
Summary
The rule titled 'Attempt to Install Root Certificate' is designed to detect unauthorized installation of root certificates on macOS systems, which threat actors may use to bypass security warnings and establish trust with their command-and-control (C2) servers. A rogue root certificate lets an adversary's encrypted communications appear trusted without raising alarms, undermining the integrity of secure communications. Detection is achieved by monitoring system process events that involve the 'security' command with the 'add-trusted-cert' argument, while excluding known legitimate applications like Bitdefender to reduce false positives. The rule leverages data from Elastic Defend integrated with the Elastic Agent to track these suspicious activities effectively. Upon triggering, the detection rule provides a pathway for investigation, including assessing the legitimacy of the user account involved, reviewing related process behaviors, and checking for any communication with known malicious IPs or domains. Successful identification of such events enables security teams to take immediate action, such as isolating the affected host, revoking unauthorized certificates, and enhancing overall monitoring procedures to prevent similar occurrences in the future.
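The detection logic described above, written out as an added Python example (not the rule's own query or Elastic code) run over constructed process events in the shape Elastic Defend reports them; the exact Bitdefender parent path used for the exclusion and the field names are assumptions.

```python
# Parent executables treated as legitimate certificate installers. The page
# names Bitdefender as the excluded vendor; this exact path is an assumption.
ALLOWED_PARENTS = {
    "/Library/Bitdefender/AVP/product/bin/BDCoreIssues",  # assumed path
}

def is_root_cert_install(event: dict) -> bool:
    """Mirror the rule: `security` invoked with `add-trusted-cert`,
    unless the parent process is a known legitimate installer."""
    if event.get("process.name") != "security":
        return False
    if "add-trusted-cert" not in event.get("process.args", []):
        return False
    return event.get("process.parent.executable") not in ALLOWED_PARENTS

def triage(event: dict) -> dict:
    """Pull the fields an analyst wants first: the user, the target keychain,
    the certificate file, and whether `-d` put it in the admin (system-wide) store."""
    args = event.get("process.args", [])
    keychain = None
    if "-k" in args and args.index("-k") + 1 < len(args):
        keychain = args[args.index("-k") + 1]
    cert = args[-1] if args and args[-1].endswith((".crt", ".cer", ".pem")) else None
    return {"user": event.get("user.name"), "keychain": keychain,
            "cert": cert, "system_wide": "-d" in args}

# Constructed sample telemetry (not real data): one suspicious install,
# one excluded vendor install, two unrelated `security` / other commands.
SAMPLE_EVENTS = [
    {"process.name": "security", "user.name": "jdoe",
     "process.parent.executable": "/bin/bash",
     "process.args": ["security", "add-trusted-cert", "-d", "-r", "trustRoot",
                      "-k", "/Library/Keychains/System.keychain", "/tmp/staged.crt"]},
    {"process.name": "security", "user.name": "root",
     "process.parent.executable": "/Library/Bitdefender/AVP/product/bin/BDCoreIssues",
     "process.args": ["security", "add-trusted-cert", "-d", "-r", "trustRoot",
                      "-k", "/Library/Keychains/System.keychain", "/tmp/vendor.cer"]},
    {"process.name": "security", "user.name": "jdoe",
     "process.parent.executable": "/bin/zsh",
     "process.args": ["security", "find-certificate", "-a"]},
    {"process.name": "curl", "user.name": "jdoe",
     "process.parent.executable": "/bin/zsh",
     "process.args": ["curl", "-O", "https://example.invalid/file"]},
]

def run(events=SAMPLE_EVENTS) -> list:
    """Return triage records for every event the rule would alert on."""
    return [triage(e) for e in events if is_root_cert_install(e)]

if __name__ == "__main__":
    for alert in run():
        print(alert)
```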
Categories
- Endpoint
- macOS
Data Sources
- Process
- Application Log
- Network Traffic
ATT&CK Techniques
- T1553
- T1553.004
Created: 2021-01-13