macOS Detection Engineering

Build defensible macOS detections from telemetry to validation.

This course teaches macOS detection engineering from the ground up: where endpoint evidence comes from, how Endpoint Security sensors model process and file behavior, how Unified Logging and forensic artifacts strengthen investigations, and how to turn raw telemetry into rules that survive real operational noise.

Students build a practical workflow for writing Sigma rules, testing them against controlled local activity, tuning false positives, documenting visibility gaps, and packaging detections with evidence that a security team can review, maintain, and improve over time.

00

Detection Engineering Foundations

Build the defender mental model for macOS telemetry, evidence quality, rule naming, and local validation.

8 modules
0.1The macOS Threat Model for Detection Engineers
Locked
0.2macOS Security Architecture for Defenders
Locked
0.3Endpoint Security as a Detection Source
Locked
0.4Unified Logging for Detection and Hunting
Locked
0.5File System, Process, Network, and Identity Telemetry
Locked
0.6Evidence Quality: Signal, Noise, Confidence, and Limits
Locked
0.7Building a Local macOS Detection Reference
Locked
0.8Detection Naming, Metadata, Severity, and ATT&CK Mapping
Locked
01

Endpoint Security Sensor Engineering

Move from telemetry concepts into sensor implementation, event modeling, drop accounting, validation, and failure handling.

10 modules
1.1ES Client Architecture for Detection Engineers
Locked
1.2Subscribing to Process, File, and Auth Events
Locked
1.3Event Ordering, seq_num, and Drop Accounting
Locked
1.4Process Identity, Audit Tokens, Signing Info, and Paths
Locked
1.5File Event Modeling and Path Normalization
Locked
1.6Performance, Backpressure, and Sensor Reliability
Locked
1.7Building a Minimal macOS Detection Sensor
Locked
1.8Testing Sensor Output Against Controlled Tradecraft
Locked
1.9Sensor Failure Modes and Blind Spots
Locked
1.10Turning Sensor Events into Detection Logic
Locked
02

Persistence Detection

Detect launchd, login items, plugins, profiles, schedulers, shell startup paths, and persistence rule tuning.

12 modules
2.1LaunchAgent and LaunchDaemon Detection
Locked
2.2Launchd ProgramArguments and Environment Anomalies
Locked
2.3WatchPaths, QueueDirectories, StartInterval, and KeepAlive Triggers
Locked
2.4Login Items Across macOS Generations
Locked
2.5BackgroundItems and ServiceManagement Artifacts
Locked
2.6Dock, Finder, and Workspace Persistence
Locked
2.7Application, Extension, and Plugin Persistence
Locked
2.8Browser Extension Persistence
Locked
2.9Configuration Profiles and MDM Persistence
Locked
2.10Crontab, Periodic, At Jobs, and Legacy Persistence
Locked
2.11Shell Profile and Developer Toolchain Persistence
Locked
2.12Persistence Detection Rules, Tuning, and Validation
Locked
03

Detection as Code

Turn macOS telemetry knowledge into versioned Sigma rules, test fixtures, regression checks, and release workflow.

10 modules
3.1Detection Rule Structure and Metadata
Locked
3.2Sigma for macOS: Strengths and Limits
Locked
3.3Translating macOS Telemetry into Sigma Fields
Locked
3.4Writing Process Behavior Rules
Locked
3.5Writing Persistence Rules
Locked
3.6Writing Credential and TCC Rules
Locked
3.7Writing Network and C2 Rules
Locked
3.8Unit Testing Detection Rules
Locked
3.9Regression Testing Against Tradecraft Fixtures
Locked
3.10Detection CI/CD and Rule Release Workflow
Locked
04

Execution and Process Behavior Detection

Detect suspicious process creation, interpreter chains, temporary execution, app bundle anomalies, and ancestry patterns.

10 modules
4.1Process Creation Telemetry and Parent Child Modeling
Locked
4.2Shell Chains and Interpreter Abuse
Locked
4.3osascript and AppleScript Execution Detection
Locked
4.4Python, Ruby, Perl, Node, and Developer Runtime Abuse
Locked
4.5Living off the Land Binary Detection on macOS
Locked
4.6Suspicious Execution from Temporary Paths
Locked
4.7App Bundle Execution Anomalies
Locked
4.8Quarantine, Gatekeeper, and First Run Signals
Locked
4.9Unsigned, Ad Hoc Signed, and Notarization Weak Signals
Locked
4.10Process Ancestry Hunting and False Positive Control
Locked
05

Code Loading and Supply Chain Detection

Detect Mach-O loading behavior, dylib abuse, build plugins, package scripts, and dependency execution signals.

10 modules
5.1Mach-O Structure for Detection Engineers
Locked
5.2Dynamic Library Loading Detection
Locked
5.3Dylib Hijacking and Search Path Abuse
Locked
5.4DYLD Environment Variable Abuse
Locked
5.5Plugin and Extension Loading Patterns
Locked
5.6Xcode Build Phase Abuse Detection
Locked
5.7Developer Workflow and Build Plugin Compromise
Locked
5.8Package Installer Scripts and Postinstall Detection
Locked
5.9Homebrew, NPM, PyPI, and Dependency Execution Signals
Locked
5.10Code Loading Detection Rules and Validation
Locked
06

Credential, Identity, and Trust Boundary Detection

Detect credential access, TCC manipulation, authorization abuse, sandbox boundary issues, and privilege escalation indicators.

10 modules
6.1Keychain Access Detection
Locked
6.2Security CLI and Credential Extraction Patterns
Locked
6.3Browser Credential Store Access
Locked
6.4SSH Key and Developer Secret Discovery
Locked
6.5TCC Database Manipulation Detection
Locked
6.6Full Disk Access Abuse Detection
Locked
6.7Sudo, Authorization, and Cached Credential Abuse
Locked
6.8Entitlement and Sandbox Boundary Violations
Locked
6.9Privilege Escalation Detection Patterns
Locked
6.10Identity and Credential Detection Tuning
Locked
07

Discovery, Collection, and Staging Detection

Detect host profiling, sensitive file discovery, collection workflows, staging paths, and metadata changes.

10 modules
7.1Host Discovery and System Profiling
Locked
7.2User, Group, and Directory Enumeration
Locked
7.3Security Tool and EDR Discovery
Locked
7.4File Discovery and Sensitive Path Enumeration
Locked
7.5Screenshot, Clipboard, Camera, and Microphone Access Signals
Locked
7.6Archive and Compression Behavior
Locked
7.7Staging in Temporary, Hidden, and User Writable Paths
Locked
7.8Metadata, Extended Attributes, and Quarantine Changes
Locked
7.9Collection Workflow Detection
Locked
7.10Discovery and Staging Hunt Playbooks
Locked
08

Network, C2, and Lateral Movement Detection

Detect macOS network behavior, callbacks, localhost relays, remote admin abuse, discovery, and lateral movement indicators.

10 modules
8.1macOS Network Telemetry Sources
Locked
8.2DNS, TLS, and HTTP Behavioral Detection
Locked
8.3Curl, Python, Node, and Native Network Client Abuse
Locked
8.4Launchd Backed Callback Detection
Locked
8.5Localhost Relay and Port Forwarding Patterns
Locked
8.6SSH, SCP, Rsync, and Remote Admin Abuse
Locked
8.7AirDrop, SMB, AFP, and Bonjour Discovery Signals
Locked
8.8Reverse Shell and Interactive Session Detection
Locked
8.9Network Discovery and Lateral Movement Hunting
Locked
8.10Network Detection Rules and Validation
Locked
09

Advanced Evasion Visibility Detection

Measure visibility around Endpoint Security pressure, exception signaling, accelerator boundaries, XPC trust issues, and advanced evasion claims.

10 modules
9.1Detecting Endpoint Security Pressure and Event Loss
Locked
9.2Detecting Exception Based Signaling Patterns
Locked
9.3Detecting GPU Backed Memory Tradecraft
Locked
9.4Detecting Accelerator Boundary Abuse
Locked
9.5Detecting XPC Trust Boundary Violations
Locked
9.6Detecting Sandbox Escape Indicators
Locked
9.7Detecting Memory Scanner Blind Spots
Locked
9.8Detecting Non-CPU Staging Patterns
Locked
9.9Evidence Boundaries for Advanced Evasion Claims
Locked
9.10Advanced Visibility Failure Hunt Playbooks
Locked
10

Forensics and Artifact Based Detection

Map macOS forensic artifacts, preserve logs, build timelines, and package evidence for detection programs.

10 modules
10.1macOS Forensic Artifact Map
Locked
10.2Unified Log Collection and Preservation
Locked
10.3FSEvents, Spotlight, and File Metadata
Locked
10.4Launch Services, Recent Items, and Quarantine Artifacts
Locked
10.5TCC, Transparency, Consent, and Privacy Artifacts
Locked
10.6Browser, Mail, and User Activity Artifacts
Locked
10.7Crash Logs, Diagnostic Reports, and Exception Artifacts
Locked
10.8Timeline Building for Detection Engineers
Locked
10.9Artifact Based Detection Rules
Locked
10.10Evidence Package Generation
Locked
11

Threat Hunting and Validation

Build baselines, write hypothesis-driven hunts, validate detections against controlled tradecraft, and create handoff reports.

10 modules
11.1macOS Threat Hunting Methodology
Locked
11.2Building Baselines from Clean Systems
Locked
11.3Hypothesis Driven Hunts
Locked
11.4Hunt Queries for Persistence
Locked
11.5Hunt Queries for Execution and Loading
Locked
11.6Hunt Queries for Credential and Identity Abuse
Locked
11.7Hunt Queries for Network and C2 Behavior
Locked
11.8Running Controlled PoCs Against Detections
Locked
11.9Measuring Precision, Recall, and Operational Cost
Locked
11.10Writing Detection Reports and Engineering Handoffs
Locked
12

Capstone Detection Program

Assemble the reference environment, telemetry collector, rule packs, tuning notes, evidence package, and final report.

8 modules
12.1Build the Detection Reference Environment
Locked
12.2Deploy the Telemetry Collector
Locked
12.3Execute the Controlled macOS Tradecraft Chain
Locked
12.4Build Process, Persistence, Credential, and Network Detections
Locked
12.5Build Advanced Evasion Visibility Detections
Locked
12.6Tune False Positives and Document Blind Spots
Locked
12.7Package Sigma Rules, Queries, Evidence, and Test Fixtures
Locked
12.8Final Detection Engineering Report
Locked