
Summary
This detection rule monitors for the enabling of Apple Remote Desktop (ARD) on macOS systems. ARD is a remote management tool used for software distribution, remote assistance, and system management. The rule specifically targets the execution of kickstart commands that are used to configure ARD settings. Administrators may legitimately enable this service, but attackers can abuse it for unauthorized access and persistence on compromised systems. The rule employs Splunk logic to query endpoint process data, filtering for the presence of the 'kickstart' command with specific arguments related to enabling ARD. The outcome is a table of relevant events showing timestamps, host identifiers, user accounts, and the processes involved, aiding in the identification of potential malicious activity regarding remote management configuration.
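The same filtering logic, as an added example written in Python rather than the rule's own Splunk search (it is not code from the rule or its authors): it walks constructed endpoint process events shaped like the fields the summary describes (timestamp, host, user, process name, command line), locates the kickstart token, and flags only invocations whose arguments enable or widen ARD access. The exact set of "enabling" flags is an assumption made here; the page only says "specific arguments related to enabling ARD".

```python
"""Added example: flag ARD kickstart invocations that enable or configure
Apple Remote Desktop, run over constructed endpoint process events.
This is not the detection rule's own Splunk code."""
import shlex
from typing import Iterable

# Path of Apple's kickstart helper on macOS; invocations may also use the bare name.
KICKSTART_PATH = (
    "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
)


def is_ard_enable(command_line: str) -> bool:
    """Return True when the command line enables or reconfigures ARD.

    Assumed interpretation of kickstart flags (not taken from the page):
      -activate          turns the ARD agent on
      -configure         changes who may connect / what privileges they get
      -deactivate, -off  explicit disable; a command carrying -deactivate is
                         treated as a disable, not an enable
    """
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: fall back to naive splitting
        argv = command_line.split()

    # Find the kickstart token itself so that "sudo /path/kickstart ..." still
    # matches and strings such as a URL ending in "kickstart-notes.txt" do not.
    idx = next((i for i, a in enumerate(argv) if a.lower().endswith("kickstart")), None)
    if idx is None:
        return False

    flags = {a.lower() for a in argv[idx + 1 :] if a.startswith("-")}
    if "-deactivate" in flags:
        return False
    return "-activate" in flags or ("-configure" in flags and "-off" not in flags)


def find_ard_enable_events(events: Iterable[dict]) -> list:
    """Filter process events and return rows shaped like the rule's output table."""
    rows = []
    for ev in events:
        if is_ard_enable(ev.get("process", "")):
            rows.append(
                {
                    "_time": ev["_time"],
                    "dest": ev["dest"],
                    "user": ev["user"],
                    "process_name": ev["process_name"],
                    "process": ev["process"],
                }
            )
    return rows


# Constructed sample events (not real telemetry); timestamps and hosts are made up.
SAMPLE_EVENTS = [
    {
        "_time": "2024-12-05T10:00:00Z", "dest": "mac-01", "user": "root",
        "process_name": "kickstart",
        "process": f"sudo {KICKSTART_PATH} -activate -configure -access -on "
                   "-users admin -privs -all -restart -agent",
    },
    {
        "_time": "2024-12-05T10:05:00Z", "dest": "mac-02", "user": "root",
        "process_name": "kickstart",
        "process": f"{KICKSTART_PATH} -deactivate -configure -access -off",
    },
    {
        "_time": "2024-12-05T10:06:00Z", "dest": "mac-02", "user": "alice",
        "process_name": "kickstart",
        "process": f"{KICKSTART_PATH} -help",
    },
    {
        "_time": "2024-12-05T10:07:00Z", "dest": "mac-03", "user": "bob",
        "process_name": "curl",
        "process": "curl https://example.invalid/kickstart-notes.txt",
    },
    {
        "_time": "2024-12-05T10:09:00Z", "dest": "mac-04", "user": "svc_backup",
        "process_name": "kickstart",
        "process": "kickstart -configure -allowAccessFor -allUsers -privs -all",
    },
]

if __name__ == "__main__":
    for row in find_ard_enable_events(SAMPLE_EVENTS):
        print(row["_time"], row["dest"], row["user"], row["process_name"], row["process"])
```

Only the first and last sample events are reported: the explicit deactivate, the `-help` invocation, and the URL that merely contains the word "kickstart" are left out. When tuning the real rule, the `-deactivate` and `-off` cases are the ones most likely to show up as benign administrator activity, while an unexpected account such as a service user running `-configure -allowAccessFor -allUsers` is the pattern worth escalating.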
Categories
- macOS
- Endpoint
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1021
Created: 2024-12-05