User Added To Admin Group Via Dscl

Sigma Rules

Summary
This detection rule identifies attempts to elevate privileges by adding an account to the admin group on macOS via dscl (the Directory Service command line utility). It matches process creation events whose command line corresponds to adding a user to the admin group, keying on the specific command line arguments commonly used for this purpose. The technique belongs to an initial access stage in which malicious actors gain higher privileges by creating or modifying user accounts, and the rule is particularly relevant in environments where unauthorized administrative access could lead to further compromise. Legitimate administrative actions can produce false positives, so alerts need additional context to be validated effectively.
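As an added illustration of the matching logic the summary describes (constructed here, not the rule's own definition), the following Python checks process-creation events for a dscl invocation that appends or merges a user into the admin group's GroupMembership attribute and returns the affected user name; the event field names Image and CommandLine, the matched arguments, and the sample events are all assumptions.

```python
import shlex

# Group path to watch; assumed approximation of the rule's criteria, not its text.
ADMIN_GROUP = "/Groups/admin"

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/dscl", "CommandLine": "dscl . -append /Groups/admin GroupMembership jdoe"},
    {"Image": "/usr/bin/dscl", "CommandLine": "dscl . -merge /Groups/admin GroupMembership svc_backup"},
    {"Image": "/usr/bin/dscl", "CommandLine": "dscl . -read /Groups/admin GroupMembership"},
    {"Image": "/usr/bin/dscl", "CommandLine": "dscl . -append /Groups/staff GroupMembership jdoe"},
    {"Image": "/bin/ls", "CommandLine": "ls -la /Groups/admin"},
    {"Image": "/usr/bin/dscl", "CommandLine": "dscl . -append '/Groups/admin/' GroupMembership 'a b'"},
]


def parse_dscl_admin_add(event):
    """Return the user added to the admin group, or None if the event does not match.

    Conditions (assumed approximation of the rule, not its definition):
      * Image ends with '/dscl'
      * an argument '-append' or '-merge' (both write to a record attribute)
      * followed by the group path, the attribute 'GroupMembership', and a user name
    """
    if not event.get("Image", "").endswith("/dscl"):
        return None
    cmdline = event.get("CommandLine", "")
    try:
        argv = shlex.split(cmdline)  # honour shell quoting in the recorded command line
    except ValueError:
        argv = cmdline.split()  # unbalanced quotes: fall back so odd input is still inspected
    for i, arg in enumerate(argv):
        if arg in ("-append", "-merge") and len(argv) >= i + 4:
            path, attr, user = argv[i + 1], argv[i + 2], argv[i + 3]
            if path.rstrip("/") == ADMIN_GROUP and attr == "GroupMembership":
                return user
    return None


def find_admin_additions(events):
    """Run the check over a list of events; return (command line, user) for each hit."""
    hits = []
    for ev in events:
        user = parse_dscl_admin_add(ev)
        if user is not None:
            hits.append((ev["CommandLine"], user))
    return hits


if __name__ == "__main__":
    for cmd, user in find_admin_additions(SAMPLE_EVENTS):
        print(f"ALERT user={user!r} cmd={cmd!r}")
```

The read-only `-read` invocation and the change to a non-admin group are deliberately left unmatched, which is where the summary's note on false positives starts: a hit still needs context on who ran the command and whether the change was expected.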
Categories
  • macOS
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1078.003
Created: 2023-03-19