Attempt to Enable the Root Account

Elastic Detection Rules

Summary
This detection rule identifies attempts to enable the root account on macOS systems using the `dsenableroot` command. It is valuable for detecting potentially unauthorized actions by adversaries, because the root account is typically disabled for security purposes. Execution of `dsenableroot` without the disable flag (`-d`) indicates an attempt to gain persistent elevated access. The rule monitors the relevant process events, checks for execution of the command, and helps identify whether it was initiated by a legitimate user account or is associated with malicious activity. The risk score is 47, indicating a medium level of concern; security teams should investigate and respond appropriately to alerts from this rule to maintain the integrity of their macOS systems.
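The logic the summary describes, written out as an added example (not the rule's own query or code from Elastic) and run over constructed process events. The field names follow the Elastic Common Schema; the event shape, the sample values and the set of process-start event types are assumptions.

```python
# Constructed sample process events (not real telemetry). Each record carries
# the fields the page's rule relies on: event type, process name, arguments
# and the user that launched the process.
SAMPLE_EVENTS = [
    # Enable root for user "admin": should alert.
    {"event.type": "start", "process.name": "dsenableroot",
     "process.args": ["dsenableroot", "-u", "admin"], "user.name": "admin"},
    # Same command with -d (disable root): excluded by design.
    {"event.type": "start", "process.name": "dsenableroot",
     "process.args": ["dsenableroot", "-d", "-u", "admin"], "user.name": "admin"},
    # Process-end record for the same binary: not a start event, ignored.
    {"event.type": "end", "process.name": "dsenableroot",
     "process.args": ["dsenableroot"], "user.name": "admin"},
    # Unrelated directory-services lookup: different process name, ignored.
    {"event.type": "start", "process.name": "dscl",
     "process.args": ["dscl", ".", "-read", "/Users/root"], "user.name": "admin"},
]

# Event types that mark process creation (assumed set).
START_TYPES = ("start", "process_started")


def is_enable_root_attempt(event: dict) -> bool:
    """True for a process-start event of dsenableroot whose arguments do not
    contain the disable flag -d, mirroring the logic described on the page."""
    if event.get("event.type") not in START_TYPES:
        return False
    if event.get("process.name") != "dsenableroot":
        return False
    # argv[0] is the binary itself; only the options that follow matter.
    options = event.get("process.args", [])[1:]
    return "-d" not in options


def alerts(events):
    """Return (user, command line) pairs for matching events so an analyst can
    see at a glance which account issued the command."""
    return [(e.get("user.name", "unknown"), " ".join(e.get("process.args", [])))
            for e in events if is_enable_root_attempt(e)]


if __name__ == "__main__":
    for user, cmdline in alerts(SAMPLE_EVENTS):
        print(f"ALERT: root account enable attempt by {user}: {cmdline}")
```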
Categories
  • Endpoint
  • macOS
Data Sources
  • Process
  • Logon Session
ATT&CK Techniques
  • T1078
  • T1078.003
Created: 2020-01-04