
Persistence via a Hidden Plist Filename

Elastic Detection Rules

Summary
This detection rule identifies the creation of hidden property list (plist) files in the macOS LaunchAgents and LaunchDaemons directories, which adversaries can use to establish persistence by having a malicious program execute at user login or system startup. Because their names begin with a dot (.), these plist files do not appear in standard directory listings, which makes them particularly stealthy. The rule is scoped to macOS and uses EQL to match file paths under the specific system directories from which launchd loads LaunchAgents and LaunchDaemons. The detection logic explicitly excludes known benign patterns to minimize false positives. When it triggers, the alert prompts investigation of the context of the file creation and any associated malicious behavior, followed by remediation, which may include unloading or deleting the detected plist files and the binaries they reference.
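The summary above describes the rule's logic in prose; the following Python is an added illustration of that logic run over constructed file-creation events. It is not Elastic's rule (the real rule is written in EQL, and its exclusion list is not reproduced on this page). Assumptions: the launchd directories are the well-known macOS paths listed in LAUNCH_DIR_PATTERNS, the event field names (host.os.type, event.type, file.path) follow the Elastic Common Schema, and the single entry in BENIGN_EXCLUSIONS is a hypothetical placeholder standing in for whatever benign patterns the real rule excludes.

```python
import posixpath
import re

# launchd directories the rule summary refers to (well-known macOS paths).
# The per-user LaunchAgents directory is a regex so any /Users/<name>/ matches.
# Only files directly inside these directories count, not in subdirectories.
LAUNCH_DIR_PATTERNS = [
    re.compile(r"^/Users/[^/]+/Library/LaunchAgents/[^/]+$"),
    re.compile(r"^/Library/LaunchAgents/[^/]+$"),
    re.compile(r"^/Library/LaunchDaemons/[^/]+$"),
    re.compile(r"^/System/Library/LaunchAgents/[^/]+$"),
    re.compile(r"^/System/Library/LaunchDaemons/[^/]+$"),
]

# Hypothetical benign exclusions. The page says the rule excludes known benign
# patterns but does not list them, so this entry is a constructed placeholder.
BENIGN_EXCLUSIONS = [
    re.compile(r"^/Library/LaunchDaemons/\.com\.placeholder-vendor\.[^/]+\.plist$"),
]


def is_hidden_launch_plist(path: str) -> bool:
    """True if path is a dot-prefixed .plist directly inside a launchd directory
    and not covered by a benign exclusion."""
    name = posixpath.basename(path)
    if not (name.startswith(".") and name.endswith(".plist")):
        return False
    if not any(p.match(path) for p in LAUNCH_DIR_PATTERNS):
        return False
    return not any(p.match(path) for p in BENIGN_EXCLUSIONS)


def find_hidden_launch_plists(events):
    """Return file paths of macOS file-creation events that match the rule logic."""
    hits = []
    for ev in events:
        if ev.get("host", {}).get("os", {}).get("type") != "macos":
            continue
        if ev.get("event", {}).get("type") != "creation":
            continue
        path = ev.get("file", {}).get("path", "")
        if is_hidden_launch_plist(path):
            hits.append(path)
    return hits


def _event(os_type, action, path):
    # Minimal ECS-shaped event used only for the constructed samples below.
    return {"host": {"os": {"type": os_type}}, "event": {"type": action}, "file": {"path": path}}


# Constructed sample events (not real telemetry); one per branch of the logic.
SAMPLE_EVENTS = [
    _event("macos", "creation", "/Users/alice/Library/LaunchAgents/.com.sample.updater.plist"),  # hit
    _event("macos", "creation", "/Library/LaunchDaemons/com.sample.agent.plist"),      # visible name
    _event("macos", "creation", "/Library/LaunchAgents/.notes.txt"),                   # hidden, not a plist
    _event("macos", "creation", "/tmp/.com.sample.plist"),                             # outside launchd dirs
    _event("macos", "modification", "/Library/LaunchDaemons/.com.sample.plist"),       # not a creation
    _event("linux", "creation", "/Library/LaunchDaemons/.com.sample.plist"),           # not macOS
    _event("macos", "creation", "/Library/LaunchDaemons/.com.placeholder-vendor.sync.plist"),  # excluded
]

if __name__ == "__main__":
    for hit in find_hidden_launch_plists(SAMPLE_EVENTS):
        print("ALERT hidden launchd plist created:", hit)
```

Only the first sample event produces an alert; the rest each exercise one of the conditions the summary names (visible filename, non-plist, wrong directory, non-creation event, non-macOS host, benign exclusion). When tuning a rule like this, the exclusion list is the part to review most carefully, since an overly broad pattern silently suppresses real hits.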
Categories
  • macOS
  • Endpoint
Data Sources
  • File
ATT&CK Techniques
  • T1547
  • T1547.011
  • T1543
  • T1543.001
  • T1564
  • T1564.001
Created: 2026-01-30