
Summary
This detection rule targets potential AMOS Stealer activity on macOS, specifically its virtual machine checks. It uses `osquery` to monitor process events for anomalous invocations of the `osascript` command that are characteristic of AMOS Stealer. The malware has been observed using such command-line patterns to determine whether the host is running in a virtual environment (such as VMware or QEMU). A match indicates an existing infection, which can allow attackers to execute arbitrary code, escalate privileges, capture sensitive information, and maintain persistence on compromised systems, making it a severe security threat.
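The following is an added example of the detection logic this summary describes, not the rule's own query or code: it shows an osquery `process_events` query narrowed to `osascript`, then flags rows whose command line references a hypervisor name. The query text, the indicator list (`VM_INDICATORS`, limited to the VMware and QEMU names given above) and the sample rows are assumptions constructed for illustration.

```python
import re
from typing import Iterable

# Assumed query for this example (not the original rule's): schedule it in osquery so
# only osascript process events reach the evaluation step below. The columns pid,
# parent, path, cmdline, uid and time exist in osquery's process_events table.
OSQUERY_QUERY = """
SELECT pid, parent, path, cmdline, uid, time
FROM process_events
WHERE path = '/usr/bin/osascript';
"""

# Hypervisor names to look for in the osascript command line (assumption: the two
# products named in the rule summary). Matching is case-insensitive.
VM_INDICATORS = re.compile(r"vmware|qemu", re.IGNORECASE)


def is_vm_check(event: dict) -> bool:
    """True when a process event is an osascript run whose command line names a
    hypervisor, the shape of the VM check described in the summary."""
    if event.get("path") != "/usr/bin/osascript":
        return False
    return bool(VM_INDICATORS.search(event.get("cmdline", "")))


def find_vm_checks(events: Iterable[dict]) -> list:
    """Return the events that should raise an alert."""
    return [e for e in events if is_vm_check(e)]


# Constructed sample process_events rows; the command lines are illustrative and
# are not captured AMOS artefacts. The third row references QEMU but is not
# osascript, so the path filter keeps it out of the alert set.
SAMPLE_EVENTS = [
    {"pid": 4121, "parent": 4100, "uid": 501, "time": 1745576400,
     "path": "/usr/bin/osascript",
     "cmdline": "osascript -e 'do shell script \"system_profiler SPHardwareDataType | grep -i vmware\"'"},
    {"pid": 4122, "parent": 4100, "uid": 501, "time": 1745576401,
     "path": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display notification \"Backup finished\"'"},
    {"pid": 4123, "parent": 1, "uid": 0, "time": 1745576402,
     "path": "/bin/sh",
     "cmdline": "sh -c 'ioreg -l | grep -i qemu'"},
]

if __name__ == "__main__":
    for hit in find_vm_checks(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['pid']} parent={hit['parent']} uid={hit['uid']} cmdline={hit['cmdline']}")
```

In a deployment the rows would come from osquery's scheduled-query results rather than `SAMPLE_EVENTS`, and the parent pid is worth keeping in the alert so the launching process can be examined during triage.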
Categories
- macOS
- Endpoint
Data Sources
- Script
- User Account
- Process
ATT&CK Techniques
- T1059.002
Created: 2025-04-25