
Summary
This rule detects execution of MeshAgent, a remote access tool that threat actors have abused to maintain persistent access to compromised macOS systems. The detection keys on the command-line arguments recorded at process creation: specifically, the presence of the argument '--meshServiceName', which indicates MeshAgent being run for remote access. Attackers have historically renamed the MeshAgent binary to avoid detection, so identification by file name alone is unreliable; this rule improves coverage of such cases by focusing on a command-line argument that is consistent with MeshAgent's operational behaviour regardless of what the binary is called. Organizations deploying this rule should expect false positives in environments where MeshAgent is used legitimately for remote management.
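The following is an added example (not part of the rule page) showing the detection logic run over a few constructed process-creation events. It matches the '--meshServiceName' argument as a command-line token rather than by binary name, so a renamed binary still fires, and it records whether the binary name differs from the expected one and whether the service name is on a sanctioned list, which is how an analyst might triage the legitimate-use false positives the rule summary warns about. The expected binary name, the sample paths and the sanctioned-name list are assumptions for the example; the rule itself only keys on the argument.

```python
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The command-line argument the rule keys on (taken from the rule summary).
INDICATOR_ARG = "--meshServiceName"

# Binary name MeshAgent is normally installed under (assumption for this
# example; used only to flag renamed copies, not to decide whether to alert).
EXPECTED_BINARY_NAME = "meshagent"


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed shape, not a vendor schema)."""
    image: str          # full path of the executed binary
    command_line: str   # command line as logged by the endpoint sensor


@dataclass
class Finding:
    image: str
    service_name: str
    renamed: bool       # True if the binary is not named like stock MeshAgent
    sanctioned: bool    # True if the service name is on the allowlist


def _tokenize(command_line: str) -> List[str]:
    # Shell-style splitting keeps quoted paths with spaces intact.
    try:
        return shlex.split(command_line)
    except ValueError:
        return command_line.split()


def extract_service_name(command_line: str) -> Optional[str]:
    """Return the value passed to --meshServiceName, or None if the argument
    is absent. Both '--meshServiceName=value' and '--meshServiceName value'
    forms are accepted (assumption: either spelling may appear in telemetry).
    Matching is on whole tokens, so '--meshServiceNameX' does not match."""
    tokens = _tokenize(command_line)
    for i, tok in enumerate(tokens):
        if tok == INDICATOR_ARG:
            return tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok.startswith(INDICATOR_ARG + "="):
            return tok[len(INDICATOR_ARG) + 1:]
    return None


def detect_meshagent(events: Iterable[ProcessEvent],
                     sanctioned_service_names: Iterable[str] = ()) -> List[Finding]:
    """Apply the rule: every event whose command line carries the indicator
    argument is a finding, regardless of the binary's path or name."""
    allow = set(sanctioned_service_names)
    findings = []
    for ev in events:
        name = extract_service_name(ev.command_line)
        if name is None:
            continue
        binary = ev.image.rsplit("/", 1)[-1].lower()
        findings.append(Finding(
            image=ev.image,
            service_name=name,
            renamed=(binary != EXPECTED_BINARY_NAME),
            sanctioned=(name in allow),
        ))
    return findings


# Constructed sample telemetry: a sanctioned install, a renamed copy dropped
# under an innocuous path, and an unrelated process that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent(
        image="/usr/local/mesh_services/meshagent/meshagent",
        command_line='/usr/local/mesh_services/meshagent/meshagent '
                     '--meshServiceName "Corp IT Remote"',
    ),
    ProcessEvent(
        image="/Library/Application Support/Updater/updated",
        command_line='"/Library/Application Support/Updater/updated" '
                     '--meshServiceName=Helper',
    ),
    ProcessEvent(
        image="/usr/bin/curl",
        command_line="/usr/bin/curl -s https://example.com",
    ),
]


if __name__ == "__main__":
    for f in detect_meshagent(SAMPLE_EVENTS, {"Corp IT Remote"}):
        severity = "info" if f.sanctioned and not f.renamed else "high"
        print(f"[{severity}] {f.image} service={f.service_name!r} "
              f"renamed={f.renamed} sanctioned={f.sanctioned}")
```

Run as a script it prints one line per finding; the renamed binary with an unrecognised service name is the case the rule exists to catch, while the stock install with a sanctioned name is the expected false-positive class that an allowlist can downgrade rather than suppress.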
Categories
- macOS
- Endpoint
Data Sources
- Process
Created: 2025-05-19