PRACTITIONER GUIDE
Practitioner Guide13 min read

macOS Endpoint Security and EDR: Threat Detection, Coverage Gaps, and macOS-Specific Attack Techniques

Full Disk Access
macOS privacy permission required by EDR agents to monitor file events in ~/Library/LaunchAgents and other protected directories; missing it creates detection blind spots.
~/Library/LaunchAgents
primary persistence path for macOS malware families; file creation events in this directory are the single highest-priority detection signal for macOS endpoint security.
DYLD_INSERT_LIBRARIES
environment variable used for dylib injection into processes without the hardened runtime, enabling malicious code to execute under a trusted process name.
3 families
active macOS info-stealer families tracked in 2025: Atomic macOS Stealer, Poseidon, and Cthulhu Stealer, all using LaunchAgent persistence and social engineering for initial access.

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

macOS security is commonly treated as a subset of endpoint security with a lighter touch: apply CIS hardening, deploy an EDR agent, done. The gap in this thinking is that macOS has its own attack technique taxonomy, its own persistence mechanisms, and its own EDR deployment requirements that differ meaningfully from Windows. An EDR deployment that passes a Windows audit can have significant macOS coverage gaps if the System Extension profile was not deployed before the agent, or if Full Disk Access was not granted via MDM.

MacOS malware has increased in sophistication alongside the growth of macOS in enterprise environments. Atomic macOS Stealer, Poseidon, and similar families use macOS-native techniques that require macOS-specific detection content. Validating EDR coverage on a Mac fleet requires checking permissions, not just agent installation.

Deployment requirements: what makes a macOS EDR effective

macOS-specific MDM profile requirements determine whether an EDR agent has the access it needs to detect threats, and deployment order matters. Unlike Windows, where an EDR agent installs with kernel-level access by default, macOS requires explicit user or MDM approval for both the system extension and the privacy permission that grants access to protected file locations. If the Privacy Preferences Policy Control profile granting Full Disk Access is not staged before the EDR agent package installs, the agent runs in a reduced-capability mode that cannot monitor LaunchAgent directories. Deployment verification must check MDM profile compliance alongside agent installation status because a fully installed agent without the correct permissions reports healthy while operating with significant detection blind spots.

Deploy System Extension and PPPC profiles before the EDR agent package

macOS requires explicit MDM-delivered profile approval for both the system extension (which gives the EDR kernel-level visibility into process events) and Full Disk Access (which allows the EDR to monitor files in protected directories). If the PPPC profile granting Full Disk Access is not deployed before the EDR agent installs, the agent installs in a reduced-capability mode without the permissions needed to monitor LaunchAgent directories, scan protected files, or access certain log sources. In Jamf Pro, create the System Extensions profile and the PPPC profile as scope prerequisites that must deploy successfully before the EDR package policy runs. Verify compliance by checking MDM profile deployment status, not just agent install status.

Validate EDR coverage by correlating EDR inventory against MDM inventory

EDR agent install does not equal EDR coverage: an agent without Full Disk Access has detection blind spots, and an agent with reduced functionality mode generates fewer telemetry events. For each macOS device in your Jamf inventory, verify three things: the EDR agent is installed (device appears in EDR console), the System Extension is approved (check Jamf profile compliance), and Full Disk Access is granted (check PPPC profile compliance). Devices present in Jamf but absent from the EDR console indicate a deployment failure. Devices present in both but with profile compliance failures indicate a permission gap. Create a weekly reconciliation report comparing the three data sources.

Detection: macOS-specific threat techniques and what to monitor

macOS threat detection requires dedicated content for macOS persistence mechanisms, code injection techniques, and living-off-the-land binaries that Windows detection rules do not cover. LaunchAgent and LaunchDaemon directories are the first monitoring targets because nearly every macOS malware family uses one or both for persistence. Beyond persistence, macOS attackers rely on osascript and JXA for privilege escalation dialogs and keychain access, and on DYLD_INSERT_LIBRARIES for code injection into trusted processes. Building effective detection requires EDR rules tuned to macOS-specific paths, binaries, and environment variables rather than adapting Windows detection logic to a different OS.

Build detection rules for LaunchAgent and LaunchDaemon creation as a baseline

LaunchAgent and LaunchDaemon persistence is used by nearly every macOS malware family and is the highest-priority macOS detection to build. Configure EDR rules that alert on any file creation or modification event in ~/Library/LaunchAgents, /Library/LaunchAgents, and /Library/LaunchDaemons where the creating process is not an expected management tool (Jamf, MDM agent, or known software installer). Suppress alerts for known-good software installers (creating an allowlist by bundle ID or signing certificate) to reduce false positive volume. For each alert, automatically query the plist file content to extract the ProgramArguments key and flag paths that reference non-application directories.

Monitor osascript and JXA execution for credential and keychain access attempts

AppleScript and JavaScript for Automation (JXA) executed via the osascript binary are used by macOS malware for privilege escalation dialogs (fake password prompts that capture the user's macOS password), keychain access, and inter-process communication with other running applications. Alert on osascript processes spawned by unusual parent processes (browsers, downloaded applications, or non-administrative tools), particularly when the command line contains do shell script or references to Keychain Access or System Events. Real-time phishing attacks that display fake password dialogs rely on osascript for the dialog rendering, so high-confidence detection requires correlating the osascript execution with a preceding download or process launch.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The bottom line

macOS endpoint security requires treating macOS as a distinct platform with its own deployment requirements and threat detection content, not as a lighter version of Windows endpoint security. The EDR deployment requirements are different: System Extension approval and Full Disk Access via MDM profiles must precede agent installation, and coverage validation requires correlating MDM profile compliance against EDR device inventory. The detection content is different: LaunchAgent and LaunchDaemon persistence, osascript abuse, DYLD injection, and Gatekeeper bypass techniques require macOS-specific alert logic that Windows detection rules do not cover. Santa for application allowlisting provides a complementary control that blocks unknown executable execution at the binary authorization layer.

Frequently asked questions

What EDR platform should I deploy for macOS endpoints?

CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne each provide macOS EDR with kernel-level telemetry collection via the Apple Endpoint Security Framework. For organizations already running one of these platforms on Windows, deploying the same vendor on macOS provides unified alerting and investigation across the fleet in a single console. CrowdStrike and SentinelOne both have strong macOS-specific detection content. For organizations using Jamf as MDM, all three platforms have Jamf Pro deployment workflows. Key evaluation criteria for macOS EDR include whether the platform collects process execution telemetry, file system events in LaunchAgents directories, network connection events, and DYLD injection indicators.

Why does macOS EDR require Full Disk Access and how do I grant it via MDM?

macOS System Integrity Protection and the privacy framework restrict which processes can read files in protected locations including user home directories, ~/Library, and system directories. Without Full Disk Access (FDA), an EDR agent cannot monitor file creation events in ~/Library/LaunchAgents, cannot scan files in protected directories, and cannot access certain log sources. Grant Full Disk Access via MDM using a Privacy Preferences Policy Control (PPPC) profile in Jamf Pro or another MDM. The profile specifies the EDR application's bundle ID and team ID and grants com.apple.security.files.all entitlement. Granting FDA via MDM is silent and does not require user interaction, unlike the manual Security and Privacy settings panel approach.

What macOS attack techniques should my EDR detect?

macOS-specific attack techniques to validate EDR detection coverage for: LaunchAgent and LaunchDaemon persistence (file write to ~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons), login item persistence via SMLoginItemSetEnabled API, cron job persistence, DYLD_INSERT_LIBRARIES injection into running processes, AppleScript and JXA (JavaScript for Automation) execution for privilege escalation and lateral movement, osascript abuse for keychain access and screen capture, bash and zsh profile modification for shell persistence, use of built-in macOS tools like curl and python for download and execution of second-stage payloads, and malicious kernel extension loading (pre-macOS 12) or system extension abuse.

How do I validate EDR coverage across my Mac fleet?

EDR coverage validation for macOS requires confirming that every managed Mac has the EDR agent installed with correct permissions. In CrowdStrike, check the Falcon console device inventory filtered to macOS and look for devices with reduced functionality mode or missing sensor health indicators. Correlate the EDR inventory against your Jamf Pro device inventory by serial number to identify Macs enrolled in MDM that are not reporting to the EDR console. Also validate that Full Disk Access is granted on each device by checking the MDM profile deployment status for the PPPC profile in Jamf Pro. Devices with the EDR agent installed but without FDA granted have significant detection blind spots.

How does macOS malware bypass Gatekeeper and what does detection look like?

Gatekeeper checks whether a downloaded application is code-signed with an Apple Developer ID and notarized by Apple before allowing execution. Bypass techniques include distributing malware signed with a legitimate Developer ID certificate that has not yet been revoked, distributing as disk images (DMG) that users mount and drag to Applications (quarantine attribute is not applied to the copied binary), using scripts in zip archives where the script file does not receive the quarantine extended attribute, and social engineering the user to right-click and select Open to bypass the Gatekeeper dialog. Detection requires EDR telemetry on process execution, focusing on processes launched from ~/Downloads, /tmp, or mounted DMG paths, and processes missing the com.apple.quarantine extended attribute that should be present on downloaded files.

What is Santa and how does it complement macOS EDR?

Santa is an open-source application allowlisting tool for macOS developed by Google that runs as a system extension using the Endpoint Security Framework. Santa operates in two modes: Monitor mode logs all binary execution events without blocking, providing visibility into what is running across the fleet. Lockdown mode blocks execution of any binary not explicitly on an allowlist defined by certificate, code signing team ID, or binary hash. Santa complements EDR by providing a binary authorization layer that prevents unknown executables from running at all, while EDR provides behavioral detection for threats that use allowlisted binaries (living-off-the-land techniques). Santa syncs its rule database from a central server called Northpole or custom sync servers, enabling fleet-wide rule management.

How do I detect LaunchAgent persistence on macOS in my EDR?

LaunchAgent detection requires EDR telemetry that captures file creation and modification events in ~/Library/LaunchAgents, /Library/LaunchAgents, and /Library/LaunchDaemons. Build detection rules that alert when a new plist file is created in these directories by any process other than expected management tools like Jamf or your MDM client. Investigate alerts by examining the plist file content: the ProgramArguments key specifies what the LaunchAgent executes, and any path pointing to /tmp, ~/.hidden, ~/Library/Application Support/<random directory>, or other non-application paths indicates a persistence mechanism rather than a legitimate application. Correlate the file write event with the parent process that created it to identify the installer.

Sources & references

  1. CrowdStrike Falcon for macOS Deployment
  2. Microsoft Defender for Endpoint on macOS
  3. MITRE ATT&CK macOS Techniques
  4. Santa: Binary Authorization for macOS

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.