
Summary
This detection rule identifies attempts to enable the root account on macOS systems using the 'dsenableroot' command. It triggers on process creation when the image path ends with '/dsenableroot', indicating that the command is being executed. To reduce false positives, the rule filters out command lines that contain the '-d' flag (which disables rather than enables the root account), since those invocations are not attempts to enable root. By focusing on this specific command and its arguments, the rule flags potential unauthorized privilege escalation via enabling the root account, a critical operation that can lead to further exploitation if carried out by a malicious actor.
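The selection-and-filter logic described above, written out as an added example (not the rule's own code) that evaluates it over constructed process-creation events; the event field names (image, command line) and the stricter token-based variant are assumptions for illustration:

```python
# Added example: evaluate the dsenableroot detection logic over constructed
# process-creation events. Field names follow a generic Image/CommandLine
# schema (an assumption); all events below are constructed sample data.
import shlex
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the executed binary
    command_line: str   # full command line as logged


def matches_dsenableroot_rule(event: ProcessEvent, strict_tokens: bool = False) -> bool:
    """Return True when the event satisfies the selection and not the filter.

    Selection: image ends with '/dsenableroot'.
    Filter:    command line contains '-d' (disables root; excluded from alerts).

    strict_tokens=True is an added variant that only treats '-d' as the
    disable flag when it is a separate argument, so a value such as a
    password containing '-d' does not suppress the alert.
    """
    selection = event.image.endswith("/dsenableroot")
    if strict_tokens:
        filter_disable = "-d" in shlex.split(event.command_line)
    else:
        filter_disable = "-d" in event.command_line   # substring match, as in the rule
    return selection and not filter_disable


# Constructed sample events for a quick check.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/sbin/dsenableroot", "dsenableroot"),                       # enable: alert
    ProcessEvent("/usr/sbin/dsenableroot", "dsenableroot -u admin -p x -r y"),    # enable: alert
    ProcessEvent("/usr/sbin/dsenableroot", "dsenableroot -d"),                    # disable: filtered
    ProcessEvent("/bin/ls", "ls -la /"),                                          # unrelated: no alert
]


def alerting_events(events, strict_tokens: bool = False):
    """Return the subset of events that would raise an alert."""
    return [e for e in events if matches_dsenableroot_rule(e, strict_tokens)]


if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", e.command_line)
```

The substring filter is faithful to the rule as described; the token-based variant shows the narrower blind spot a tuner might prefer when reviewing the '-d' exclusion.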
Categories
- macOS
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1078.003
Created: 2023-08-22