Attempt to Mount SMB Share via Command Line

Elastic Detection Rules

Summary
This detection rule is designed to identify suspicious command-line actions on macOS systems, particularly focusing on the execution of built-in commands for mounting Server Message Block (SMB) network shares. Adversaries can exploit SMB to perform lateral movement within networks by utilizing valid accounts to access remote network resources. The rule analyzes process events where the operating system type is macOS, filtering for specific command invocations that suggest unauthorized attempts to mount SMB shares. It ignores processes from trusted applications like Google Drive to minimize false positives. The investigation process encourages analysts to confirm the legitimacy of the commands, scrutinize user accounts involved, and track IP addresses related to SMB connections. Remediation instructions emphasize immediate isolation of affected systems and verification of user credentials. The rule employs a risk score of 21, categorizing it as a low-severity threat related to lateral movement tactics.
Categories
  • Endpoint
  • macOS
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1021
  • T1021.002
Created: 2021-01-25