<p>Upon reading Mandiant’s <a href="https://www.mandiant.com/resources/blog/north-korea-supply-chain">“North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack”</a>, one of the artifacts that stood out to me was the usage of XProtect’s Behavior Service DB. Until now, I had assumed all XProtect detections were signature-based, but it sounds like Apple may be testing some behavioral-based rules to flag suspicious process executions in newer versions of…
<p>On Dec 11, 2017, I published the initial release of DetectionLab. I never expected the project to garner the attention that it did, and I couldn’t be more thankful for all of the positive experiences that came about from building it. However, after nearly 6 years of actively maintaining, expanding, and improving the project, I think it’s finally time to call it a day on DetectionLab development.</p>
<p>Over the past few years, I’ve occasionally needed to do some quick forensics on Linux hosts. Each time I do, I find myself stitching together 5-10 different pages of content to pull together the information I need to grab the disk and memory collections.</p>