<p>Upon reading Mandiant’s <a href="https://www.mandiant.com/resources/blog/north-korea-supply-chain">“North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack”</a>, one of the artifacts that stood out to me was the usage of XProtect’s Behavior Service DB. Until now, I had assumed all XProtect detections were signature based, but it sounds like Apple may be testing some behavioral-based rules to flag suspicious process executions in newer versions of…
Leveraging osquery to examine the XProtect Behavioral Service DB
