
Summary
This detection rule identifies modifications to macOS screensaver plist files by unexpected or potentially malicious processes. Adversaries often exploit these plist files for persistence by registering a malicious screensaver (.saver bundle) that executes code when the screensaver activates. The rule uses EQL (Event Query Language) to find plist file changes made by processes other than those that normally manage or modify plist files. The query flags modifications to files matching 'com.apple.screensaver.*.plist' in the locations where macOS typically stores these configurations. If the modifying process lacks a trusted code signature or is a known script interpreter, an alert is raised. Trusted components that are expected to make such changes are filtered out, so the rule focuses on potentially illegitimate activity.
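To make the rule's three conditions concrete (scope: a screensaver plist path; signal: untrusted signature or script interpreter; allowlist: expected system writers), here is an added Python re-implementation of that logic run over constructed sample file events. It is not the rule's own EQL and not code from the rule's authors: the directory globs, the interpreter list, the allowlist and the ECS-style field names are assumptions chosen for illustration.

```python
"""Toy re-implementation (Python, not EQL) of the screensaver plist detection
logic. Field names mirror ECS-style event data but are assumptions; the
path globs, interpreter list and allowlist are constructed for illustration."""
import fnmatch
import re
from dataclasses import dataclass

# Assumed locations where macOS keeps screensaver preferences; the rule
# summary names only the 'com.apple.screensaver.*.plist' filename pattern.
SCREENSAVER_PLIST_GLOBS = (
    "/Users/*/Library/Preferences/ByHost/com.apple.screensaver.*.plist",
    "/Users/*/Library/Preferences/com.apple.screensaver.*.plist",
    "/Library/Preferences/com.apple.screensaver.*.plist",
)

# Event actions treated as a "change" to the file (assumption).
CHANGE_ACTIONS = {"modification", "creation"}

# Script interpreters whose writes to these files always warrant an alert
# (constructed list) and signed components expected to write them
# (constructed allowlist).
SCRIPT_INTERPRETERS = {"python", "perl", "ruby", "osascript", "sh", "bash", "zsh"}
EXPECTED_WRITERS = {"cfprefsd", "ScreenSaverEngine", "System Preferences", "System Settings"}


@dataclass(frozen=True)
class FileEvent:
    """One file event as an endpoint sensor might report it."""
    action: str              # event.action
    path: str                # file.path
    process_name: str        # process.name
    signature_trusted: bool  # process.code_signature.trusted


def is_screensaver_plist(path: str) -> bool:
    """Scope check: does the path match one of the monitored plist locations?"""
    return any(fnmatch.fnmatch(path, pattern) for pattern in SCREENSAVER_PLIST_GLOBS)


def is_script_interpreter(name: str) -> bool:
    """Signal check; strips version suffixes such as 'python3.11' before lookup."""
    base = re.sub(r"[\d.]+$", "", name.lower())
    return base in SCRIPT_INTERPRETERS


def is_suspicious(event: FileEvent) -> bool:
    """Apply the rule's conditions in order: scope, signal, then allowlist."""
    if event.action not in CHANGE_ACTIONS or not is_screensaver_plist(event.path):
        return False
    signal = (not event.signature_trusted) or is_script_interpreter(event.process_name)
    if not signal:
        return False
    # Expected system components are filtered out even when they look like a hit.
    return event.process_name not in EXPECTED_WRITERS


def detect(events):
    """Return one alert record per suspicious event, in input order."""
    return [
        {"path": e.path, "process": e.process_name, "trusted": e.signature_trusted}
        for e in events
        if is_suspicious(e)
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent("modification",
              "/Users/alice/Library/Preferences/ByHost/com.apple.screensaver.0000.plist",
              "cfprefsd", True),        # normal system write: no alert
    FileEvent("modification",
              "/Users/alice/Library/Preferences/ByHost/com.apple.screensaver.0000.plist",
              "osascript", True),       # Apple-signed, but a script interpreter: alert
    FileEvent("modification",
              "/Library/Preferences/com.apple.screensaver.0000.plist",
              "updater", False),        # unsigned third-party binary: alert
    FileEvent("modification",
              "/Users/alice/Library/Preferences/com.apple.dock.plist",
              "updater", False),        # different plist, out of scope: no alert
    FileEvent("modification",
              "/Users/alice/Library/Preferences/com.apple.screensaver.0000.plist",
              "python3.11", False),     # unsigned interpreter: alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints three alerts (osascript, updater, python3.11); the cfprefsd write and the unrelated Dock plist are dropped by the allowlist and scope checks respectively. In a real deployment the allowlist is the part to tune: each signed component you add to it is a process whose writes will never be seen, so keep it short and specific.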
Categories
- macOS
- Endpoint
Data Sources
- File
- Process
ATT&CK Techniques
- T1546
Created: 2021-10-05