Password Validation Check via DSCL from Uncommon Process - macOS

Anvilogic Forge

Summary
This rule detects potential misuse of the 'dscl' (Directory Service command line) utility on macOS by identifying executions that carry the '-authonly' option and whose parent is an atypical shell or AppleScript process. 'dscl . -authonly <user> <password>' checks whether a password is valid for a local account without creating a login session, so an attacker who has phished or guessed a password can confirm it silently before using it to escalate privileges or enumerate accounts. Atomic Stealer is a known example: it collects the user's password through a fake 'osascript' prompt and validates it with 'dscl' before exfiltration. By monitoring for 'dscl authonly' launched from processes that originate from 'sh' or 'osascript', this detection rule targets that behaviour. The Splunk logic captures the relevant process events and their command-line values, allowing for focused investigation and response to potential credential abuse. Because the password is passed as a plaintext command-line argument, analysts should avoid copying the raw command line into tickets or alert notifications.
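The following is an added example, not the rule's own Splunk logic or Anvilogic code: it replays the same detection conditions (a 'dscl' execution with 'authonly' in its arguments whose parent is a shell or 'osascript') in Python over a handful of constructed process events, and it redacts the plaintext password argument before emitting an alert. The key=value event format, the host names and the 'jamf' parent used as a non-matching case are all assumptions made for the example.

```python
"""Replay of the 'dscl authonly from uncommon process' logic over constructed events."""
import shlex
from dataclasses import dataclass

# Parents the rule treats as atypical launchers of dscl: POSIX shells and the
# AppleScript runner (osascript). Extend this set to match your own telemetry.
SUSPICIOUS_PARENTS = {"sh", "bash", "zsh", "osascript"}


@dataclass
class ProcessEvent:
    ts: str
    host: str
    user: str
    parent: str
    process: str
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one key=value event line (constructed format, not a real EDR schema)."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return ProcessEvent(
        **{k: fields[k] for k in ("ts", "host", "user", "parent", "process", "cmdline")}
    )


def authonly_target(cmdline: str):
    """Return (target_user, redacted_cmdline) if cmdline is a dscl authonly check, else None.

    dscl syntax: dscl <datasource> -authonly <user> <password>; the password is a
    plaintext argument, so it is replaced with <redacted> before leaving this function.
    """
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "dscl":
        return None
    for i, arg in enumerate(argv):
        if arg.lstrip("-") == "authonly":
            target = argv[i + 1] if i + 1 < len(argv) else ""
            redacted = argv[: i + 2] + (["<redacted>"] if i + 2 < len(argv) else [])
            return target, " ".join(redacted)
    return None


def detect(lines):
    """Apply the rule: dscl authonly AND parent in SUSPICIOUS_PARENTS -> alert."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hit = authonly_target(ev.cmdline)
        if hit is None or ev.parent not in SUSPICIOUS_PARENTS:
            continue
        target, redacted = hit
        alerts.append(
            {
                "ts": ev.ts,
                "host": ev.host,
                "user": ev.user,
                "parent": ev.parent,
                "target_user": target,
                "cmdline": redacted,
            }
        )
    return alerts


# Constructed sample telemetry (not real logs). Events 1 and 4 should alert;
# event 2 has no authonly, event 3 comes from an assumed MDM agent parent.
SAMPLE_EVENTS = [
    'ts=2025-06-06T10:01:02Z host=mbp-01 user=jane parent=osascript process=dscl '
    'cmdline="dscl /Local/Default -authonly jane hunter2"',
    'ts=2025-06-06T10:01:05Z host=mbp-01 user=jane parent=zsh process=dscl '
    'cmdline="dscl . -read /Users/jane UniqueID"',
    'ts=2025-06-06T10:02:00Z host=mbp-02 user=root parent=jamf process=dscl '
    'cmdline="dscl . -authonly svc_mdm Sp00ky!"',
    'ts=2025-06-06T10:03:11Z host=mbp-03 user=bob parent=sh process=dscl '
    'cmdline="/usr/bin/dscl . -authonly bob letmein"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The parent allow-list is deliberately small; in a real deployment, expect to tune it against legitimate admin scripting (for example, provisioning scripts run from a shell), and keep the redaction step so the validated password never lands in the SIEM alert body.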
Categories
  • macOS
  • Endpoint
Data Sources
  • User Account
  • Process
  • Application Log
ATT&CK Techniques
  • T1087
Created: 2025-06-06