Enhanced Network Visibility: A Dive into the Falcon macOS Sensor's New Capabilities
CrowdStrike
March 11, 2026
Ash Leslie, Colton Terrace, Chris Kent | Endpoint Security & XDR
The much-anticipated Enhanced Network Visibility feature for macOS is now generally available in sensor version 7.29 or later. This new capability provides insight and improved visibility into network traffic occurring on macOS endpoints, creating a more sophisticated and comprehensive model of process behavior.
In this blog, we provide an in-depth overview of this new capability. We showcase detection enablement and numerous threat hunting applications, now enabled by Enhanced Network Visibility for macOS, and dive into new network capabilities built to empower threat hunters and detection teams against threat actor activity.
What Is Enhanced Network Visibility?
Enhanced network visibility supplements process activity monitoring with attributes derived from the contents of network traffic. Moving beyond basic network address and port data, this enhanced monitoring identifies specific application protocols, analyzes TLS (encrypted) traffic characteristics, and examines plaintext HTTP traffic attributes, further enriching the robust data set the Falcon sensor provides.
This capability leverages the latest Apple-native content filter APIs to enable enhanced network visibility with the least possible impact on network performance. The content filter API allows the sensor to intercept the least amount of data possible: once the traffic of a network flow has been identified, the remainder of that flow bypasses interception completely. This targeted approach offers significant efficiency advantages over packet-based inspection methods, minimizing system impact while maximizing detection capabilities. The feature is opt-in, so customers choose whether to enable it within their environments.
One of the new exciting features is the integration of JA4 fingerprinting (ref: https://foxio.io/).
JA4 provides a summarized representation, or “signature,” of the capabilities and configuration of a specific TLS client library. This signature is derived from the TLS "client hello" packet, the first step in establishing a secure connection. JA4 can be used to differentiate between otherwise indistinguishable TLS connections, and can provide evidence of proxying, if a single process exhibits several unique signatures. JA4 was designed by FoxIO to replace JA3, which is not compatible with the TLS client extension randomized reordering employed by modern browsers and bots.
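To make the fingerprint concrete, here is an added Python example (not CrowdStrike or FoxIO code) that parses a TLS ClientHello and derives the three JA4 blocks following the published FoxIO specification, using a hand-constructed ClientHello as input. It assumes the ALPN value is printable ASCII and omits the spec's hex fallback for non-printable ALPN bytes.

```python
import hashlib
import struct

# Added example: compute a JA4 client fingerprint (FoxIO spec) from a raw TLS
# ClientHello record. Not CrowdStrike sensor code; the sample ClientHello at
# the bottom is constructed by hand so the script runs offline.

GREASE = {0x0a0a + 0x1010 * i for i in range(16)}   # 0x0a0a, 0x1a1a, ..., 0xfafa
TLS_VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10"}


def _u16_list(data):
    return [v for (v,) in struct.iter_unpack("!H", data)]   # big-endian 16-bit values


def parse_client_hello(record):
    """Return (legacy_version, cipher_suites, [(ext_type, ext_data), ...]) in wire order."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or body[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    pos = 4                                   # handshake type (1) + length (3)
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32 + 1 + body[pos + 34]        # legacy_version, random, session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    ciphers = _u16_list(body[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + body[pos]                      # compression methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos, exts = pos + 2, []
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts.append((etype, body[pos + 4:pos + 4 + elen]))
        pos += 4 + elen
    return version, ciphers, exts


def ja4_parts(record, transport="t"):
    """Return the three JA4 blocks before hashing: (ja4_a, ja4_b_raw, ja4_c_raw)."""
    version, ciphers, exts = parse_client_hello(record)
    ext_map = dict(exts)
    if 0x002b in ext_map:                     # supported_versions wins over legacy_version
        version = max(v for v in _u16_list(ext_map[0x002b][1:]) if v not in GREASE)
    ver = TLS_VERSIONS.get(version, "00")
    ciphers = [c for c in ciphers if c not in GREASE]
    ext_types = [t for t, _ in exts if t not in GREASE]
    alpn = "00"
    if 0x0010 in ext_map:                     # first and last char of the first ALPN value
        first = ext_map[0x0010][3:3 + ext_map[0x0010][2]].decode("ascii", "replace")
        alpn = first[0] + first[-1] if first else "00"
    ja4_a = (f"{transport}{ver}{'d' if 0x0000 in ext_map else 'i'}"
             f"{min(len(ciphers), 99):02d}{min(len(ext_types), 99):02d}{alpn}")
    ja4_b_raw = ",".join(f"{c:04x}" for c in sorted(ciphers))
    # JA4_c: sorted extensions minus SNI and ALPN, then signature algorithms in wire order.
    ja4_c_raw = ",".join(f"{t:04x}" for t in sorted(ext_types) if t not in (0x0000, 0x0010))
    sigalgs = [s for s in _u16_list(ext_map.get(0x000d, b"\0\0")[2:]) if s not in GREASE]
    if sigalgs:
        ja4_c_raw += "_" + ",".join(f"{s:04x}" for s in sigalgs)
    return ja4_a, ja4_b_raw, ja4_c_raw


def ja4(record, transport="t"):
    """Hashed JA4: ja4_a_<sha256(b)[:12]>_<sha256(c)[:12]>; an empty block hashes to 12 zeros."""
    h = lambda s: hashlib.sha256(s.encode()).hexdigest()[:12] if s else "000000000000"
    a, b, c = ja4_parts(record, transport)
    return f"{a}_{h(b)}_{h(c)}"


def build_client_hello(ciphers, exts):
    """Constructed ClientHello record: TLS 1.2 legacy version, empty session id, null compression."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs


# Constructed sample: one GREASE cipher and one GREASE extension, SNI, ALPN "h2",
# signature algorithms 0403/0804, and supported_versions offering TLS 1.3 then 1.2.
SAMPLE = build_client_hello(
    [0x1a1a, 0x1301, 0x1302, 0xc02b],
    [(0x0000, b"\x00\x0c\x00\x00\x09localhost"), (0x0010, b"\x00\x03\x02h2"),
     (0x000d, b"\x00\x04\x04\x03\x08\x04"), (0x002b, b"\x04\x03\x04\x03\x03"), (0x2a2a, b"")],
)
```

ja4_parts(SAMPLE) returns ('t13d0304h2', '1301,1302,c02b', '000d,002b_0403,0804'); ja4(SAMPLE) then hashes the last two blocks to 12 hex characters each, which is why the page's hunts can compare the middle and last blocks independently.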
Supported Protocols
At launch, Enhanced Network Visibility will support parsing of plaintext HTTP requests and responses and TLS client hello packets.
Additionally, the feature will identify the use of HTTP, TLS, SOCKS4/5, Wireguard, SSH, SMB, VNC, ARD, and DNS on any network port, emitting an AppProtocolDetected event when a process makes use of one of these protocols. Proxy visibility is also supported.
Protocol        | AppProtocol Value | Capability         | Description
HTTP 1.x        | 110               | Identify & Inspect | Plaintext HTTP requests and responses
TLS             | 102               | Identify & Inspect | TLS client hello (client session establishment)
SOCKS4, SOCKS5  | 104               | Identify & Inspect | Traffic encapsulated within a SOCKS4 or SOCKS5 proxy is supported transparently
Wireguard       | 105               | Identify           | Wireguard VPN
SSH             | 108               | Identify           | Secure shell
SMB             | 112               | Identify           | File sharing
VNC, ARD        | 107               | Identify           | Apple Remote Desktop (ARD) or VNC screen sharing
QUIC            | 103               | Identify           | IETF QUIC (and HTTP/3) traffic. Encrypted, but the embedded TLS client hello can be processed.
DNS             | 100               | Identify & Inspect | Domain Name System
New CrowdStrike Falcon Next-Gen SIEM Events
#event_simpleName=HttpRequest
This event contains the request type, URL, headers, and body of a plaintext HTTP request. New interesting key/value pairs for this event are outlined below:
#event_simpleName=HttpResponse
This event contains the response code and headers of a plaintext HTTP response. New interesting key/value pairs for this event are outlined below:
#event_simpleName=TlsClientHello
This event contains information derived from the client side of a TLS client connection establishment, including the server name indication value (SNI), next protocol (ALPN), and the JA3 and JA4 client fingerprints. New interesting key/value pairs for this event are outlined below:
#event_simpleName=AppProtocolDetected
This event contains the network protocol in use that has been identified. It supplements host/port information provided by existing network-based telemetry, including NetworkConnect, NetworkAccept, etc. New interesting key/value pairs for this event are outlined below:
How to Enable macOS Enhanced Network Visibility
To enable this feature, navigate to the Mac Prevention Policies and configure an existing policy, or create a new policy, with the “Enhanced Network Visibility” toggle enabled ([US-1] [US-2] [EU]).
Figure 1. Enhanced Network Visibility toggle
Threat Hunting Examples
Threat hunting is by nature designed to surface activity that is interesting or suspicious, and with further refinement can lead to the creation of detections to alert on the activity if observed again. CrowdStrike Falcon® Next-Gen SIEM provides this capability via an easy single-click button that guides the user through the conversion of the Falcon Next-Gen SIEM search query into a Falcon Next-Gen SIEM detection rule.
Figure 2. Create rule single-click functionality
The following Falcon Next-Gen SIEM Advanced Event Search queries are provided to empower customers to hunt for abnormal activity and create detections relevant to their threat models.
Please note, in the following searches, the generated “GraphExplorer” URL is for US-1 customers. For US-2 and EU-based customers, please modify the URL to be “https://falcon.us-2.crowdstrike.com” and “https://falcon.eu-1.crowdstrike.com” as required.
Hunting for ClickFix and Abnormal LOLBIN Activity
Let's take a look at a recently reported ClickFix sample. What we see here is a common methodology to lure victims into downloading malicious payloads.
Figure 3. ClickFix social engineering example
First, the user is socially engineered into copying and executing a malicious shell script into the terminal. This shell script reaches out to a URL and pipes the contents straight into another shell. The second shell script, once passed through some decoding routines, executes malicious instructions telling Curl to reach out to another URL (which contains malicious AppleScript) and pass the contents straight into Osascript for further execution. If allowed to continue this far, the AppleScript undertakes relatively standard host reconnaissance, resulting in downloading and executing an infostealer MachO binary.
Common HTTP URL Structure
First, we can hunt for the common URL and HttpPath structure that is observed in the various HTTP requests during the delivery of the shell scripts and AppleScript payloads.
#event_simpleName="HttpRequest" event_platform=Mac HttpPath=/(?:build|dynamic\?)txd\=/i
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
| table([@timestamp, aid, GraphExplorer, HttpPath, HttpHost, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000)
We can also hunt for the UserAgent string “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36” observed by Curl in this attack chain.
#event_simpleName="HttpRequest" event_platform=Mac ImageFileName=/curl/ HttpUserAgent=/AppleWebKit\/537\.36/
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
| table([@timestamp, aid, GraphExplorer, HttpUserAgent, HttpPath, HttpHost, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000)
LOLBIN Activity Chain
A commonly observed pattern of activity with the “ClickFix” style of social engineering and InfoStealer delivery is the pattern of using living off the land binaries (LOLBINs) to undertake the downloading of binaries (via curl), removing the quarantine attribute (via xattr) and setting the binary as executable (via chmod). We can hunt for this sequence within Falcon Next-Gen SIEM using a combination of the newly provided network telemetry, as well as existing process-related data, using the former to enrich the latter.
Using the Falcon LogScale function “correlate” allows us to define a set of requirements (similar to subsearches), which we can use to identify the usage of the common LOLBINs and suspicious network traffic within a set time frame across a single endpoint — providing us with a curated data set of possible attacker activity that may indicate malicious payloads arriving in our environments.
event_platform=Mac
| correlate(
Macho_Written: {
#event_simpleName="MachOFileWritten"
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
} include: [ContextBaseFileName, TargetFileName, ContextProcessId, GraphExplorer],
Curl_HttpRequest: {
#event_simpleName=HttpRequest FileName=curl
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
} include: [ImageFileName, CommandLine, HttpHost, HttpPath, ContextProcessId, GraphExplorer],
Remove_Quarantine: {
#event_simpleName=ProcessRollup2 FileName=xattr
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
} include: [FileName, CommandLine, TargetProcessId, GraphExplorer],
Add_chmod: {
#event_simpleName=ProcessRollup2 FileName=chmod
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
} include: [FileName, CommandLine, TargetProcessId, GraphExplorer],
globalConstraints=[aid], sequence=false, within=1m
)
Hunting for Adload
A common methodology employed by Adload adware/malware is the usage of Go UserAgents in its HTTP traffic. We can hunt for this behavior in conjunction with other attributes such as unsigned or adhoc signed binaries, and process execution from commonly abused file paths such as /tmp/.
For this search, we can use a simple join function to correlate the HttpRequest data with the process data (i.e., ProcessRollup2 event).
event_platform=Mac #event_simpleName=ProcessRollup2 TeamId="-" ImageFileName=/\/tmp\//
| join({event_platform=Mac #event_simpleName=HttpRequest HttpUserAgent="Go-http-client/1.1"}, field=TargetProcessId, key=ContextProcessId, include=[HttpRequestHeader, HttpMethod, HttpHost, HttpPath, HttpBodyAsString], limit=20000)
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, ImageFileName, CommandLine, HttpHost, HttpPath])
Hunting Use of Clawdbot/OpenClaw via Network Traffic
Let's look at a more topical concern impacting customer environments, the usage (authorized or not) of AI assistant tools such as Clawdbot/OpenClaw, and how we can identify use within our environments via network traffic.
HTTP Traffic to Controller Interface
Default usage of Clawdbot/OpenClaw will configure the controller to run on port 18789, with access normally provided via the browser and HttpRequests to the service running locally, hosted within a container or configured on a remote host.
event_platform=Mac #event_simpleName=HttpRequest RemotePort=18789 HttpPath=/(?:openclaw|moltbot|clawdbot)/
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
| table([@timestamp, aid, GraphExplorer, HttpPath, HttpHost, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000)
Hunting Common C2 Frameworks
Mythic is a widely popular and versatile red teaming framework built for macOS operations. Common Mythic Agents including Apfell, Poseidon, Merlin, and others can be built to natively execute on macOS devices, but when deployed in their default and commonly observed configurations, they are highly targetable using network telemetry and process behaviors.
Default Usage of HTTP C2 Profile
Most Mythic Agents can be configured to utilize the HTTP C2 profile, which makes it a popular and easy choice for red teamers and penetration testers. When configured to not use TLS connections (which requires certificates to be generated) and with standard/default HTTP parameters including UserAgent, URI paths, etc., the HTTP C2 profile usage can be easily hunted against.
#event_simpleName="HttpRequest" event_platform=Mac
| base64Decode("HttpBodyAsString", as="DecodedBody")
| regex(field=DecodedBody, "(?<guid>.+?){(?<json_payload>.+?)}")
| regex(field=json_payload, regex="action\":\"(?<action>.+?)\"")
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
| groupBy([aid, ContextProcessId, FileName, GraphExplorer], function=collect([action, json_payload],separator=","))
Default JA4 Fingerprints for Mythic and Sliver
Certain Mythic Agents, again configured with default options, generate unique and “huntable” JA4 fingerprints. This is also seen with default-generated Sliver C2 framework agents. A public collection of JA4 fingerprints mapped against process names is available at https://ja4db.com/. This data provides a wealth of information to begin hunting processes and build out additional hunting hypotheses.
#event_simpleName=TlsClientHello event_platform=Mac
| TlsClientFingerprintJa4=t13d190900_9dc949149365_97f8aa674fd9 OR TlsClientFingerprintJa4=t13d0511h1_1adb828df2d1_e7c285222651
Hunting for Abnormal SNI Values
The Server Name Indication (SNI) value serves a valuable purpose during the TLS handshake, and it can also be leveraged to identify abnormal activity occurring on hosts, including data exfiltration.
Let's look for a TlsClientHello event containing a TlsServerName (i.e., SNI) value that doesn’t look like a standard domain name/URL. We can then map that back to process data.
defineTable(
query={event_platform=Mac #event_simpleName=TlsClientHello TlsServerName!=/\./ TlsServerName=*
| groupBy([aid, ImageFileName, ContextProcessId, TlsServerName, TlsClientFingerprintJa4])}, name="abnormal_SNI", start=7d, include=*)
| event_platform=Mac #event_simpleName="ProcessRollup2"
| match(file="abnormal_SNI", field="TargetProcessId", column="ContextProcessId")
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| table([@timestamp, aid, GraphExplorer, TlsServerName, TlsClientFingerprintJa4, TeamId, SigningId, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000)
Hunting for Application Tunnelling
Application tunnelling is an advanced technique utilized by threat actors and red teamers alike. The technique allows encapsulating network traffic inside other legitimate and allowed protocols, blending in with other applications on the endpoint, bypassing network layer defenses, and providing an ingress point into environments. We can hunt for this in a number of different ways.
Multiple Unique JA4 Fingerprints
The following threat hunt focuses on identifying a single process generating multiple and distinct JA4 fingerprints. While not unusual for a process to be observed with multiple fingerprints (e.g., when negotiating a TLS connection to a server, the request can be upgraded or downgraded based on available TLS versions/ciphers, which in turn generate multiple JA4 fingerprints), the hunt is focused on the distinctness of the middle and last blocks found in the JA4 fingerprint when compared to each other.
When reviewed in the context of what those blocks represent, it indicates the likelihood that another application's network traffic is potentially being tunneled through this process.
defineTable(
query={ #event_simpleName=TlsClientHello event_platform=Mac
| splitString(by="_", as=JA4Blocks, field=TlsClientFingerprintJa4)
| groupBy([aid, ContextProcessId, ImageFileName], function=[count(field=JA4Blocks[1], as=countBlock1, distinct=true), count(field=JA4Blocks[2], as=countBlock2, distinct=true), collect(TlsClientFingerprintJa4), collect(JA4Blocks[0]), collect(JA4Blocks[1]), collect(JA4Blocks[2])])
| countBlock1 > 1
| countBlock2 > 1
| groupBy([aid, ContextProcessId, ImageFileName, CommandLine, TlsClientFingerprintJa4, JA4Blocks[0], JA4Blocks[1], JA4Blocks[2]])
}, name="multiple_ja4hashes", start=7d, include=*)
| event_platform=Mac #event_simpleName="ProcessRollup2" TeamId="-"
| NOT in(field="ImageFileName", values=["/System/*", "/usr/*"])
| match(file="multiple_ja4hashes", field="TargetProcessId", column="ContextProcessId")
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| table([@timestamp, aid, GraphExplorer, TlsClientFingerprintJa4, TeamId, SigningId, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000)
ImageFileName has been filtered to exclude the /System/ and /usr/ directories, but this will likely need to be expanded once a general search has identified “known good processes or execution paths” for processes and applications such as proxies and VPNs.
Playing around with what JA4 blocks are distinct will produce different results and further hunting opportunities.
Multiple AppProtocol Events on a Single Process
This next hunt looks for similar activity but takes a different approach via usage of AppProtocolDetected events. We are hunting for a single process observed generating network traffic matching different supported protocols. This could be a single process generating SSH and HTTP traffic, which in most cases is abnormal outside the scope of expected application families such as VPNs and proxies. This abnormality could be an indication that the process is tunneling network traffic and acting as an ingress point into your environment.
defineTable(
query={ #event_simpleName=AppProtocolDetected event_platform=Mac
| case{
"AppProtocol"="0" | AppProtocolReadable:="UNSUPPORTED";
"AppProtocol"="100" | AppProtocolReadable:="DNS";
"AppProtocol"="102" | AppProtocolReadable:="TLS";
"AppProtocol"="103" | AppProtocolReadable:="QUIC";
"AppProtocol"="104" | AppProtocolReadable:="SOCKS4/5";
"AppProtocol"="105" | AppProtocolReadable:="WIREGUARD";
"AppProtocol"="107" | AppProtocolReadable:="VNC/ARD";
"AppProtocol"="108" | AppProtocolReadable:="SSH";
"AppProtocol"="110" | AppProtocolReadable:="HTTP";
"AppProtocol"="112" | AppProtocolReadable:="SMB";
}
| groupBy([aid, ImageFileName, ContextProcessId], function=[count(field=AppProtocolReadable, as=countAppProtocolReadable, distinct=true), collect(AppProtocolReadable)])
| countAppProtocolReadable > 1
}, name="multiple_appprotocols", start=7d, include=*)
| event_platform=Mac #event_simpleName="ProcessRollup2" TeamId="-"
| NOT in(field="ImageFileName", values=["/System/*", "/usr/*"])
| match(file="multiple_appprotocols", field="TargetProcessId", column="ContextProcessId")
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| table([@timestamp, aid, GraphExplorer, AppProtocolReadable, TeamId, SigningId, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000)
As in the previous hunt, ImageFileName has been filtered to exclude the /System/ and /usr/ directories, but this will likely need to be expanded once a general search has identified “known good processes or execution paths” for processes and applications such as proxies and VPNs. Modifying the “countAppProtocolReadable” value to higher thresholds reduces the scope but requires more variety of network traffic to be identified before matching.
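The two tunnelling hunts above (distinct JA4 blocks per process, and distinct application protocols per process), re-implemented as an added Python example that is not CrowdStrike code, over constructed TlsClientHello, AppProtocolDetected and ProcessRollup2 events so the block-comparison, threshold and path/TeamId filtering can be checked offline. The fingerprints, paths, process ids and TeamId values are invented.

```python
from collections import defaultdict

# Added example: the two application-tunnelling hunts re-implemented in Python
# over constructed events, so the logic can be tested offline. This is not
# CrowdStrike code, and the events, fingerprints and paths are invented.

APP_PROTOCOL = {"0": "UNSUPPORTED", "100": "DNS", "102": "TLS", "103": "QUIC", "104": "SOCKS4/5",
                "105": "WIREGUARD", "107": "VNC/ARD", "108": "SSH", "110": "HTTP", "112": "SMB"}
EXCLUDED_PREFIXES = ("/System/", "/usr/")    # baseline "known good" paths, as in the queries


def process_key(ev):
    return (ev["aid"], ev["ContextProcessId"], ev["ImageFileName"])


def multiple_ja4(events, min_distinct=2):
    """Processes whose JA4 fingerprints vary in BOTH the cipher hash (block 1) and the
    extension hash (block 2); varying in only one block is attributed to version negotiation."""
    per_proc = defaultdict(lambda: (set(), set(), set()))     # fingerprints, block1s, block2s
    for ev in events:
        if ev.get("#event_simpleName") != "TlsClientHello":
            continue
        fp = ev["TlsClientFingerprintJa4"]
        parts = fp.split("_")
        if len(parts) != 3:
            continue
        fps, b1, b2 = per_proc[process_key(ev)]
        fps.add(fp)
        b1.add(parts[1])
        b2.add(parts[2])
    return {k: sorted(fps) for k, (fps, b1, b2) in per_proc.items()
            if len(b1) >= min_distinct and len(b2) >= min_distinct}


def multiple_app_protocols(events, min_distinct=2):
    """Processes seen speaking more than one identified application protocol."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("#event_simpleName") == "AppProtocolDetected":
            seen[process_key(ev)].add(APP_PROTOCOL.get(str(ev["AppProtocol"]), "UNKNOWN"))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct}


def enrich(hits, process_rollups):
    """Join hits to ProcessRollup2 on (aid, pid), keep unsigned binaries (TeamId "-")
    outside the excluded paths, and return rows like the queries' table() output."""
    rollups = {(p["aid"], p["TargetProcessId"]): p for p in process_rollups}
    rows = []
    for (aid, pid, image), detail in sorted(hits.items()):
        p = rollups.get((aid, pid))
        if p and p["TeamId"] == "-" and not image.startswith(EXCLUDED_PREFIXES):
            rows.append({"aid": aid, "pid": pid, "ImageFileName": image,
                         "CommandLine": p["CommandLine"], "detail": detail})
    return rows


def tls(aid, pid, image, ja4):
    return {"#event_simpleName": "TlsClientHello", "aid": aid, "ContextProcessId": pid,
            "ImageFileName": image, "TlsClientFingerprintJa4": ja4}


def app(aid, pid, image, proto):
    return {"#event_simpleName": "AppProtocolDetected", "aid": aid, "ContextProcessId": pid,
            "ImageFileName": image, "AppProtocol": proto}


# Constructed telemetry: "/tmp/relay" carries two different clients' TLS plus SSH and HTTP;
# the browser only renegotiates (block 1 constant); the /usr/local process is path-excluded.
EVENTS = [
    tls("aid1", "4001", "/tmp/relay", "t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb"),
    tls("aid1", "4001", "/tmp/relay", "t12d0204h1_cccccccccccc_dddddddddddd"),
    tls("aid1", "4002", "/Applications/Browser.app/Contents/MacOS/Browser", "t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb"),
    tls("aid1", "4002", "/Applications/Browser.app/Contents/MacOS/Browser", "t12d1516h2_aaaaaaaaaaaa_eeeeeeeeeeee"),
    app("aid1", "4001", "/tmp/relay", "108"), app("aid1", "4001", "/tmp/relay", "110"),
    app("aid1", "4003", "/usr/local/bin/proxytool", "110"), app("aid1", "4003", "/usr/local/bin/proxytool", "102"),
]
ROLLUPS = [
    {"aid": "aid1", "TargetProcessId": "4001", "TeamId": "-", "CommandLine": "/tmp/relay -c relay.conf"},
    {"aid": "aid1", "TargetProcessId": "4002", "TeamId": "BROWSERTEAMID", "CommandLine": "Browser"},
    {"aid": "aid1", "TargetProcessId": "4003", "TeamId": "-", "CommandLine": "proxytool --listen 1080"},
]


def run(events=EVENTS, rollups=ROLLUPS):
    return enrich(multiple_ja4(events), rollups), enrich(multiple_app_protocols(events), rollups)
```

Raising min_distinct on either function mirrors raising the countBlock or countAppProtocolReadable thresholds in the queries: fewer hits, but more traffic variety required before a process matches.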
Conclusion
The Falcon sensor for macOS has been enhanced to provide improved detection and visibility of network traffic. We encourage security teams to ensure these features are enabled and are being used to hunt for and detect abnormal activity across their environments.
Additional Resources
Read this blog to learn about our latest enhancements to the Falcon sensor on Linux platforms.
For more information regarding infostealer impacting macOS, read this blog.
Read the CrowdStrike 2026 Global Threat Report here.