Dumping Account Hashes via Built-In Commands

Elastic Detection Rules

Summary
This rule detects the execution of built-in macOS commands that adversaries may use to dump user account hashes. Captured hashes give an attacker access to account login material that can either be cracked to recover passwords or used directly for lateral movement across the network. The detection query identifies suspicious process events for the commands `defaults` and `mkpassdb` when they are run with arguments such as `ShadowHashData` or `-dump`. The rule is assigned high severity because of the significant risk that credential dumping poses. It requires the Elastic Defend integration, with the Elastic Agent correctly configured to collect process events so that such activity is visible.

Investigation steps include reviewing user account logs, identifying where the executed commands originated, and evaluating network connections that could indicate data exfiltration. False positives may arise from legitimate administrative tasks, so ongoing review is needed and exceptions should be created for recognised operational procedures. Recommended response actions include isolating affected systems, terminating malicious processes, auditing user accounts, and enhancing monitoring to detect similar activity in the future.
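The following is an added illustration of the detection conditions the summary describes, run over constructed process events; it is not Elastic's rule query or Elastic Defend code. The ECS-style event layout and the (user, parent process) exception scheme are assumptions of this example.

```python
# Toy re-implementation of the detection logic this rule summary describes.
# Added example, not Elastic's rule query or Elastic Defend code: flag process
# start events where the process is `defaults` or `mkpassdb` and its arguments
# include `ShadowHashData` or `-dump`, then drop events covered by an exception.
# The event shape and the exception scheme are assumptions of this example.
SUSPICIOUS_PROCESSES = {"defaults", "mkpassdb"}
SUSPICIOUS_ARGS = {"ShadowHashData", "-dump"}

# Constructed ECS-style process events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"event": {"category": "process", "type": "start"}, "user": {"name": "alice"},
     "process": {"name": "defaults", "parent": {"name": "bash"},
                 "args": ["defaults", "read", "/constructed/path/user.plist", "ShadowHashData"]}},
    {"event": {"category": "process", "type": "start"}, "user": {"name": "root"},
     "process": {"name": "mkpassdb", "parent": {"name": "zsh"}, "args": ["mkpassdb", "-dump"]}},
    {"event": {"category": "process", "type": "start"}, "user": {"name": "alice"},  # benign defaults use
     "process": {"name": "defaults", "parent": {"name": "bash"},
                 "args": ["defaults", "read", "com.apple.dock", "autohide"]}},
    {"event": {"category": "process", "type": "end"}, "user": {"name": "root"},  # not a start event
     "process": {"name": "mkpassdb", "parent": {"name": "zsh"}, "args": ["mkpassdb", "-dump"]}},
    {"event": {"category": "process", "type": "start"}, "user": {"name": "svc_backup"},
     "process": {"name": "mkpassdb", "parent": {"name": "backup-agent"}, "args": ["mkpassdb", "-dump"]}},
]

# Exceptions for recognised operational procedures: (user, parent process) pairs.
EXCEPTIONS = {("svc_backup", "backup-agent")}

def matches_rule(ev):
    """True when the event meets the conditions described in the summary."""
    event = ev.get("event", {})
    if event.get("category") != "process" or event.get("type") not in ("start", "process_started"):
        return False
    proc = ev.get("process", {})
    return proc.get("name") in SUSPICIOUS_PROCESSES and bool(SUSPICIOUS_ARGS & set(proc.get("args", [])))

def is_excepted(ev):
    """True when the (user, parent process) pair is a documented operational exception."""
    key = (ev.get("user", {}).get("name"), ev.get("process", {}).get("parent", {}).get("name"))
    return key in EXCEPTIONS

def detect(events):
    """Return one alert record per rule match that is not covered by an exception."""
    return [{"user": ev["user"]["name"], "process": ev["process"]["name"],
             "parent": ev["process"]["parent"]["name"], "args": " ".join(ev["process"]["args"])}
            for ev in events if matches_rule(ev) and not is_excepted(ev)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running it yields two alerts (the `defaults ... ShadowHashData` and `mkpassdb -dump` start events); the benign `defaults` read, the non-start event and the excepted backup service are not reported.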
Categories
  • macOS
  • Endpoint
  • Identity Management
  • Cloud
Data Sources
  • Process
  • File
  • Container
  • Command
ATT&CK Techniques
  • T1003
Created: 2021-01-25