The target on macOS’ back is ever-increasing for sophisticated threat actors. From ransomware campaigns like LockBit targeting Apple systems, to targeted infostealer campaigns, e.g., Atomic/AMOS & Poseidon, or nation-state malware like XCSSET, the macOS threat landscape has evolved dramatically. Yet, the security community's detection capabilities haven't kept pace.
macOS has long been underrepresented in the threat detection ecosystem. While Windows benefits from robust native telemetry sources like Windows Event Logs or Sysmon, and Linux enjoys flexible auditing via auditd, macOS detection largely hinges on proprietary, enterprise Endpoint Detection & Response (EDR) platforms.
Sigma has emerged as the de facto standard for sharing detection rules across the security community. With over 3,000 detection rules covering Windows, Linux, cloud platforms, and cloud or local applications, Sigma enables security teams to implement vendor-agnostic threat detection.
However, when it comes to macOS, there's a significant gap.
Current Sigma macOS Coverage:
Total: Approximately 73 rules covering only two event types
While these cover fundamental security use cases, they represent only a fraction of the telemetry available on macOS systems. Modern macOS provides rich security event data through:
Author note: It’s worth mentioning that most enterprise EDR platforms “worth their salt” are collecting macOS ESF and UL telemetry via endpoint agents, forwarding and transforming according to their data model, and running proprietary (or open-source) detections & analytics against that data. However, this is typically a “black box” end-to-end operation leaving practitioners minimal insight into how this occurs.
Without proper pipeline support, security teams face several critical challenges:
We've developed macOS coreSigma, a macOS endpoint telemetry collection, detection, and analysis app built with the primary goal of extending Sigma's capabilities for macOS ESF and UL logs. As a proof of concept, we’ve built ESF and UL collectors & pipelines and are using a custom Elasticsearch backend to support these pipelines and better handle macOS events and rules utilizing new event types and fields. We then are able to view these events and rule matches in Kibana.
coreSigma includes:
Individual components of coreSigma (new ESF and UL pipelines) have been submitted as PRs to Sigma's official GitHub pySigma project. We are actively engaged with the Sigma team and community to submit these as official macOS additions to the Sigma ecosystem.
Author note: We landed on the name coreSigma, as a “clever” nod to Apple’s “Core Foundation” framework. SPAM4ME&U didn't seem like a very inviting handle – Sigma Pipeline and Mappings 4 macOS Endpoint (Security Framework) and Unified (Logging). Shoutout to Nebulock’s own, Sydney Maronne, for the suggestion.
Our solution consists of two main pipeline configurations, following the pySigma YAML pipeline format:
The ESF pipeline handles kernel-level security events with comprehensive field mappings:
name: macos-esf
priority: 100
transformations:
- type: field_name_mapping
mapping:
# Process fields - standard Sigma fields
Image: Image
CommandLine: CommandLine
ProcessId: ProcessId
ParentProcessId: ParentProcessId
# Kernel extension fields
kext.identifier: kext.identifier
kext.path: kext.path
kext.team_id: kext.team_id
# Signal fields
signal.number: signal.number
target.process.path: target.process.path
# XPC fields
xpc.service_name: xpc.service_name
# Event metadata
event_type: event_type
event_name: event_name
Log Source Categories:
The pipeline defines 10+ log source categories:
Event Type Coverage:
We collect (23) ESF event types, including:
The Unified Logging pipeline handles application and system log events with subsystem-based log sources:
The ESF collector (network collectors/esf_collector.py) bridges native ESF events to Sigma-compatible format:
def normalize_event(self, esf_event: Dict[str, Any]) -> Dict[str, Any]:
"""Normalize ESF event to Sigma-compatible field names"""
event_type = esf_event.get("event_type")
event_name = ESF_EVENT_TYPE_MAP.get(event_type, "unknown")
normalized = {
"@timestamp": esf_event.get("time"),
"event_type": event_type,
"event_name": event_name,
"ProcessId": audit_token.get("pid"),
"Image": executable.get("path", ""),
"CommandLine": " ".join(args),
}
# Handle kernel extension load
if event_type == 17:
kext_info = esf_event.get("event", {}).get("kextload", {}).get("kext", {})
normalized["kext.identifier"] = kext_info.get("identifier", "")
normalized["kext.path"] = kext_info.get("path", "")
normalized["kext.team_id"] = kext_info.get("team_id", "")
# Handle process signals
elif event_type == 27:
signal_data = esf_event.get("event", {}).get("signal", {})
normalized["signal.number"] = signal_data.get("sig", 0)
normalized["target.process.path"] = signal_data.get("target",
{}).get("process", {}).get("executable", {}).get("path", "")
return normalized
Key normalization steps:
Using our ESF and UL pipelines & collectors, and modified Elasticsearch Sigma backend, we were able to collect these new macOS endpoint events and ingest these into Elastic for viewing in Kibana.
Our repository includes (50) production-ready Sigma rules. Here are key examples:
This rule detects attempts to load unsigned kernel extensions, ESF - kextload (17), a critical indicator of rootkit installation or malicious kernel-level access.
title: Unsigned Kernel Extension Load Attempt
id: 7e7a1a47-45dd-4f97-8205-1d6aea67f682
status: experimental
description: Detects attempts to load unsigned kernel extensions which may indicate
rootkit installation or malicious kernel-level access.
references:
- https://attack.mitre.org/techniques/T1547/006/
- https://objective-see.com/blog/blog_0x4B.html
author: Eric Brown - Nebulock, Inc.
date: 2025/10/29
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1547.006
logsource:
product: macos
service: endpointsecurity
category: kernel_extension
detection:
selection:
event_type: 17
event_name: kextload
filter_signed:
kext.team_id: '*'
condition: selection and not filter_signed
falsepositives:
- Legitimate unsigned kexts in development environments
- Testing scenarios
level: critical
Converted Elasticsearch Query:
(event_type:17 AND event_name:kextload) AND (NOT kext.team_id:*)
This rule detects defense evasion attempts where malware terminates security tools using ESF SIGKILL (signal 9) events.
title: SIGKILL Sent to Security Tools
id: 3028231e-acae-4e0b-88a6-3044502c7478
status: experimental
description: Detects SIGKILL signals sent to security tools which may indicate
defense evasion.
references:
- https://attack.mitre.org/techniques/T1562/001/
author: Eric Brown - Nebulock, Inc.
date: 2025/10/29
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
product: macos
service: endpointsecurity
category: process_signal
detection:
selection:
event_type: 27
event_name: signal
signal.number: 9
target.process.path|endswith:
- /LittleSnitch
- /BlockBlock
- /KnockKnock
- /OverSight
- /ReiKey
- /Santa
- /xprotectd
- /MRT
- /CrowdStrike
- /SentinelOne
condition: selection
falsepositives:
- System updates
- Legitimate process management
level: high
Converted Elasticsearch Query:
event_type:27 AND event_name:signal AND signal.number:9 AND
target.process.path:(*xprotectd OR *LittleSnitch OR *BlockBlock OR *KnockKnock OR
*OverSight OR *ReiKey OR *Santa OR *MRT OR *CrowdStrike OR *SentinelOne)This rule detects UL events referencing quarantine (LSQuarantine) or XProtect malware detections, providing an alternative detection method via system logs.
title: macOS ULS Quarantine or XProtect Detection
id: 0a1b2c3d-4e5f-4789-abcd-ef0123456789
status: experimental
description: Detect logs referencing quarantine (LSQuarantine) or XProtect malware
detections.
author: Eric Brown - Nebulock, Inc.
date: 2025-10-29
logsource:
product: macos
service: unifiedlog
level: high
detection:
selection:
message|contains:
- LSQuarantine
- XProtect
- Malware removed
condition: selection
falsepositives:
- rare, but test systems may trigger intentionally
modified: 2025/01/15
Converted Elasticsearch Query:
message:(*LSQuarantine* OR *XProtect* OR *Malware removed*)
The macOS Sigma framework presented here aims to uplift the broader security community by closing long-standing visibility gaps on macOS endpoints, especially in environments where enterprise-grade EDR platforms are not feasible due to cost, complexity, or “customizability”. By leveraging native telemetry from the Endpoint Security Framework and Unified Logging, this solution empowers detection engineers and threat hunters to widen their aperture and harness high-fidelity, platform-native data sources.
This visibility expansion is essential as macOS continues to face increased targeting from ransomware, espionage actors, and commodity malware campaigns. The framework helps defenders proactively detect and respond to suspicious or malicious behavior through portable, scalable, and community-driven detection content.
Whether you're an individual researcher, a blue-teamer at a startup, or part of a mature SOC looking to enrich macOS telemetry, these tools and methods offer an open and extensible foundation for advancing macOS defense.
Keep an eye out for more posts in this macOS series, where we’ll be expanding the macOS Sigma framework with additional detection & hunt-focused rulesets, Splunk and Elastic pipelines with alerting and dashboarding, event and detection tuning guidelines, and of course, sharing this new coreSigma build-out for protecting your macOS ecosystem.
Special thanks to these contributors:
Christopher Witter - Witter's observations of the current macOS Sigma gaps were the catalyst for this project.
Sydney Marrone - For sharing her knowledge and learnings of macOS systems with the Nebulock team (and helping find a much better name for this research).