https://clo.ng/categories/osquery/ Recent content in Osquery on clo.ng Hugo en-US Thu, 27 Jul 2023 00:00:00 +0000 https://clo.ng/blog/osquery-xpdb/ Thu, 27 Jul 2023 00:00:00 +0000 https://clo.ng/blog/osquery-xpdb/ <p>Upon reading Mandiant&rsquo;s <a href="https://www.mandiant.com/resources/blog/north-korea-supply-chain">&ldquo;North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack&rdquo;</a>, one of the artifacts that stood out to me was the usage of XProtect&rsquo;s Behavior Service DB. Until now, I had assumed all XProtect detections were signature based, but it sounds like Apple may be testing some behavioral-based rules to flag suspicious process executions in newer versions of MacOS.</p> <h1 id="examining-the-db-locally-using-sqlite3">Examining the DB locally using sqlite3</h1> <p>If you&rsquo;d like to take a look at the DB on your own system, you can simply run <code>sudo sqlite3 /var/protected/xprotect/XPdb</code>:</p> https://clo.ng/blog/osquery_reverse_shell/ Sun, 21 Jan 2018 00:00:00 +0000 https://clo.ng/blog/osquery_reverse_shell/ <h2 id="reverse-shell-detection">Reverse Shell Detection</h2> <p>One challenge when it comes to building defenses for MacOS are the numerous scripting languages that come pre-installed with the operating system. While it may be convenient for developers, it provides attackers with a variety of methods for establishing persistence and bootstrapping connections to command and control servers.</p> <p>Once attackers gain a foothold on systems, they frequently like to gain shell access by launching reverse shells. The benefits of this are well documented <a href="https://andreafortuna.org/cybersecurity/some-thoughts-about-reverse-shells/">here</a>. As you might expect, there are numerous ways to initiate these connections using native utilities such as:</p>