Persistence via Folder Action Script

Elastic Detection Rules

Summary
This detection rule identifies a persistence technique in which an adversary creates or modifies a Folder Action script on macOS. Folder Actions attach a script to a folder so that it runs automatically whenever the folder's contents change, which makes them a convenient and rarely inspected autostart mechanism. Because Folder Action scripts are dispatched through 'com.apple.foundation.UserScriptService', the rule alerts when a process with that parent launches a script interpreter; known benign scripts shipped by trusted applications such as iTerm2 and Microsoft Office are excluded to reduce noise. A remaining hit means a Folder Action actually fired, so responders should review the script's contents and location, when and how it was installed, and what the interpreter executed.
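The following is an added example, not the Elastic rule source and not part of the original page: a minimal re-implementation of the detection logic described above, run over constructed macOS process events. The interpreter set, the exclusion path fragments, the event field names and the sample paths are assumptions chosen for illustration; they are not necessarily the exact values used by the Elastic rule.

```python
"""Folder Action persistence detection, re-implemented for illustration.

Idea from the rule summary: Folder Action scripts are dispatched through
com.apple.foundation.UserScriptService, so a script interpreter whose parent
is that service is a Folder Action firing. Scripts shipped by trusted apps
(the page names iTerm2 and Microsoft Office) are excluded.
"""
from __future__ import annotations

from dataclasses import dataclass, field

FOLDER_ACTION_PARENT = "com.apple.foundation.UserScriptService"

# ASSUMED interpreter list (illustrative; the rule's exact list may differ).
INTERPRETERS = {
    "osascript", "python", "python3", "perl", "ruby", "bash", "sh", "zsh", "node",
}

# ASSUMED benign-script exclusions, matched against the interpreter's command
# line. Keying exclusions on a path prefix is a known weakness: a script
# planted under an excluded directory would not alert.
BENIGN_SCRIPT_FRAGMENTS = (
    "/Applications/iTerm.app/",      # iTerm2 helper scripts (assumed fragment)
    "/Applications/Microsoft ",      # Microsoft Office apps (assumed fragment)
)


@dataclass
class ProcessEvent:
    """Subset of a process-start event; field names are assumptions."""
    name: str
    parent_name: str
    args: list[str] = field(default_factory=list)


def is_folder_action_persistence(ev: ProcessEvent) -> bool:
    """True when an interpreter is spawned by UserScriptService and is not
    one of the excluded benign scripts."""
    if ev.parent_name != FOLDER_ACTION_PARENT:
        return False
    if ev.name not in INTERPRETERS:
        return False
    cmdline = " ".join(ev.args)
    return not any(frag in cmdline for frag in BENIGN_SCRIPT_FRAGMENTS)


def detect(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return only the events the rule would alert on."""
    return [ev for ev in events if is_folder_action_persistence(ev)]


# Constructed sample events (paths are made up for the example).
SAMPLE_EVENTS = [
    # Folder Action running a user-installed AppleScript: should alert.
    ProcessEvent(
        name="osascript",
        parent_name=FOLDER_ACTION_PARENT,
        args=["osascript",
              "/Users/victim/Library/Scripts/Folder Action Scripts/sync.scpt"],
    ),
    # iTerm2-shipped helper launched as a Folder Action: excluded as benign.
    ProcessEvent(
        name="bash",
        parent_name=FOLDER_ACTION_PARENT,
        args=["/bin/bash", "/Applications/iTerm.app/Contents/Resources/helper.sh"],
    ),
    # Interpreter with a different parent: not a Folder Action, no alert.
    ProcessEvent(
        name="python3",
        parent_name="launchd",
        args=["python3", "/usr/local/bin/agent.py"],
    ),
    # Non-interpreter child of UserScriptService: no alert.
    ProcessEvent(
        name="cp",
        parent_name=FOLDER_ACTION_PARENT,
        args=["cp", "/tmp/a", "/tmp/b"],
    ),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit.parent_name} -> {hit.name} {' '.join(hit.args)}")
```

Running the block prints a single alert for the user-installed `sync.scpt`. The iTerm2 event is suppressed only because its command line contains an excluded path fragment, which is the trade-off the rule's allow-list makes: it keeps the alert volume low, but an adversary who drops a script under one of the excluded application paths would also be suppressed, so the exclusion list deserves periodic review.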
Categories
  • macOS
  • Endpoint
Data Sources
  • Logon Session
  • Process
ATT&CK Techniques
  • T1037
  • T1059
Created: 2020-12-07