
Summary
This detection rule targets malicious use of Finder Sync plugins on macOS. Finder Sync plugins extend Finder with third-party functionality, and adversaries can abuse this mechanism by registering a rogue plugin that executes an unauthorized payload for persistence. The rule monitors Finder Sync plugin registrations performed through the `pluginkit` process and filters out known safe plugins, so that any remaining registration is flagged as potentially harmful. Specifically, invocations of `pluginkit` with the arguments `-e`, `use`, and `-i` are scrutinized, particularly when they do not correspond to a known safe plugin. This is critical for identifying potential threats and preventing persistent malicious setups on macOS endpoints.
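The filtering logic described above, as an added illustration rather than the rule's own query: it walks constructed process events, keeps only `pluginkit -e use -i <id>` invocations, and alerts on identifiers absent from an allowlist. The allowlist entry, field names (`process_name`, `args`, `parent_name`, `host`) and all sample events are assumptions made for this example.

```python
from __future__ import annotations
import shlex

# Constructed allowlist; the real rule's list of known safe plugins is not shown on this page.
KNOWN_SAFE_PLUGINS = frozenset({"com.example.cloudsync.FinderSyncExt"})  # placeholder id


def pluginkit_registration(event: dict) -> str | None:
    """Return the plugin identifier if the event is `pluginkit -e use -i <id>`, else None."""
    if event.get("process_name") != "pluginkit":
        return None
    args = event.get("args", [])
    if isinstance(args, str):          # some shippers give the command line as one string
        args = shlex.split(args)
    try:
        # `-e use` enables a plugin element; `-e ignore` would disable it and is not a registration
        if args[args.index("-e") + 1] != "use":
            return None
        return args[args.index("-i") + 1]   # the identifier follows `-i`
    except (ValueError, IndexError):        # flag missing or no value after it
        return None


def detect(events: list[dict], allowlist=KNOWN_SAFE_PLUGINS) -> list[dict]:
    """Alert on every Finder Sync registration whose identifier is not on the allowlist."""
    alerts = []
    for ev in events:
        ident = pluginkit_registration(ev)
        if ident is not None and ident not in allowlist:
            alerts.append({"host": ev.get("host"), "plugin_id": ident,
                           "parent": ev.get("parent_name")})
    return alerts


# Constructed sample process events (not real telemetry)
SAMPLE_EVENTS = [
    {"host": "mac-01", "parent_name": "CloudSync", "process_name": "pluginkit",
     "args": "pluginkit -e use -i com.example.cloudsync.FinderSyncExt"},
    {"host": "mac-02", "parent_name": "bash", "process_name": "pluginkit",
     "args": ["pluginkit", "-e", "use", "-i", "com.constructed.dropper.FinderSyncExt"]},
    {"host": "mac-02", "parent_name": "bash", "process_name": "pluginkit",
     "args": "pluginkit -e ignore -i com.constructed.dropper.FinderSyncExt"},
    {"host": "mac-03", "parent_name": "Finder", "process_name": "pluginkit",
     "args": "pluginkit -m -i com.constructed.other.ext"},
    {"host": "mac-03", "parent_name": "launchd", "process_name": "open", "args": "open -a Safari"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the second event fires: the allowlisted plugin, the `-e ignore` call and the non-registration `-m` query are all dropped before the allowlist check.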
Categories
- Endpoint
- macOS
Data Sources
- Process
- Application Log
- Command
ATT&CK Techniques
- T1543
Created: 2020-12-18