ioreg #

Created by Cedric Owens (@cedowens)

Description ##

The I/O Kit registry (ioreg) is a useful binary that can be used to gather data such as detecting if a VM is used, getting USB device vendor names, checking if a screen is locked, etc.

Paths ##

• /usr/sbin/ioreg

Use Cases ##

Use ioreg to check whether the remote macOS screen is locked. ##

The following command will display a list of keys that contain “CGSSession”. If the key “CGSSessionScreenIsLocked” is present, the screen is actively locked.

ioreg -n Root -d1 -a | grep CGSSession

Use ioreg to check whether the host is on a physical machine or a VM ##

Check the output of this command (specifically the IOPlatformSerialNumber, board-id, and manufacturer fields) to check whether or not this host is in a virtual machine.

ioreg -rd1 -c IOPlatformExpertDevice

Use ioreg to check USB device vendor names ##

Grep for “USB Vendor Name” values to view USB vendor names. On virtualized hardware these values may contain the hypervisor name such as “VirtualBox”. This is an additional way to check for virtualization.

ioreg -rd1 -c IOUSBHostDevice

Check all ioreg properties for hypervisor names. ##

Grep for “virtual box”, “oracle”, and “vmware” from the output of the ioreg -l command. This is an additional way to check for virtualization.

ioreg -l

Detections ##

• System Information Discovery Using Ioreg

• Jamf Protect: Ioreg used to detect if the screen is locked

Resources ##

• Evasions: macOS

• SwiftBelt-JXA Situational Awareness Tool