -l | grep -e 'USB Vendor Name'
    #   ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }
    selection_img:
        - Image|endswith: '/ioreg'
        - CommandLine|contains: 'ioreg'
    selection_cmd1:
        CommandLine|contains:
            - '-l'
            - '-c'
    selection_cmd2:
        CommandLine|contains:
            - 'AppleAHCIDiskDriver'
            - 'IOPlatformExpertDevice'
            - 'Oracle'
            - 'Parallels'
            - 'USB Vendor Name'
            - 'VirtualBox'
            - 'VMware'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: medium
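To see what the rule above actually matches before it is translated, the following added example (it is not Phoenix Studio code and not part of the Sigma project or sigma-cli) is a minimal Python evaluator for the Sigma semantics this rule relies on: case-insensitive string matching, the contains and endswith modifiers, a list of values as OR, a map of fields as AND, a list of maps as OR, and the "all of selection_*" condition. The detection block is transcribed as Python literals with the same keys and values as the YAML; the sample events are constructed here (the four command lines quoted in the rule's own comments plus two non-matching ones) and use the Sigma process_creation field names Image and CommandLine. It only illustrates the logic; for production translation use the page's own sigma convert command.

```python
"""Added example (not part of Phoenix Studio or the Sigma project): evaluate the
ioreg discovery rule's detection block over constructed process_creation events."""

# Transcribed from the rule's detection section (comments omitted).
DETECTION = {
    "selection_img": [                          # list of maps: OR between items
        {"Image|endswith": "/ioreg"},
        {"CommandLine|contains": "ioreg"},
    ],
    "selection_cmd1": {                         # map: AND between keys
        "CommandLine|contains": ["-l", "-c"],   # list of values: OR
    },
    "selection_cmd2": {
        "CommandLine|contains": [
            "AppleAHCIDiskDriver", "IOPlatformExpertDevice", "Oracle",
            "Parallels", "USB Vendor Name", "VirtualBox", "VMware",
        ],
    },
}


def _field_matches(event, key, values):
    """Evaluate one 'field|modifier: value(s)' pair.

    Sigma string matching is case-insensitive, and a list of values is an OR.
    Only the modifiers this rule needs (plus startswith and exact) are handled."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    if not isinstance(values, list):
        values = [values]
    for value in values:
        value = str(value).lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def _selection_matches(event, selection):
    """A map is an AND of its field pairs; a list of maps is an OR of its items."""
    if isinstance(selection, list):
        return any(_selection_matches(event, item) for item in selection)
    return all(_field_matches(event, key, vals) for key, vals in selection.items())


def rule_matches(event, detection=DETECTION):
    """condition: all of selection_*  ->  every selection_* block must match."""
    return all(_selection_matches(event, sel)
               for name, sel in detection.items() if name.startswith("selection_"))


# Constructed sample events. The first four are the command lines quoted in the
# rule's comments; the last two are benign and should not fire: selection_cmd1
# ('-l' / '-c') on its own is very broad, so selection_cmd2's keyword list is what
# gives the rule its specificity.
SAMPLE_EVENTS = [
    {"Image": "/bin/bash",
     "CommandLine": "/bin/bash /bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' "
                    "-e 'VMware' -e 'Parallels' | wc -l"},
    {"Image": "/usr/sbin/ioreg",
     "CommandLine": "/usr/sbin/ioreg ioreg -rd1 -w0 -c AppleAHCIDiskDriver"},
    {"Image": "/bin/bash",
     "CommandLine": "/bin/bash /bin/sh -c ioreg -l | grep -e 'USB Vendor Name'"},
    {"Image": "/usr/sbin/ioreg",
     "CommandLine": "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ "
                    "{ split($0, line, \"\\\"\"); printf(\"%s\", line[4]); }'"},
    {"Image": "/usr/sbin/ioreg", "CommandLine": "ioreg -l"},
    {"Image": "/usr/sbin/system_profiler",
     "CommandLine": "system_profiler SPHardwareDataType"},
]


def evaluate_samples(events=SAMPLE_EVENTS):
    """Return one boolean per event: True where the rule would fire."""
    return [rule_matches(event) for event in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        print("MATCH " if hit else "      ", event["CommandLine"][:72])
```

Running it shows the four documented command lines firing and the two benign events staying quiet; feeding it your own process_creation records is a quick way to sanity-check the rule's reach before trusting the backend-native query that sigma-cli produces.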

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml