Dylib Injection via Process Environment Variables

Elastic Detection Rules

Summary
This detection rule identifies the use of the process environment variables DYLD_INSERT_LIBRARIES and LD_PRELOAD, which threat actors employ to inject malicious shared libraries into running binaries on macOS. The tactic is commonly associated with persistence, privilege escalation, and defense evasion. These variables cause the dynamic loader to map attacker-chosen code directly into a process's memory space, undermining the integrity of trusted applications by altering their behavior. The rule uses EQL (Event Query Language) to find processes started with either variable set, and flags them as indicators of unexpected behavior. Given the potential severity of such injections, the rule is assigned a high risk score and calls for thorough investigation and response to contain any active threat. DYLD_INSERT_LIBRARIES is also used legitimately in debugging and instrumentation, so false positives can occur and hits should be validated against known legitimate use cases before escalation.
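As an added example (not the Elastic rule itself, which is written in EQL), the same check expressed in Python over constructed process-start events: it reports a hit only when one of the two variables is set to a non-empty library list, and downgrades rather than drops hits whose parent is a known debugger. The event fields name, parent_name and env_vars, and the debugging allowlist, are assumptions.

```python
"""Flag process starts carrying DYLD_INSERT_LIBRARIES or LD_PRELOAD (added example;
the event schema, allowlist and sample events are assumptions/constructed)."""
import re

INJECTION_VARS = ("DYLD_INSERT_LIBRARIES", "LD_PRELOAD")
# Hypothetical parents that legitimately inject libraries while debugging;
# their alerts are downgraded, not dropped, so they stay reviewable.
KNOWN_DEBUG_PARENTS = {"lldb", "Xcode"}

def parse_env(env_vars):
    """Turn ["KEY=VALUE", ...] into a dict, ignoring malformed entries."""
    env = {}
    for item in env_vars:
        key, sep, value = item.partition("=")
        if sep:
            env[key] = value
    return env

def evaluate(event):
    """Return an alert dict for one process-start event, or None."""
    env = parse_env(event.get("env_vars", []))
    injected = {}
    for var in INJECTION_VARS:
        # An empty variable injects nothing, so it is not a hit.
        paths = [p for p in re.split(r"[:\s]+", env.get(var, "")) if p]
        if paths:
            injected[var] = paths
    if not injected:
        return None
    parent = event.get("parent_name", "")
    return {"process": event.get("name"), "parent": parent, "injected": injected,
            "severity": "low" if parent in KNOWN_DEBUG_PARENTS else "high"}

def scan(events):
    """Run the check over a batch of events and keep only the alerts."""
    return [alert for alert in map(evaluate, events) if alert]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"name": "Safari", "parent_name": "launchd",
     "env_vars": ["DYLD_INSERT_LIBRARIES=/tmp/hook.dylib", "HOME=/Users/a"]},
    {"name": "MyApp", "parent_name": "lldb",
     "env_vars": ["DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib"]},
    {"name": "nginx", "parent_name": "systemd", "env_vars": ["LD_PRELOAD="]},
    {"name": "Terminal", "parent_name": "launchd", "env_vars": ["PATH=/usr/bin"]},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```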
Categories
  • macOS
  • Endpoint
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1574
  • T1574.006
Created: 2026-01-30