Explore a technical conference talk that delves deep into macOS's bootstrap server and launchd functionality. Learn about launchd's critical role as the first process at boot, its service management capabilities, and inter-process communication mechanisms. Discover how to leverage XPC and Mach APIs for threat detection while gaining insights into undocumented launchd routines and subsystems. Examine Sonoma's new XPC_CONNECT event from Endpoint Security and potential areas for improvement. Presented by Brandon Dalton, a macOS security researcher and MITRE ATT&CK contributor with experience at NSA and Red Canary, alongside Fitzl Csaba, a Principal macOS Security Researcher at Kandji with extensive background in network engineering, malware analysis, and adversary simulation.