
Summary
This rule detects the execution of 'osascript' on macOS to create a hidden login item. Login items are a built-in persistence mechanism, and the AppleScript form 'make login item ... with properties {..., hidden:true}' lets a program register itself to start at login while launching without a visible window, which suits malware that wants to persist quietly. Note that the hidden property only suppresses the application's windows at launch; the entry is still listed among the user's login items, so it is not invisible to a user who inspects that list.

The rule uses an EQL query over process start events: it looks for a process named 'osascript' whose command line contains 'login item' together with the property 'hidden:true'. The rule carries a risk score of 47 and is authored by Elastic; it requires the Elastic Defend integration, set up via Fleet, as its data source. The recommended investigation steps focus on the parent process of 'osascript' (a shell or script interpreter launched from an unexpected location warrants more scrutiny than an installer or an administrative tool) and on the user account associated with the activity. The rule also documents possible false positives (legitimately installed software can register a hidden helper application the same way) and response measures for security teams.
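To make the matching concrete, here is an added Python reimplementation of the detection logic the summary describes, run over a handful of constructed process events. It is not the rule's own EQL query or any Elastic code; the ECS-style field names, the wildcard pattern, the sample events and the helper names are assumptions for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal ECS-style process record (field names chosen for this example)."""
    host_os_type: str     # host.os.type
    event_type: str       # event.type
    process_name: str     # process.name
    command_line: str     # process.command_line
    parent_name: str      # process.parent.name
    user_name: str        # user.name


def eql_like_match(pattern: str, value: str) -> bool:
    """Approximate EQL's ':' operator: '*' is a wildcard, matching is
    case-insensitive, and the whole value must fit the pattern."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


# Assumed pattern, reconstructed from the summary: a login item created
# with the hidden:true property somewhere on the command line.
HIDDEN_LOGIN_ITEM_PATTERN = "*login item*hidden:true*"


def hidden_login_item_rule(ev: ProcessEvent) -> bool:
    """Detection logic as the summary describes it: a macOS process start of
    osascript whose command line creates a login item with hidden:true."""
    return (
        ev.host_os_type == "macos"
        and ev.event_type in ("start", "process_started")
        and eql_like_match("osascript", ev.process_name)
        and eql_like_match(HIDDEN_LOGIN_ITEM_PATTERN, ev.command_line)
    )


def triage(events: list[ProcessEvent]) -> list[dict]:
    """Run the rule over a batch and return, for each hit, the context the
    investigation steps call for first: parent process and user account."""
    return [
        {"parent": ev.parent_name, "user": ev.user_name, "command_line": ev.command_line}
        for ev in events
        if hidden_login_item_rule(ev)
    ]


# Constructed sample events, not real telemetry.
MAKE_HIDDEN = (
    'osascript -e \'tell application "System Events" to make login item at end '
    'with properties {path:"/Users/jdoe/Library/Application Support/updater.app", hidden:true}\''
)
SAMPLE_EVENTS = [
    # 1. Hidden login item created from a shell: should alert.
    ProcessEvent("macos", "start", "osascript", MAKE_HIDDEN, "sh", "jdoe"),
    # 2. Ordinary osascript use with no login item: no alert.
    ProcessEvent("macos", "start", "osascript",
                 'osascript -e \'display notification "Build finished" with title "CI"\'',
                 "Terminal", "jdoe"),
    # 3. Login item created but not hidden: outside the rule's scope.
    ProcessEvent("macos", "start", "osascript",
                 MAKE_HIDDEN.replace("hidden:true", "hidden:false"), "Installer", "jdoe"),
    # 4. Same command line on a process end event: only starts are considered.
    ProcessEvent("macos", "end", "osascript", MAKE_HIDDEN, "sh", "jdoe"),
    # 5. Mixed case and 'make new login item' phrasing, run as root from a
    #    script interpreter: still matches because ':' is case-insensitive.
    ProcessEvent("macos", "process_started", "osascript",
                 'osascript -e \'tell application "System Events" to make new login item '
                 'at end with properties {name:"Helper", path:"/Library/Application Support/Helper.app", Hidden:True}\'',
                 "python3", "root"),
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT user={hit['user']} parent={hit['parent']}: {hit['command_line']}")
```

Two limits of this style of rule are worth keeping in mind when triaging or tuning it. The logic keys on the command line, so 'osascript /path/to/script.scpt', where the login-item text lives inside the file rather than on the command line, produces no match; and it keys on the process name, so a renamed copy of the binary is not covered either. Neither gap is an error in the rule, but both mean a clean result from this check does not rule out login-item persistence.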
Categories
- macOS
- Endpoint
Data Sources
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1547
- T1059
- T1059.002
- T1647
Created: 2020-01-05