
Summary
This detection rule monitors macOS endpoints for unauthorized attempts to add users to the admin group via the `sysadminctl` command-line utility. It matches process creation events whose command line invokes `sysadminctl` with the `-addUser` parameter together with `-admin`, the combination that creates a new user account and grants it administrative privileges in a single step. The rule exists to flag potential privilege escalation attempts that could lead to unauthorized access within the system, so that security teams can review the account creation promptly and respond before a newly created admin account is put to use. Expected administrative provisioning will also match, so alerts should be reconciled against approved account changes.
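The matching logic described above, run over a few constructed process-creation events (added example, not part of the original rule; the event field names and sample command lines are assumptions). It matches `-addUser` and `-admin` as whole argv tokens rather than substrings, because `sysadminctl` also accepts `-adminUser` and `-adminPassword`, which a plain "contains -admin" check would also hit.

```python
import shlex
from posixpath import basename

# Constructed process-creation events (not real telemetry), shaped like the
# fields a macOS EDR or unified-log collector would provide.
SAMPLE_EVENTS = [
    {"pid": 4011, "cmdline": "/usr/sbin/sysadminctl -addUser backup_svc "
                             "-fullName 'Backup Service' -password 'Pw1' -admin"},
    {"pid": 4012, "cmdline": "sysadminctl -addUser intern -password 'Pw2'"},
    {"pid": 4013, "cmdline": "sysadminctl -addUser svc -password 'Pw3' "
                             "-adminUser alice -adminPassword 'Pw4'"},
    {"pid": 4014, "cmdline": "sysadminctl -secureTokenOn bob -password 'Pw5'"},
    {"pid": 4015, "cmdline": "/usr/sbin/sysadminctl -admin -addUser helpdesk "
                             "-password 'Pw6'"},
]

def parse_argv(cmdline: str) -> list[str]:
    """Split a logged command line into argv; fall back to whitespace splitting
    when quoting is unbalanced, which happens with truncated log fields."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()

def is_admin_user_creation(cmdline: str) -> bool:
    """Match only when argv[0] is sysadminctl (any path) and both -addUser and
    -admin appear as whole tokens, in any order."""
    argv = parse_argv(cmdline)
    if not argv or basename(argv[0]) != "sysadminctl":
        return False
    flags = {tok for tok in argv[1:] if tok.startswith("-")}
    return "-addUser" in flags and "-admin" in flags

def naive_substring_match(cmdline: str) -> bool:
    """Plain 'contains' check, kept for comparison: '-admin' is a prefix of
    the -adminUser/-adminPassword options, so it over-matches (pid 4013)."""
    return all(s in cmdline for s in ("sysadminctl", "-addUser", "-admin"))

def find_alerts(events, matcher=is_admin_user_creation) -> list[int]:
    """Return the pids of the events the given matcher flags."""
    return [e["pid"] for e in events if matcher(e["cmdline"])]

if __name__ == "__main__":
    print("token match:    ", find_alerts(SAMPLE_EVENTS))
    print("substring match:", find_alerts(SAMPLE_EVENTS, naive_substring_match))
```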
Categories
- macOS
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1078.003
Created: 2023-03-19