Many defenders have hard fought experience finding evil on Windows systems, but stare blankly when handed a Mac. You know all the ways PowerShell can own a box, but how about AppleScript? This practical talk will give defenders a primer in finding adversarial activity on macOS using the TTPs they know and love from other platforms as a reference point.