
Summary
This detection rule identifies execution of the ioreg command on macOS. ioreg reads the I/O Kit registry and is a convenient source of hardware and driver details, which makes it useful for system information discovery. It is frequently used for reconnaissance in malicious activity, either invoked directly or wrapped in a shell command whose output is piped through grep to pull out specific strings of interest. The rule matches ioreg usage, particularly when it is called with certain arguments or appears in longer command lines that reference related components such as disk drivers or virtualization platforms. This technique has been observed in real-world attacks as part of information-harvesting behavior. An alert is raised when either the ioreg command itself is executed or its output is filtered for sensitive information within the command line arguments.
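The two trigger conditions described above, written out as matching logic over process events. This is an added illustration, not the rule's own query or any vendor's code; the event fields (image path, command line), the word-splitting approach and the sample events are assumptions constructed for the example.

```python
import re

# Constructed sample process-creation events standing in for endpoint telemetry.
# "image" is the executable path, "cmdline" the full command line as observed.
SAMPLE_EVENTS = [
    {"image": "/usr/sbin/ioreg", "cmdline": "ioreg -l"},
    {"image": "/bin/sh", "cmdline": "/bin/sh -c 'ioreg -l | grep -i virtualbox'"},
    {"image": "/bin/sh", "cmdline": "/bin/sh -c 'ls /Volumes | grep -i backup'"},
    {"image": "/usr/bin/grep", "cmdline": "grep ioregistry notes.txt"},
]

# Separators between words in a shell command line: whitespace, pipes,
# command separators, subshell parentheses and quotes.
_WORD_SPLIT = re.compile(r"""[\s|;&()'"]+""")


def command_words(cmdline):
    """Split a command line into bare words, stripping directory components
    so '/usr/sbin/ioreg' and 'ioreg' compare equal. Whole-word matching avoids
    substring hits such as 'ioregistry'."""
    return [w.rsplit("/", 1)[-1] for w in _WORD_SPLIT.split(cmdline) if w]


def match_ioreg_discovery(event):
    """Apply the rule's two conditions to a single event.
    Returns a short reason string on a match, or None when the event is benign."""
    # Condition 1: the ioreg binary is the process image itself.
    if event["image"].rsplit("/", 1)[-1] == "ioreg":
        return "ioreg executed directly"
    # Condition 2: a shell wrapper runs ioreg and filters its output with grep.
    words = command_words(event["cmdline"])
    if "ioreg" in words and "grep" in words:
        return "ioreg output filtered through grep"
    return None


def scan(events):
    """Return (command line, reason) pairs for every event that fires the rule."""
    hits = []
    for event in events:
        reason = match_ioreg_discovery(event)
        if reason:
            hits.append((event["cmdline"], reason))
    return hits


if __name__ == "__main__":
    for cmdline, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT: {reason}: {cmdline}")
```

Of the four constructed events, the first two fire and the last two do not; the final one shows why matching on whole words rather than substrings matters.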
Categories
- macOS
- Endpoint
- Other
Data Sources
- Process
Created: 2023-12-20