
Summary
This detection rule identifies the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool MeshAgent on macOS systems. MeshAgent is widely used by IT staff for legitimate remote assistance and system management. Attackers abuse the same software for persistent remote control of a compromised host and rename the binary so that detections keyed on the expected process name do not fire. The rule inspects process creation (start) events on macOS and keys on a MeshAgent-specific command-line switch, '--meshServiceName', which still appears on the command line even when the executable has been renamed. The detection logic pairs that switch with the executable name: a process start whose arguments carry '--meshServiceName' but whose name does not contain 'meshagent' is flagged, while a normally named MeshAgent invocation is not. The rule therefore alerts on executions that do not match the standard operation of MeshAgent, helping to surface RMM abuse that relies on renaming to evade name-based detection. Because the logic is argument-based, a MeshAgent copy started without that switch, or a binary that is merely renamed but not executed, will not trigger it.
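The detection logic described above, reimplemented as a small Python function and run over constructed sample process events. This is an added illustration, not the rule's own query or the vendor's code; the field names (process.name, process.args, host.os.type, event.category, event.type) and the sample events are assumptions chosen to resemble endpoint process telemetry, and the exact matching behaviour of the real rule (for example how the switch is matched when it is passed as a separate argument) is inferred from the summary rather than copied from it.

```python
"""Hypothetical reimplementation of the renamed-MeshAgent detection logic.

All events below are constructed examples, not real telemetry. Field names
follow an ECS-like flat layout and are assumptions for this illustration.
"""
from typing import Dict, List

# MeshAgent-specific switch named in the rule summary (matched case-insensitively).
MESH_SWITCH = "--meshservicename"
# Substring expected in the process name when MeshAgent has not been renamed.
MESH_NAME = "meshagent"


def is_renamed_meshagent(event: Dict) -> bool:
    """Return True when a macOS process start looks like a renamed MeshAgent.

    Criteria (inferred from the rule summary):
      * the event is a process start on macOS,
      * some argument begins with --meshServiceName (covers both
        '--meshServiceName=foo' and '--meshServiceName foo'), and
      * the executable name does not contain 'meshagent'.
    """
    if event.get("event.category") != "process" or event.get("event.type") != "start":
        return False
    if event.get("host.os.type") != "macos":
        return False
    args = [a.lower() for a in event.get("process.args", [])]
    has_switch = any(a.startswith(MESH_SWITCH) for a in args)
    name = event.get("process.name", "").lower()
    return has_switch and MESH_NAME not in name


def scan(events: List[Dict]) -> List[str]:
    """Return the process names of every event the rule would alert on."""
    return [e["process.name"] for e in events if is_renamed_meshagent(e)]


# Constructed sample events: two renamed agents, one legitimate agent, one
# legitimate agent with different letter case, one unrelated process, and one
# renamed agent on Linux that the macOS-only rule must ignore.
SAMPLE_EVENTS = [
    {
        "event.category": "process", "event.type": "start", "host.os.type": "macos",
        "process.name": "meshagent",
        "process.args": ["/usr/local/mesh_services/meshagent/meshagent",
                         "-install", "--meshServiceName=meshagent"],
    },
    {
        "event.category": "process", "event.type": "start", "host.os.type": "macos",
        "process.name": "com.apple.updatehelper",
        "process.args": ["/Users/Shared/.cache/com.apple.updatehelper",
                         "--meshServiceName=SystemUpdate", "-install"],
    },
    {
        "event.category": "process", "event.type": "start", "host.os.type": "macos",
        "process.name": "MeshAgent",
        "process.args": ["/Applications/MeshAgent", "--meshServiceName=MeshAgent"],
    },
    {
        "event.category": "process", "event.type": "start", "host.os.type": "macos",
        "process.name": "kernel_task_helper",
        "process.args": ["/private/tmp/kernel_task_helper",
                         "--meshServiceName", "helper", "-install"],
    },
    {
        "event.category": "process", "event.type": "start", "host.os.type": "macos",
        "process.name": "ssh",
        "process.args": ["ssh", "-N", "-R", "2222:localhost:22", "user@example.invalid"],
    },
    {
        "event.category": "process", "event.type": "start", "host.os.type": "linux",
        "process.name": "systemd-helper",
        "process.args": ["/opt/systemd-helper", "--meshServiceName=svc"],
    },
]

if __name__ == "__main__":
    for name in scan(SAMPLE_EVENTS):
        print(f"ALERT renamed MeshAgent candidate: {name}")
```

Running the block prints alerts only for com.apple.updatehelper and kernel_task_helper: the legitimate agent (in either letter case), the unrelated ssh tunnel and the Linux event all pass. The last case shows why the OS filter matters when the same query is reused across platforms, and the ssh case shows that the rule says nothing about other remote-access tooling.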
Categories
- macOS
- Endpoint
Data Sources
- Process
Created: 2025-05-19