System Shutdown/Reboot - MacOs

Sigma Rules

Summary
This detection rule targets system shutdown and reboot activity in macOS environments. Adversaries may execute shutdown or reboot commands to disrupt system accessibility or to assist in the destruction of critical systems. The rule monitors process creation events whose executed command path ends with '/shutdown', '/reboot', or '/halt' in order to identify potentially malicious activity. The detection is informational in nature: it captures the relevant command executions, but the same actions also occur during legitimate administrative operations, so false positives are anticipated. The rule is particularly useful for monitoring unauthorized system interruptions that could signify larger attack objectives. It is part of the ongoing effort to improve security posture in macOS environments and to establish quick responses to such critical actions.
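The matching logic the summary describes, applied to constructed macOS process-creation events, as an added illustration that is not the rule page's or the Sigma project's own code. The event field names (Image, CommandLine, User, ParentImage) and the product/category tags are assumptions modelled on Sysmon-style telemetry.

```python
from typing import Dict, List

# Suffixes named in the rule summary: a process image path ending in any of these matches.
SHUTDOWN_IMAGE_SUFFIXES = ("/shutdown", "/reboot", "/halt")


def matches_rule(event: Dict[str, str]) -> bool:
    """True when a macOS process_creation event's image path ends with a monitored suffix."""
    if event.get("product") != "macos" or event.get("category") != "process_creation":
        return False
    return event.get("Image", "").endswith(SHUTDOWN_IMAGE_SUFFIXES)


def triage(event: Dict[str, str]) -> Dict[str, str]:
    """Build an informational alert carrying the context an analyst needs to decide
    whether this was routine administration (expected false positive) or not."""
    return {
        "title": "System Shutdown/Reboot - MacOs",
        "level": "informational",
        "technique": "T1529",
        "image": event["Image"],
        "command_line": event.get("CommandLine", ""),
        "user": event.get("User", ""),
        "parent": event.get("ParentImage", ""),
    }


def run_rule(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Evaluate every event against the rule and return the alerts it raises."""
    return [triage(e) for e in events if matches_rule(e)]


# Constructed sample telemetry (assumed field names), not captured from a real host.
SAMPLE_EVENTS = [
    {"product": "macos", "category": "process_creation", "Image": "/sbin/shutdown",
     "CommandLine": "shutdown -h now", "User": "root", "ParentImage": "/bin/bash"},
    {"product": "macos", "category": "process_creation", "Image": "/sbin/reboot",
     "CommandLine": "reboot", "User": "root", "ParentImage": "/usr/bin/sudo"},
    # Path merely contains "halt"; it does not end with "/halt", so it must not match.
    {"product": "macos", "category": "process_creation", "Image": "/usr/local/bin/halt_checker",
     "CommandLine": "halt_checker", "User": "admin", "ParentImage": "/bin/zsh"},
    # Same binary name but wrong product: out of scope for this macOS rule.
    {"product": "linux", "category": "process_creation", "Image": "/sbin/shutdown",
     "CommandLine": "shutdown -r now", "User": "root", "ParentImage": "/bin/sh"},
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```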
Categories
  • macOS
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1529
Created: 2020-10-19