Discovery Command Output Written to Suspicious File

Elastic Detection Rules

Summary
This detection rule monitors macOS systems for a sequence of behavior indicative of malicious activity: a discovery command such as `whoami`, `ifconfig`, or `system_profiler` is executed from an interactive shell and, within 15 seconds, the same process modifies a suspicious file. This pattern is typically associated with malware that performs reconnaissance and then exfiltrates the collected data over its C2 channel. The rule is designed to identify compromises in which adversaries use legitimate commands to gather system information and redirect the output to unusual locations, such as hidden files or directories like `/tmp` or `/Users/Shared`, staging it for later data theft. The rule includes a triage and analysis section that outlines investigation steps, possible false positives, and recommended response procedures, so that analysts can validate genuine threats while minimizing operational disruption.
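The sequence logic described above, as an added illustration that is not Elastic's rule code: a small Python correlator that ties a discovery process start to a later file modification by the same pid and alerts only when the write lands in a suspicious location within the 15 second window. The command names and staging directories come from the summary; the interactive shell names, event field layout and sample telemetry are assumptions constructed for this example.

```python
# Added example, not Elastic's own rule code: a small correlator that reproduces the
# rule's sequence logic over constructed process/file events keyed by pid. Command
# names and directories come from the summary; shell names and event fields are assumed.
DISCOVERY_COMMANDS = {"whoami", "ifconfig", "system_profiler"}
INTERACTIVE_SHELLS = {"bash", "zsh", "sh"}  # assumed parent process names
SUSPICIOUS_DIRS = ("/tmp/", "/Users/Shared/")
WINDOW_SECONDS = 15


def is_suspicious_path(path: str) -> bool:
    """Hidden file or directory anywhere in the path, or anything under the staging dirs."""
    return path.startswith(SUSPICIOUS_DIRS) or any(p.startswith(".") for p in path.split("/"))


def correlate(events: list[dict]) -> list[dict]:
    """Alert when a discovery command launched from an interactive shell modifies
    a suspicious file within WINDOW_SECONDS; 'category' is 'process' (start)
    or 'file' (modification), and the two are tied together by pid."""
    pending = {}  # pid -> discovery process-start event awaiting a file write
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] == "process":
            if ev["name"] in DISCOVERY_COMMANDS and ev["parent"] in INTERACTIVE_SHELLS:
                pending[ev["pid"]] = ev
            continue
        start = pending.get(ev["pid"])
        if start is None or not is_suspicious_path(ev["path"]):
            continue
        delay = ev["ts"] - start["ts"]
        if 0 <= delay <= WINDOW_SECONDS:
            alerts.append({"pid": ev["pid"], "command": start["name"],
                           "path": ev["path"], "delay": delay})
            del pending[ev["pid"]]  # one alert per discovery process
    return alerts

# Constructed sample telemetry (ts in seconds). Only pid 501 should fire: 502 writes a
# normal path, 503 was not launched from a shell, 504 writes outside the 15 s window.
SAMPLE_EVENTS = [
    {"category": "process", "ts": 100.0, "pid": 501, "name": "whoami", "parent": "zsh"},
    {"category": "file", "ts": 103.5, "pid": 501, "path": "/Users/Shared/.sysinfo"},
    {"category": "process", "ts": 200.0, "pid": 502, "name": "ifconfig", "parent": "zsh"},
    {"category": "file", "ts": 201.0, "pid": 502, "path": "/Users/alice/netinfo.txt"},
    {"category": "process", "ts": 300.0, "pid": 503, "name": "system_profiler", "parent": "launchd"},
    {"category": "file", "ts": 301.0, "pid": 503, "path": "/tmp/profile.txt"},
    {"category": "process", "ts": 400.0, "pid": 504, "name": "whoami", "parent": "bash"},
    {"category": "file", "ts": 420.0, "pid": 504, "path": "/tmp/.late"},
]

def run_sample() -> list[dict]:
    return correlate(SAMPLE_EVENTS)
```

Running `run_sample()` returns a single alert for pid 501 (`whoami` writing `/Users/Shared/.sysinfo` 3.5 s after launch); the other three pids show the benign cases an analyst would expect the rule to ignore.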
Categories
  • Endpoint
  • macOS
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1074
  • T1074.001
  • T1082
Created: 2026-01-30