Enhanced Network Visibility: Falcon macOS Sensor Updates BLOG Featured Now Live: The CrowdStrike 2026 Financial Services Threat Landscape Report May 14, 2026 Falcon AIDR Detects Threats at the Prompt Layer in Kubernetes AI Applications May 13, 2026 May 2026 Patch Tuesday: 30 Critical Vulnerabilities Among 130 CVEs May 12, 2026 Inside CrowdStrike Automated Leads: A Transformative Approach to Threat Detections May 11, 2026 Recent Video Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019 Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VIDEO] Feb 21, 2019 Analyzing Targeted Intrusions Through the ATT&CK Framework Lens [VIDEO] Jan 22, 2019 Qatar’s Commercial Bank Chooses CrowdStrike Falcon®: A Partnership Based on Trust [VIDEO] Aug 20, 2018 Category Agentic SOC How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem 03/25/26 CrowdStrike Services and Agentic MDR Put the Agentic SOC in Reach 03/24/26 4 Ways Businesses Use CrowdStrike Charlotte AI to Transform Security Operations 03/12/26 Inside the Human-AI Feedback Loop Powering CrowdStrike’s Agentic Security 02/10/26 Cloud & Application Security 05/13/26 CrowdStrike Named a Leader in Frost & Sullivan 2026 Radar for Cloud-Native Application Protection Platforms 04/27/26 CrowdStrike Expands Real-Time Cloud Detection and Response to Google Cloud 04/22/26 CrowdStrike Falcon Cloud Security Delivered 264% ROI Through Unified Cloud Protection Threat Hunting & Intel 05/14/26 CrowdStrike Named a Leader in the First-Ever Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies 05/06/26 CrowdStrike Launches Falcon OverWatch for Defender 05/05/26 Tune In: The Future of AI-Powered Vulnerability Discovery 05/01/26 Endpoint Security & XDR 05/11/26 CrowdStrike Falcon Platform Achieves 441% ROI in Three Years 04/21/26 Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management 04/01/26 Enhanced Network Visibility: A Dive into the Falcon macOS Sensor's New Capabilities 03/11/26 Engineering & Tech EMBER2024: Advancing the Training of Cybersecurity ML Models Against Evasive Malware 09/03/25 Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery on macOS 08/20/25 CrowdStrike’s Approach to Better Machine Learning Evaluation Using Strategic Data Splitting 08/11/25 CrowdStrike Researchers Develop Custom XGBoost Objective to Improve ML Model Release Stability 03/20/25 Executive Viewpoint Frontier AI Is Collapsing the Exploit Window.
Here’s How Defenders Must Respond. 04/20/26 Frontier AI for Defenders: CrowdStrike and OpenAI TAC 04/16/26 Anthropic Claude Mythos Preview: The More Capable AI Becomes, the More Security It Needs 04/06/26 The Architecture of Agentic Defense: Inside the Falcon Platform 01/16/26 From The Front Lines CrowdStrike Technical Risk Assessments Reveal Common Exposure Patterns 05/04/26 Introducing the CrowdStrike Shadow AI Visibility Service CrowdStrike Flex for Services Expands Access to Elite Security Expertise From Scanner to Stealer: Inside the trivy-action Supply Chain Compromise 03/20/26 Next-Gen Identity Security Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse 03/31/26 CrowdStrike FalconID Brings Phishing-Resistant MFA to Falcon Next-Gen Identity Security 02/26/26 CrowdStrike Named a Customers’ Choice in 2026 Gartner® Peer Insights™ Voice of the Customer for User Authentication 02/12/26 CrowdStrike to Acquire Seraphic to Secure Work in Any Browser 01/13/26 Next-Gen SIEM & Log Management Falcon Next-Gen SIEM Supports Third-Party EDR Tools, Starting with Microsoft Defender 03/23/26 Falcon Next-Gen SIEM Simplifies Onboarding with Sensor-Native Log Collection 03/06/26 Exposing Insider Threats through Data Protection, Identity, and HR Context 02/18/26 How to Scale SOC Automation with Falcon Fusion SOAR 02/11/26 Public Sector CrowdStrike Innovates to Modernize National Security and Protect Critical Systems 03/18/26 Falcon Platform for Government Now Offers Falcon for XIoT to Secure Connected Assets CrowdStrike Achieves FedRAMP® High Authorization 03/19/25 NHS Matures Healthcare Cybersecurity with NCSC’s CAF Assurance Model 03/13/25 Exposure Management 05/12/26 April 2026 Patch Tuesday: Two Zero-Days and Eight Critical Vulnerabilities Among 164 CVEs 04/14/26 How CrowdStrike Is Accelerating Exposure Evaluation as Adversaries Gain Speed 04/05/26 March 2026 Patch Tuesday: Eight Critical Vulnerabilities and Two Publicly Disclosed Among 82 CVEs Patched 03/10/26 Securing AI CrowdStrike Expands ChatGPT Enterprise Integration with Enhanced Audit Logging and Activity Monitoring 04/28/26 New CrowdStrike Innovations Secure AI Agents and Govern Shadow AI Across Endpoints, SaaS, and Cloud Secure Homegrown AI Agents with CrowdStrike Falcon AIDR and NVIDIA NeMo Guardrails 03/19/26 Introducing "AI Unlocked: Decoding Prompt Injection," a New Interactive Challenge Data Security Falcon Data Security Secures Data Wherever It Lives and Moves Falcon Data Protection for Cloud Extends DSPM into Runtime 11/20/25 CrowdStrike Stops GenAI Data Leaks with Unified Data Protection 09/18/25 Q&A: How Mastronardi Produce Secures Innovation with CrowdStrike 02/14/25 Start Free Trial March 11, 2026 Ash Leslie - Colton Terrace - Chris Kent The much-anticipated Enhanced Network Visibility feature for macOS is now generally available in sensor version 7.29 or later.
This new capability provides insight and improved visibility into network traffic occurring on macOS endpoints, creating a more sophisticated and comprehensive model of process behavior. In this blog, we provide an in-depth overview of this new capability. We showcase detection enablement and numerous threat hunting applications, now enabled by Enhanced Network Visibility for macOS, and dive into new network capabilities built to empower threat hunters and detection teams against threat actor activity.
What Is Enhanced Network Visibility? Enhanced network visibility supplements process activity monitoring with attributes derived from the contents of network traffic. Moving beyond basic network address and port data, this enhanced monitoring identifies specific application protocols, analyzes TLS (encrypted) traffic characteristics, and examines plaintext HTTP traffic attributes, further enriching the robust data set the Falcon sensor provides.
This capability leverages the latest Apple-native content filter APIs to enable enhanced network visibility with the least possible impact on network performance. The content filter API allows the sensor to intercept the least amount of data possible, allowing data for a network flow to bypass interception completely once the traffic has been identified. This targeted approach offers significant efficiency advantages over packet-based inspection methods, minimizing system impact while maximizing detection capabilities, all the while being an opt-in feature, allowing customers the choice to enable within their environments One of the new exciting features is the integration of JA4 fingerprinting (ref: https://foxio.io/ ).
JA4 provides a summarized representation, or “signature,” of the capabilities and configuration of a specific TLS client library. This signature is derived from the TLS "client hello" packet, the first step in establishing a secure connection. JA4 can be used to differentiate between otherwise indistinguishable TLS connections, and can provide evidence of proxying, if a single process exhibits several unique signatures.
JA4 was designed by FoxIO to replace JA3, which is not compatible with the TLS client extension randomized reordering employed by modern browsers and bots. Supported Protocols At launch, Enhanced Network Visibility will support parsing of plaintext HTTP requests and responses and TLS client hello packets. Additionally, the feature will identify the use of HTTP, TLS, SOCKS4/5, Wireguard, SSH, SMB, VNC, ARD, and DNS on any network port, emitting an AppProtocolDetected event when a process makes use of one of these protocols.
Proxy visibility is also supported. Protocol AppProtocol Value Capability Description HTTP 1.x 110 Identify & Inspect Plaintext HTTP requests and responses TLS 102 Identify & Inspect TLS client hello (client session establishment) SOCKS4 SOCKS5 104 Identify & Inspect Traffic encapsulated within a SOCKS4 or SOCKS5 proxy is supported transparently Wireguard 105 Identify Wireguard VPN SSH 108 Identify Secure shell SMB 112 Identify File sharing VNC, ARD 107 Identify Apple Remote Desktop (ARD) or VNC screen sharing QUIC 103 Identify IETF QUIC (and HTTP/3) traffic.
Encrypted, but can process the embedded TLS client hello. DNS 100 Identify & Inspect Domain Name System New CrowdStrike Falcon Next-Gen SIEM Events #event_simpleName=HttpRequest This event contains the request type, URL, headers, and body of a plaintext HTTP request. New interesting key/value pairs for this event are outlined below: #event_simpleName=HttpResponse This event contains the response code and headers of a plaintext HTTP response.
New interesting key/value pairs for this event are outlined below: #event_simpleName=TlsClientHello This event contains information derived from the client side of a TLS client connection establishment, including the server name indication value (SNI), next protocol (ALPN), and the JA3 and JA4 client fingerprints . New interesting key/value pairs for this event are outlined below: #event_simpleName=AppProtocolDetected This event contains the network protocol in use that has been identified.
It supplements host/port information provided by existing network-based telemetry, including NetworkConnect, NetworkAccept, etc. New interesting key/value pairs for this event are outlined below: How to Enable macOS Enhanced Network Visibility To enable this feature, navigate to the Mac Prevention Policies and configure an existing policy, or create a new policy, with the “Enhanced Network Visibility” toggle enabled ([ US-1 ] [ US-2 ] [ EU ]).
Figure 1. Enhanced Network Visibility toggle Threat Hunting Examples Threat hunting is by nature designed to surface activity that is interesting or suspicious, and with further refinement can lead to the creation of detections to alert on the activity if observed again. CrowdStrike Falcon® Next-Gen SIEM provides this capability via an easy single-click button that guides the user through the conversion of the Falcon Next-Gen SIEM search query into a Falcon Next-Gen SIEM detection rule.
Figure 2. Create rule single-click functionality The following Falcon Next-Gen SIEM Advanced Event Search queries are provided to empower customers to hunt for abnormal activity and create detections relevant to their threat models. Please note, in the following searches, the generated “GraphExplorer” URL is for US-1 customers. For US-2 and EU-based customers, please modify the URL to be “ https://falcon.us-2.crowdstrike.com ” and “ https://falcon.eu-1.crowdstrike.com ” as required.
Hunting for ClickFix and Abnormal LOLBIN Activity Let's take a look at a recently reported ClickFix sample . What we see here is a common methodology to lure victims into downloading malicious payloads. Figure 3. ClickFix social engineering example First, the user is socially engineered into copying and executing a malicious shell script into the terminal. This shell script reaches out to a URL and pipes the contents straight into another shell.
The second shell script, once passed through some decoding routines, executes malicious instructions telling Curl to reach out to another URL (which contains malicious AppleScript) and pass the contents straight into Osascript for further execution. If allowed to continue this far, the AppleScript undertakes relatively standard host reconnaissance, resulting in downloading and executing an infostealer MachO binary.
Common HTTP URL Structure First, we can hunt for the common URL and HttpPath structure that is observed in the various HTTP requests during the delivery of the shell scripts and AppleScript payloads. #event_simpleName="HttpRequest" event_platform=Mac HttpPath=/(?:build|dynamic\?)txd\=/i | format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer) | table([@timestamp, aid, GraphExplorer, HttpPath, HttpHost, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000) We can also hunt for the UserAgent string “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36” observed by Curl in this attack chain. #event_simpleName="HttpRequest" event_platform=Mac ImageFileName=/curl/ HttpUserAgent=/AppleWebKit\/537\.36/ | table([@timestamp, aid, GraphExplorer, HttpUserAgent, HttpPath, HttpHost, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000) LOLBIN Activity Chain A commonly observed pattern of activity with the “ClickFix” style of social engineering and InfoStealer delivery is the pattern of using living off the land binaries (LOLBINs) to undertake the downloading of binaries (via curl), removing the quarantine attribute (via xattr) and setting the binary as executable (via chmod).
We can hunt for this sequence within Falcon Next-Gen SIEM using a combination of the newly provided network telemetry, as well as existing process-related data, using the former to enrich the latter. Using the Falcon LogScale function “ correlate ” allows us to define a set of requirements (similar to subsearches), which we can use to identify the usage of the common LOLBINs and suspicious network traffic within a set time frame across a single endpoint — providing us with a curated data set of possible attacker activity that may indicate malicious payloads arriving in our environments. event_platform=Mac | correlate( Macho_Written: { #event_simpleName="MachOFileWritten" } include: [ContextBaseFileName, TargetFileName, ContextProcessId, GraphExplorer], Curl_HttpRequest: { #event_simpleName=HttpRequest FileName=curl } include: [ImageFileName, CommandLine, HttpHost, HttpPath, ContextProcessId, GraphExplorer], Remove_Quarantine: { #event_simpleName=ProcessRollup2 FileName=xattr } include: [FileName, CommandLine, TargetProcessId, GraphExplorer], Add_chmod: { #event_simpleName=ProcessRollup2 FileName=chmod globalConstraints=[aid], sequence=false, within=1m Hunting for Adload A common methodology employed by Adload adware/malware is the usage of Go UserAgents in its HTTP traffic.
We can hunt for this behavior in conjunction with other attributes such as unsigned or adhoc signed binaries, and process execution from commonly abused file paths such as /tmp/. For this search, we can use a simple join function to correlate the HttpRequest data with the process data (i.e., ProcessRollup2 event). #event_simpleName=ProcessRollup2 TeamId="-" ImageFileName=/\/tmp\// | join({event_platform=Mac #event_simpleName=HttpRequest HttpUserAgent="Go-http-client/1.1"}, field=TargetProcessId, key=ContextProcessId, include=[HttpRequestHeader, HttpMethod, HttpRequestHeader, HttpHost, HttpPath, HttpBodyAsString], limit=20000) | groupBy([aid, GraphExplorer, ImageFileName, CommandLine, HttpHost, HttpPath]) Hunting Use of Clawdbot/OpenClaw via Network Traffic Let's look at a more topical concern impacting customer environments, the usage (authorized or not) of AI assistant tools such as Clawdbot/OpenClaw, and how we can identify use within our environments via network traffic.
HTTP Traffic to Controller Interface Default usage of Clawdbot/OpenClaw will configure the controller to run on port 18789, with access normally provided via the browser and HttpRequests to the service running locally, hosted within a container or configured on a remote host. event_platform=Mac #event_simpleName=HttpRequest RemotePort=18789 HttpPath=/(?:openclaw|moltbot|clawdbot)/ Hunting Common C2 Frameworks Mythic is a widely popular and versatile red teaming framework built for macOS operations.
Common Mythic Agents including Apfell, Poseidon, Merlin, and others can be built to natively execute on macOS devices, but when deployed in their default and commonly observed configurations, they are highly targetable using network telemetry and process behaviors. Default Usage of HTTP C2 Profile Most Mythic Agents can be configured to utilize the HTTP C2 profile, which makes it a popular and easy choice for red teamers and penetration testers.
When configured to not use TLS connections (which requires certificates to be generated) and with standard/default HTTP parameters including UserAgent, URI paths, etc., the HTTP C2 profile usage can be easily hunted against. #event_simpleName="HttpRequest" event_platform=Mac | base64Decode("HttpBodyAsString", as="DecodedBody") | regex(field=DecodedBody, "(?<guid>.+?){(?<json_payload>.+?)}") | regex(field=json_payload, regex="action\":\"(?<action>.+?)\"") | groupBy([aid, ContextProcessId, FileName, GraphExplorer], function=collect([action, json_payload],separator=",")) Default JA4 Fingerprints for Mythic and Sliver Certain Mythic Agents, again configured with default options, generate unique and “huntable” JA4 fingerprints.
This is also seen with default-generated Sliver C2 framework agents. A public collection of JA4 fingerprints mapped against process names is available at https://ja4db.com/ . This data provides a wealth of information to begin hunting processes and build out additional hunting hypotheses. #event_simpleName=TlsClientHello event_platform=Mac | TlsClientFingerprintJa4=t13d190900_9dc949149365_97f8aa674fd9 OR TlsClientFingerprintJa4=t13d0511h1_1adb828df2d1_e7c285222651 Hunting for Abnormal SNI Values The Server Name Indication (SNI) value serves a valuable purpose during the TLS handshake, and it can also be leveraged to identify abnormal activity occurring on hosts, including data exfiltration.
Let's look for a TlsClientHello event containing a TlsServerName (i.e., SNI) value that doesn’t look like a standard domain name/URL. We can then map that back to process data. defineTable( query={event_platform=Mac #event_simpleName=TlsClientHello TlsServerName!=/\./ TlsServerName=* | groupBy(aid, ImageFileName, ContextProcessId, TlsServerName, TlsClientFingerprintJa4)}, name="abnormal_SNI", start=7d, include=*) | event_platform=Mac #event_simpleName="ProcessRollup2" | match(file="abnormal_SNI", field="TargetProcessId", column="ContextProcessId") | table([@timestamp, aid, GraphExplorer, TlsServerName, TlsClientFingerprintJa4, TeamId, SigningId, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000) Hunting for Application Tunnelling Application tunnelling is an advanced technique utilized by threat actors and red teamers alike.
The technique allows encapsulating network traffic inside other legitimate and allowed protocols, blending in with other applications on the endpoint, bypassing network layer defenses, and providing an ingress point into environments. We can hunt for this in a number of different ways. Multiple Unique JA4 Fingerprints The following threat hunt focuses on identifying a single process generating multiple and distinct JA4 fingerprints.
While not unusual for a process to be observed with multiple fingerprints (e.g., when negotiating a TLS connection to a server, the request can be upgraded or downgraded based on available TLS versions/ciphers, which in turn generate multiple JA4 fingerprints), the hunt is focused on the distinctness of the middle and last blocks found in the JA4 fingerprint when compared to each other. When reviewed in the context of what those blocks represent, it indicates the likelihood that another application's network traffic is potentially being tunneled through this process. query={ #event_simpleName=TlsClientHello event_platform=Mac | splitString(by="\_", as=JA4Blocks, field=TlsClientFingerprintJa4) | groupBy([aid, ContextProcessId, ImageFileName], function=[count(field=JA4Blocks[1], as=countBlock1, distinct=true), count(field=JA4Blocks[2], as=countBlock2, distinct=true), collect(TlsClientFingerprintJa4), collect(JA4Blocks[0]), collect(JA4Blocks[1]), collect(JA4Blocks[2])]) | countBlock1 > 1 | countBlock2 > 1 | groupBy([aid, ContextProcessId, ImageFileName, CommandLine, TlsClientFingerprintJa4, JA4Blocks[0], JA4Blocks[1], JA4Blocks[2]]) }, name="multiple_ja4hahes", start=7d, include=*) | event_platform=Mac #event_simpleName="ProcessRollup2" TeamId="-" | NOT in(field="ImageFileName", values=["/System/*", "/usr/*"]) | match(file="multiple_ja4hahes", field="TargetProcessId", column="ContextProcessId") | table([@timestamp, aid, GraphExplorer, TlsClientFingerprintJa4, TeamId, SigningId, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000) ImageFileName has been filtered to exclude the /System/ and /usr/ directories, but this will likely need to be expanded once a general search has identified “known good processes or execution paths” for processes and applications such as proxies and VPNs.
Playing around with what JA4 blocks are distinct will produce different results and further hunting opportunities. Multiple AppProtocol Events on a Single Process This next hunt looks for similar activity but takes a different approach via usage of AppProtocolDetected events. We are hunting for a single process observed generating network traffic matching different supported protocols. This could be a single process generating SSH and HTTP traffic, which in most cases is abnormal outside the scope of expected application families such as VPNs and proxies.
This abnormality could be an indication that the process is tunneling network traffic and acting as an ingress point into your environment. query={ #event_simpleName=AppProtocolDetected event_platform=Mac | case{ "AppProtocol"="0" | AppProtocolReadable:="UNSUPPORTED"; "AppProtocol"="100" | AppProtocolReadable:="DNS"; "AppProtocol"="102" | AppProtocolReadable:="TLS"; "AppProtocol"="103" | AppProtocolReadable:="QUIC"; "AppProtocol"="104" | AppProtocolReadable:="SOCKS4/5"; "AppProtocol"="105" | AppProtocolReadable:="WIREGUARD"; "AppProtocol"="107" | AppProtocolReadable:="VNC/ARD"; "AppProtocol"="108" | AppProtocolReadable:="SSH"; "AppProtocol"="110" | AppProtocolReadable:="HTTP"; "AppProtocol"="112" | AppProtocolReadable:="SMB"; | groupBy(aid, ImageFileName, ContextProcessId, function=[count(field=AppProtocolReadable, as=countAppProtocolReadable, distinct=true), collect(AppProtocolReadable)]) | countAppProtocolReadable > 1 }, name="multiple_appprotocols", start=7d, include=*) | match(file="multiple_appprotocols", field="TargetProcessId", column="ContextProcessId") | table([@timestamp, aid, GraphExplorer, AppProtocolReadable, TeamId, SigningId, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000) As in the previous hunt, ImageFileName has been filtered to exclude the /System/ and /usr/ directories, but this will likely need to be expanded once a general search has identified “known good processes or execution paths” for processes and applications such as proxies and VPNs.
Modifying the “countAppProtocolReadable” value to higher thresholds reduces the scope but requires more variety of network traffic to be identified before matching. Conclusion The Falcon sensor for macOS has been enhanced to provide improved detection and visibility of network traffic. We encourage security teams to ensure these features are enabled and are being used to hunt for and detect abnormal activity across their environments.
Additional Resources Read this blog to learn about our latest enhancements to the Falcon sensor on Linux platforms. For more information regarding infostealer impacting macOS, read this blog . Read the CrowdStrike 2026 Global Threat Report here . Related Content Categories CONNECT WITH US FEATURED ARTICLES May 06, 2026 May 05, 2026 SUBSCRIBE Sign up now to receive the latest notifications and updates from CrowdStrike.
Sign Up See CrowdStrike Falcon ® in Action Detect, prevent, and respond to attacks— even malware-free intrusions—at any stage, with next-generation endpoint protection. See Demo Falcon for XIoT Extends Asset Protection to Healthcare Environments Privacy Request Info Contact Us 1.888.512.8906 Accessibility