https://clo.ng/categories/macos/ Recent content in Macos on clo.ng Hugo en-US Thu, 27 Jul 2023 00:00:00 +0000 https://clo.ng/blog/osquery-xpdb/ Thu, 27 Jul 2023 00:00:00 +0000 https://clo.ng/blog/osquery-xpdb/ <p>Upon reading Mandiant&rsquo;s <a href="https://www.mandiant.com/resources/blog/north-korea-supply-chain">&ldquo;North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack&rdquo;</a>, one of the artifacts that stood out to me was the usage of XProtect&rsquo;s Behavior Service DB. Until now, I had assumed all XProtect detections were signature based, but it sounds like Apple may be testing some behavioral-based rules to flag suspicious process executions in newer versions of MacOS.</p> <h1 id="examining-the-db-locally-using-sqlite3">Examining the DB locally using sqlite3</h1> <p>If you&rsquo;d like to take a look at the DB on your own system, you can simply run <code>sudo sqlite3 /var/protected/xprotect/XPdb</code>:</p>