
Summary
This rule detects the execution of Living off the Land binaries (LOLbins) on macOS. Using osquery process events, it watches for execution of specific commands, namely 'find', 'crontab', 'screencapture', 'openssl', 'curl', 'wget', 'killall', and 'funzip', within a short timeframe. LOLbins are legitimate, pre-installed binaries that malicious actors can misuse to achieve their goals without introducing new tooling that would raise alarms. The analytic looks for anomalies in execution frequency, specifically multiple invocations of these commands by the same user within a defined time window. Such behavior may indicate malicious activity and warrants further investigation into whether it leads to arbitrary code execution, privilege escalation, or persistence on the host. The rule's search query uses statistical aggregations to track binary usage patterns across user sessions on the endpoint. Because these binaries are also run legitimately by administrators and scheduled jobs, careful interpretation of the results is necessary for effective incident response and threat analysis.
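To illustrate the frequency logic the summary describes, here is an added example (not the rule's own search query or Splunk code) that runs the same idea over a handful of constructed osquery process-event records: it counts distinct LOLbins per user inside a sliding window and flags users who exceed a threshold. The window length, threshold, and sample events are assumptions for demonstration; the actual rule's values are not given here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# LOLbins named in the rule summary, matched on the process basename
LOLBINS = {"find", "crontab", "screencapture", "openssl",
           "curl", "wget", "killall", "funzip"}

# Assumed parameters: the real rule's window and threshold are not stated here
WINDOW_MINUTES = 5
THRESHOLD = 3  # distinct LOLbins per user within one window

# Constructed osquery process_events-style records (not real telemetry)
SAMPLE_EVENTS = [
    {"time": "2024-11-13T10:00:05Z", "username": "alice", "path": "/usr/bin/find"},
    {"time": "2024-11-13T10:00:40Z", "username": "alice", "path": "/usr/bin/curl"},
    {"time": "2024-11-13T10:01:10Z", "username": "alice", "path": "/usr/sbin/screencapture"},
    {"time": "2024-11-13T10:02:00Z", "username": "alice", "path": "/usr/bin/crontab"},
    {"time": "2024-11-13T10:00:30Z", "username": "bob",   "path": "/usr/bin/curl"},
    {"time": "2024-11-13T10:45:00Z", "username": "bob",   "path": "/usr/bin/find"},
    {"time": "2024-11-13T10:00:15Z", "username": "carol", "path": "/bin/ls"},
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def lolbin_name(path):
    # Only the basename matters; return None for non-LOLbin processes
    name = path.rsplit("/", 1)[-1]
    return name if name in LOLBINS else None

def detect(events, window_minutes=WINDOW_MINUTES, threshold=THRESHOLD):
    """Return {user: sorted distinct LOLbins} for every user who ran at least
    `threshold` distinct LOLbins within some span of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for ev in events:
        name = lolbin_name(ev["path"])
        if name:
            per_user[ev["username"]].append((parse_ts(ev["time"]), name))
    hits = {}
    for user, runs in per_user.items():
        runs.sort()  # chronological order so each run can start a window
        for i, (start, _) in enumerate(runs):
            seen = {n for t, n in runs[i:] if t - start <= window}
            if len(seen) >= threshold:
                hits[user] = sorted(seen)
                break
    return hits
```

With the defaults, only alice is flagged; bob's two LOLbins are 45 minutes apart and carol ran nothing on the list. Widening the window to an hour with a threshold of 2 also flags bob, which shows how much the result depends on tuning.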
Categories
- macOS
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1059.004
- T1059
Created: 2024-11-13