Enhanced Network Visibility: A Dive into the Falcon macOS Sensor's New Capabilities

The much-anticipated Enhanced Network Visibility feature for macOS is now generally available in sensor version 7.29 or later. This new capability provides insight and improved visibility into network traffic occurring on macOS endpoints, creating a more sophisticated and comprehensive model of process behavior. 

In this blog, we provide an in-depth overview of this new capability. We showcase detection enablement and numerous threat hunting applications, now enabled by Enhanced Network Visibility for macOS, and dive into new network capabilities built to empower threat hunters and detection teams against threat actor activity.

What Is Enhanced Network Visibility?

Enhanced network visibility supplements process activity monitoring with attributes derived from the contents of network traffic. Moving beyond basic network address and port data, this enhanced monitoring identifies specific application protocols, analyzes TLS (encrypted) traffic characteristics, and examines plaintext HTTP traffic attributes, further enriching the robust data set the Falcon sensor provides. 

This capability leverages the latest Apple-native content filter APIs to enable  enhanced network visibility with the least possible impact on network performance. The content filter API allows the sensor to intercept the least amount of data possible, allowing data for a network flow to bypass interception completely once the traffic has been identified. This targeted approach offers significant efficiency advantages over packet-based inspection methods, minimizing system impact while maximizing detection capabilities, all the while being an opt-in feature, allowing customers the choice to enable within their environments 

One of the new exciting features is the integration of JA4 fingerprinting (ref: https://foxio.io/).

JA4 provides a summarized representation, or “signature,” of the capabilities and configuration of a specific TLS client library. This signature is derived from the TLS "client hello" packet, the first step in establishing a secure connection. JA4 can be used to differentiate between otherwise indistinguishable TLS connections, and can provide evidence of proxying, if a single process exhibits several unique signatures. JA4 was designed by FoxIO to replace JA3, which is not compatible with the TLS client extension randomized reordering employed by modern browsers and bots. 

Supported Protocols

At launch, Enhanced Network Visibility will support parsing of plaintext HTTP requests and responses and TLS client hello packets.

Additionally, the feature will identify the use of HTTP, TLS, SOCKS4/5, Wireguard, SSH, SMB, VNC, ARD, and DNS on any network port, emitting an AppProtocolDetected event when a process makes use of one of these protocols. Proxy visibility is also supported.

New CrowdStrike Falcon Next-Gen SIEM Events

#event_simpleName=HttpRequest

This event contains the request type, URL, headers, and body of a plaintext HTTP request. New interesting key/value pairs for this event are outlined below:

#event_simpleName=HttpResponse

This event contains the response code and headers of a plaintext HTTP response. New interesting key/value pairs for this event are outlined below:

#event_simpleName=TlsClientHello

This event contains information derived from the client side of a TLS client connection establishment, including the server name indication value (SNI), next protocol (ALPN), and the JA3 and JA4 client fingerprints. New interesting key/value pairs for this event are outlined below:

#event_simpleName=AppProtocolDetected

This event contains the network protocol in use that has been identified. It supplements host/port information provided by existing network-based telemetry, including NetworkConnect, NetworkAccept, etc. New interesting key/value pairs for this event are outlined below:

How to Enable macOS Enhanced Network Visibility

To enable this feature, navigate to the Mac Prevention Policies and configure an existing policy, or create a new policy, with the “Enhanced Network Visibility” toggle enabled ([US-1] [US-2] [EU]).

Threat Hunting Examples

Threat hunting is by nature designed to surface activity that is interesting or suspicious, and with further refinement can lead to the creation of detections to alert on the activity if observed again. CrowdStrike Falcon® Next-Gen SIEM provides this capability via an easy single-click button that guides the user through the conversion of the Falcon Next-Gen SIEM search query into a Falcon Next-Gen SIEM detection rule. 

The following Falcon Next-Gen SIEM Advanced Event Search queries are provided to empower customers to hunt for abnormal activity and create detections relevant to their threat models. 

Please note, in the following searches, the generated “GraphExplorer” URL is for US-1 customers. For US-2 and EU-based customers, please modify the URL to be “https://falcon.us-2.crowdstrike.com” and “https://falcon.eu-1.crowdstrike.com” as required. 

Hunting for ClickFix and Abnormal LOLBIN Activity 

Let's take a look at a recently reported ClickFix sample. What we see here is a common methodology to lure victims into downloading malicious payloads.

First, the user is socially engineered into copying and executing a malicious shell script into the terminal. This shell script reaches out to a URL and pipes the contents straight into another shell. The second shell script, once passed through some decoding routines, executes malicious instructions telling Curl to reach out to another URL (which contains malicious AppleScript) and pass the contents straight into Osascript for further execution. If allowed to continue this far, the AppleScript undertakes relatively standard host reconnaissance, resulting in downloading and executing an infostealer MachO binary. 

Common HTTP URL Structure 

First, we can hunt for the common URL and HttpPath structure that is observed in the various HTTP requests during the delivery of the shell scripts and AppleScript payloads.

#event_simpleName="HttpRequest" event_platform=Mac HttpPath=/(?:build|dynamic\?)txd\=/i
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
| table([@timestamp, aid, GraphExplorer, HttpPath, HttpHost, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000)

We can also hunt for the UserAgent string “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36” observed by Curl in this attack chain. 

#event_simpleName="HttpRequest" event_platform=Mac ImageFileName=/curl/ HttpUserAgent=/AppleWebKit\/537\.36/
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
| table([@timestamp, aid, GraphExplorer, HttpUserAgent, HttpPath, HttpHost, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000)

LOLBIN Activity Chain

A commonly observed pattern of activity with the “ClickFix” style of social engineering and InfoStealer delivery is the pattern of using living off the land binaries (LOLBINs) to undertake the downloading of binaries (via curl), removing the quarantine attribute (via xattr) and setting the binary as executable (via chmod). We can hunt for this sequence within Falcon Next-Gen SIEM using a combination of the newly provided network telemetry, as well as existing process-related data, using the former to enrich the latter.

Using the Falcon LogScale function “correlate” allows us to define a set of requirements (similar to subsearches), which we can use to identify the usage of the common LOLBINs and suspicious network traffic within a set time frame across a single endpoint — providing us with a curated data set of possible attacker activity that may indicate malicious payloads arriving in our environments.

event_platform=Mac 
| correlate(
Macho_Written: {
#event_simpleName="MachOFileWritten" 
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
} include: [ContextBaseFileName, TargetFileName, ContextProcessId, GraphExplorer],

Curl_HttpRequest: {
#event_simpleName=HttpRequest FileName=curl
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
} include: [ImageFileName, CommandLine, HttpHost, HttpPath, ContextProcessId, GraphExplorer],
  
Remove_Quarantine: {
#event_simpleName=ProcessRollup2 FileName=xattr
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
} include: [FileName, CommandLine, TargetProcessId, GraphExplorer],

Add_chmod: {
#event_simpleName=ProcessRollup2 FileName=chmod
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
} include: [FileName, CommandLine, TargetProcessId, GraphExplorer],

globalConstraints=[aid], sequence=false, within=1m
)

Hunting for Adload 

A common methodology employed by Adload adware/malware is the usage of Go UserAgents in its HTTP traffic. We can hunt for this behavior in conjunction with other attributes such as unsigned or adhoc signed binaries, and process execution from commonly abused file paths such as /tmp/.

For this search, we can use a simple join function to correlate the HttpRequest data with the process data (i.e., ProcessRollup2 event).

event_platform=Mac  #event_simpleName=ProcessRollup2 TeamId="-" ImageFileName=/\/tmp\//
| join({event_platform=Mac #event_simpleName=HttpRequest HttpUserAgent="Go-http-client/1.1"}, field=TargetProcessId, key=ContextProcessId, include=[HttpRequestHeader, HttpMethod, HttpRequestHeader, HttpHost, HttpPath, HttpBodyAsString], limit=20000)
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, ImageFileName, CommandLine, HttpHost, HttpPath])

Hunting Use of Clawdbot/OpenClaw via Network Traffic

Let's look at a more topical concern impacting customer environments, the usage (authorized or not) of AI assistant tools such as Clawdbot/OpenClaw, and how we can identify use within our environments via network traffic.

HTTP Traffic to Controller Interface

Default usage of Clawdbot/OpenClaw will configure the controller to run on port 18789, with access normally provided via the browser and HttpRequests to the service running locally, hosted within a container or configured on a remote host.

event_platform=Mac #event_simpleName=HttpRequest RemotePort=18789 HttpPath=/(?:openclaw|moltbot|clawdbot)/ 
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
| table([@timestamp, aid, GraphExplorer, HttpPath, HttpHost, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000)

Hunting Common C2 Frameworks

Mythic is a widely popular and versatile red teaming framework built for macOS operations. Common Mythic Agents including Apfell, Poseidon, Merlin, and others can be built to natively execute on macOS devices, but when deployed in their default and commonly observed configurations, they are highly targetable using network telemetry and process behaviors.

Default Usage of HTTP C2 Profile

Most Mythic Agents can be configured to utilize the HTTP C2 profile, which makes it a popular and easy choice for red teamers and penetration testers. When configured to not use TLS connections (which requires certificates to be generated) and with standard/default HTTP parameters including UserAgent, URI paths, etc., the HTTP C2 profile usage can be easily hunted against.

#event_simpleName="HttpRequest" event_platform=Mac
| base64Decode("HttpBodyAsString", as="DecodedBody")
| regex(field=DecodedBody, "(?<guid>.+?){(?<json_payload>.+?)}")
| regex(field=json_payload, regex="action\":\"(?<action>.+?)\"")
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
| groupBy([aid, ContextProcessId, FileName, GraphExplorer], function=collect([action, json_payload],separator=","))

Default JA4 Fingerprints for Mythic and Sliver

Certain Mythic Agents, again configured with default options, generate unique and “huntable” JA4 fingerprints. This is also seen with default-generated Sliver C2 framework agents. A public collection of JA4 fingerprints mapped against process names is available at https://ja4db.com/. This data provides a wealth of information to begin hunting processes and build out additional hunting hypotheses.

#event_simpleName=TlsClientHello event_platform=Mac 
| TlsClientFingerprintJa4=t13d190900_9dc949149365_97f8aa674fd9 OR TlsClientFingerprintJa4=t13d0511h1_1adb828df2d1_e7c285222651

Hunting for Abnormal SNI Values

The Server Name Indication (SNI) value serves a valuable purpose during the TLS handshake, and it can also be leveraged to identify abnormal activity occurring on hosts, including data exfiltration.

Let's look for a TlsClientHello event containing a TlsServerName (i.e., SNI) value that doesn’t look like a standard domain name/URL. We can then map that back to process data.

defineTable(
query={event_platform=Mac #event_simpleName=TlsClientHello TlsServerName!=/\./ TlsServerName=*
| groupBy(aid, ImageFileName, ContextProcessId, TlsServerName, TlsClientFingerprintJa4)}, name="abnormal_SNI", start=7d, include=*)
| event_platform=Mac #event_simpleName="ProcessRollup2" 
| match(file="abnormal_SNI", field="TargetProcessId", column="ContextProcessId")
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| table([@timestamp, aid, GraphExplorer, TlsServerName, TlsClientFingerprintJa4, TeamId, SigningId, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000)

Hunting for Application Tunnelling

Application tunnelling is an advanced technique utilized by threat actors and red teamers alike. The technique allows encapsulating network traffic inside other legitimate and allowed protocols, blending in with other applications on the endpoint, bypassing network layer defenses, and providing an ingress point into environments. We can hunt for this in a number of different ways.

Multiple Unique JA4 Fingerprints 

The following threat hunt focuses on identifying a single process generating multiple and distinct JA4 fingerprints. While not unusual for a process to be observed with multiple fingerprints (e.g., when negotiating a TLS connection to a server, the request can be upgraded or downgraded based on available TLS versions/ciphers, which in turn generate multiple JA4 fingerprints), the hunt is focused on the distinctness of the middle and last blocks found in the JA4 fingerprint when compared to each other.

When reviewed in the context of what those blocks represent, it indicates the likelihood that another application's network traffic is potentially being tunneled through this process.

defineTable(
query={ #event_simpleName=TlsClientHello event_platform=Mac
| splitString(by="\_", as=JA4Blocks, field=TlsClientFingerprintJa4)
| groupBy([aid, ContextProcessId, ImageFileName], function=[count(field=JA4Blocks[1], as=countBlock1, distinct=true), count(field=JA4Blocks[2], as=countBlock2, distinct=true), collect(TlsClientFingerprintJa4), collect(JA4Blocks[0]), collect(JA4Blocks[1]), collect(JA4Blocks[2])])
| countBlock1 > 1
| countBlock2 > 1
| groupBy([aid, ContextProcessId, ImageFileName, CommandLine, TlsClientFingerprintJa4, JA4Blocks[0], JA4Blocks[1], JA4Blocks[2]])
}, name="multiple_ja4hahes", start=7d, include=*)
| event_platform=Mac #event_simpleName="ProcessRollup2" TeamId="-" 
| NOT in(field="ImageFileName", values=["/System/*", "/usr/*"])
| match(file="multiple_ja4hahes", field="TargetProcessId", column="ContextProcessId")
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| table([@timestamp, aid, GraphExplorer, TlsClientFingerprintJa4, TeamId, SigningId, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000)

ImageFileName has been filtered to exclude the /System/ and /usr/ directories, but this will likely need to be expanded once a general search has identified “known good processes or execution paths” for processes and applications such as proxies and VPNs.

Playing around with what JA4 blocks are distinct will produce different results and further hunting opportunities.

Multiple AppProtocol Events on a Single Process

This next hunt looks for similar activity but takes a different approach via usage of AppProtocolDetected events. We are hunting for a single process observed generating network traffic matching different supported protocols. This could be a single process generating SSH and HTTP traffic, which in most cases is abnormal outside the scope of expected application families such as VPNs and proxies. This abnormality could be an indication that the process is tunneling network traffic and acting as an ingress point into your environment.

defineTable(
query={ #event_simpleName=AppProtocolDetected event_platform=Mac
| case{
"AppProtocol"="0" | AppProtocolReadable:="UNSUPPORTED";
"AppProtocol"="100" | AppProtocolReadable:="DNS";
"AppProtocol"="102" | AppProtocolReadable:="TLS";
"AppProtocol"="103" | AppProtocolReadable:="QUIC";
"AppProtocol"="104" | AppProtocolReadable:="SOCKS4/5";
"AppProtocol"="105" | AppProtocolReadable:="WIREGUARD";
"AppProtocol"="107" | AppProtocolReadable:="VNC/ARD";
"AppProtocol"="108" | AppProtocolReadable:="SSH";
"AppProtocol"="110" | AppProtocolReadable:="HTTP";
"AppProtocol"="112" | AppProtocolReadable:="SMB";
}
| groupBy(aid, ImageFileName, ContextProcessId, function=[count(field=AppProtocolReadable, as=countAppProtocolReadable, distinct=true), collect(AppProtocolReadable)])
| countAppProtocolReadable > 1
}, name="multiple_appprotocols", start=7d, include=*)
| event_platform=Mac #event_simpleName="ProcessRollup2" TeamId="-"
| NOT in(field="ImageFileName", values=["/System/*", "/usr/*"])
| match(file="multiple_appprotocols", field="TargetProcessId", column="ContextProcessId")
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| table([@timestamp, aid, GraphExplorer, AppProtocolReadable, TeamId, SigningId, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000)

As in the previous hunt, ImageFileName has been filtered to exclude the /System/ and /usr/ directories, but this will likely need to be expanded once a general search has identified “known good processes or execution paths” for processes and applications such as proxies and VPNs. Modifying the “countAppProtocolReadable” value to higher thresholds reduces the scope but requires more variety of network traffic to be identified before matching. 

Conclusion

The Falcon sensor for macOS has been enhanced to provide improved detection and visibility of network traffic. We encourage security teams to ensure these features are enabled and are being used to hunt for and detect abnormal activity across their environments. 

Additional Resources

• Read this blog to learn about our latest enhancements to the Falcon sensor on Linux platforms.
• For more information regarding infostealer impacting macOS, read this blog.
• Read the CrowdStrike 2026 Global Threat Report here.