
Summary
This detection rule identifies potentially malicious execution of the `hdiutil` utility on macOS for disk image creation. `hdiutil` is a legitimate tool used by macOS users and administrators to create and manipulate disk images, but attackers may use it to stage data for exfiltration by packaging sensitive files or system configurations into an image. The rule matches process events where the executing image path ends with '/hdiutil' and the command line contains the term 'create'. Matches are assigned a medium severity level because of the potential for data exfiltration. The rule accounts for false positives, which arise primarily from legitimate disk-image creation by system administrators and regular users. It is part of a broader framework for detecting abnormal or unauthorized use of system utilities in the macOS environment.
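As an added illustration (not part of the rule itself), the matching logic described above run over constructed process events; the field names (Image, CommandLine, ParentImage) are assumed Sigma-style process-creation fields, and the parent-process allowlist is an assumption showing one way to tune the false positives the rule notes:

```python
"""Added example: evaluator for the hdiutil disk-image-creation detection.
Field names are assumed Sigma-style process_creation fields; the events
below are constructed samples, not real telemetry."""

# Constructed sample process-creation events (paths and parents are made up).
SAMPLE_EVENTS = [
    {"id": 1, "Image": "/usr/bin/hdiutil",
     "CommandLine": "hdiutil create -srcfolder /Users/alice/Documents -format UDZO /tmp/docs.dmg",
     "ParentImage": "/bin/zsh"},
    {"id": 2, "Image": "/usr/bin/hdiutil",
     "CommandLine": "hdiutil attach /Volumes/Installer.dmg",
     "ParentImage": "/bin/zsh"},
    {"id": 3, "Image": "/usr/bin/hdiutil",
     "CommandLine": "hdiutil CREATE -size 100m -fs HFS+ -volname Scratch /tmp/scratch.dmg",
     "ParentImage": "/usr/local/bin/mdm-agent"},  # assumed admin tooling path
    {"id": 4, "Image": "/usr/bin/touch",
     "CommandLine": "touch /tmp/create.txt",
     "ParentImage": "/bin/bash"},
]


def matches_rule(event: dict) -> bool:
    """Rule logic: image path ends with '/hdiutil' AND command line contains
    'create'. Comparison is case-insensitive, as Sigma string modifiers are
    by default (an assumption about the rule's backend)."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith("/hdiutil") and "create" in cmdline


def evaluate(events, allowlisted_parents=()):
    """Return (alerts, suppressed): ids of matching events, split by an
    optional parent-process allowlist. The allowlist is an illustrative
    tuning knob for known administrative tooling, not part of the rule."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        if ev.get("ParentImage") in allowlisted_parents:
            suppressed.append(ev["id"])
        else:
            alerts.append(ev["id"])
    return alerts, suppressed


if __name__ == "__main__":
    # Event 4 contains 'create' but is not hdiutil; event 2 is hdiutil without 'create'.
    print(evaluate(SAMPLE_EVENTS, allowlisted_parents=("/usr/local/bin/mdm-agent",)))
```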
Categories
- macOS
- Endpoint
Data Sources
- Process
Created: 2024-08-10