
Disk Image Mounting Via Hdiutil - MacOS

Sigma Rules

Summary
This detection rule identifies potentially malicious use of the hdiutil command-line utility on macOS. hdiutil is the standard tool for creating, manipulating, and mounting disk images. Because it has legitimate uses in system administration, the rule targets the specific case where hdiutil is executed to mount a disk image, an action that can facilitate initial access or lateral movement by attackers. Detection is based on process creation events whose command line contains both the hdiutil executable and a keyword indicative of a mounting operation, such as 'attach' or 'mount'. Legitimate users, particularly skilled system administrators, will invoke hdiutil for routine operations, so their usage should be closely monitored to minimize false positive alerts. The rule is categorized as experimental and is still being refined based on real-world usage and feedback.
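The following Python script is an added illustration of the detection logic described above and is not the Sigma rule's own source. It evaluates constructed macOS process-creation events (field names CommandLine, Image and User are assumed to follow the usual Sigma process_creation conventions) with Sigma-style case-insensitive substring matching, and applies a hypothetical administrator allowlist of the kind used to tune the false positives the summary mentions. It also shows one caveat of substring matching: `hdiutil unmount` contains the keyword 'mount' and therefore fires as well, so analysts reviewing alerts should inspect the full command line rather than the keyword alone.

```python
"""Evaluate constructed process-creation events against the detection logic
described for 'Disk Image Mounting Via Hdiutil - MacOS'.

Added example, not the rule's own source. Field names follow common Sigma
process_creation conventions (assumption); all events and the allowlist
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

TOOL = "hdiutil"
MOUNT_KEYWORDS = ("attach", "mount")   # keywords named in the rule summary


@dataclass
class Match:
    event: dict
    keyword: str        # which mounting keyword triggered the match
    suppressed: bool    # True when the user is on the tuning allowlist


def _contains(haystack: str, needle: str) -> bool:
    # Sigma string matching (e.g. |contains) is case-insensitive by default.
    return needle.lower() in haystack.lower()


def evaluate(event: dict) -> Optional[str]:
    """Return the matching keyword, or None when the event does not match.

    Mirrors the summary: the command line must reference hdiutil AND
    contain a mounting keyword. Pure substring semantics are used on
    purpose, so 'unmount' also satisfies the 'mount' keyword.
    """
    cmd = event.get("CommandLine", "")
    if not _contains(cmd, TOOL):
        return None
    for kw in MOUNT_KEYWORDS:
        if _contains(cmd, kw):
            return kw
    return None


def run_rule(events: Iterable[dict],
             admin_allowlist: frozenset = frozenset()) -> List[Match]:
    """Run the detection over a batch of events, flagging allowlisted users."""
    matches = []
    for ev in events:
        kw = evaluate(ev)
        if kw is None:
            continue
        matches.append(Match(ev, kw, ev.get("User") in admin_allowlist))
    return matches


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/hdiutil", "User": "alice",
     "CommandLine": "hdiutil attach /Users/alice/Downloads/Installer.dmg"},
    {"Image": "/usr/bin/hdiutil", "User": "bob",
     "CommandLine": "hdiutil mount -noverify /tmp/update.dmg"},
    {"Image": "/usr/bin/hdiutil", "User": "alice",
     "CommandLine": "hdiutil detach /Volumes/Installer"},       # no match
    {"Image": "/usr/bin/hdiutil", "User": "alice",
     "CommandLine": "hdiutil verify /Users/alice/backup.dmg"},  # no match
    {"Image": "/bin/zsh", "User": "bob",                        # case-insensitive
     "CommandLine": "zsh -c 'hdiutil ATTACH -quiet /tmp/x.dmg'"},
    {"Image": "/usr/bin/hdiutil", "User": "itadmin",            # allowlisted
     "CommandLine": "hdiutil attach /Users/itadmin/images/base.dmg"},
    {"Image": "/usr/bin/hdiutil", "User": "alice",              # substring caveat
     "CommandLine": "hdiutil unmount /Volumes/Installer"},
    {"Image": "/bin/ls", "User": "alice", "CommandLine": "ls -la /Volumes"},
]

# Hypothetical tuning list of accounts whose hdiutil use is expected.
ADMIN_ALLOWLIST = frozenset({"itadmin"})


if __name__ == "__main__":
    for m in run_rule(SAMPLE_EVENTS, ADMIN_ALLOWLIST):
        status = "suppressed" if m.suppressed else "ALERT"
        print(f"{status:10} user={m.event['User']:8} keyword={m.keyword:7} "
              f"cmd={m.event['CommandLine']}")
```

Running the script yields five matches, one of them suppressed for the allowlisted account; the `detach` and `verify` invocations do not match, while `unmount` does, which is the behaviour to keep in mind when triaging.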
Categories
  • macOS
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2024-08-10