
Guest Account Enabled Via Sysadminctl

Sigma Rules

Summary
This detection rule monitors for attempts to enable the guest account on macOS systems through the sysadminctl utility. It matches process creation events in which sysadminctl is executed with arguments that switch the guest account on: the command line must contain both ' -guestAccount' and ' on'. This makes it a targeted detection for a potential unauthorized access method, since enabling guest access is one way an attacker who already has local privileges can open an additional, typically disabled, login path. Because the guest account is normally kept off for security reasons, the rule helps maintain a secure system configuration and surfaces changes that should be reviewed as possible unauthorized user access.
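The following Python is an added illustration, not the rule's source as published. It reconstructs the selection the summary describes (a macOS process_creation rule whose command line must contain both ' -guestAccount' and ' on') as a small Sigma-style matcher and runs it over constructed process events. The YAML-like field names, the Image|endswith condition and the sample events are assumptions based on common Sigma conventions, not values taken from this page.

```python
from typing import Dict, List

# Sigma-style selection reconstructed from the summary on this page.
# Assumption: the published rule's exact field names and modifiers are not
# reproduced here; Image|endswith is added to mirror "sysadminctl is executed".
RULE = {
    "logsource": {"category": "process_creation", "product": "macos"},
    "detection": {
        "selection": {
            "Image|endswith": "/sysadminctl",
            "CommandLine|contains|all": [" -guestAccount", " on"],
        },
        "condition": "selection",
    },
}


def _field_matches(event: Dict[str, str], key: str, expected) -> bool:
    """Evaluate one 'Field|modifier' pair against an event.

    Supports the contains / endswith / all modifiers used above. Sigma string
    matching is case-insensitive by default; this simplified matcher is exact.
    """
    field, *modifiers = key.split("|")
    value = event.get(field, "")
    targets = expected if isinstance(expected, list) else [expected]
    if "contains" in modifiers:
        checks = [t in value for t in targets]
    elif "endswith" in modifiers:
        checks = [value.endswith(t) for t in targets]
    else:
        checks = [value == t for t in targets]
    # 'all' requires every listed value to match; otherwise any one suffices.
    return all(checks) if "all" in modifiers else any(checks)


def selection_matches(rule: Dict, event: Dict[str, str]) -> bool:
    """True when every field in the rule's 'selection' map matches (AND semantics)."""
    selection = rule["detection"]["selection"]
    return all(_field_matches(event, k, v) for k, v in selection.items())


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "Image": "/usr/sbin/sysadminctl", "CommandLine": "sysadminctl -guestAccount on"},
    {"id": "2", "Image": "/usr/sbin/sysadminctl", "CommandLine": "sysadminctl -guestAccount off"},
    {"id": "3", "Image": "/usr/sbin/sysadminctl", "CommandLine": "sysadminctl -addUser guest -password on"},
    {"id": "4", "Image": "/bin/launchctl", "CommandLine": "launchctl load -guestAccount on"},
]


def find_matches(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of events the rule would flag."""
    return [e["id"] for e in events if selection_matches(RULE, e)]


if __name__ == "__main__":
    print(find_matches(SAMPLE_EVENTS))  # → ['1']
```

Only event 1 fires: event 2 disables the account, event 3 lacks ' -guestAccount', and event 4 is not sysadminctl.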
Categories
  • macOS
  • Endpoint
Data Sources
  • Process
Created: 2023-02-18