CrowdStrike MacOS plutil Novel Plist Modification (Anomaly Detection)

Panther Rules

Summary
The CrowdStrike MacOS plutil Novel Plist Modification rule identifies anomalous modifications to plist files on macOS hosts made through the 'plutil' command. It fires when a modifying operation (insert, replace, remove, create) targets a plist file that has not been modified in the past 30 days. Read-only operations such as convert, print, or lint are excluded, which substantially reduces false positives and keeps the rule focused on potential persistence through plist files. Because the detection is behavioral, security teams can concentrate on novel activity rather than on frequent, legitimate modifications, particularly in sensitive locations such as /Applications/ and the LaunchAgents and LaunchDaemons directories. The rule carries a medium severity rating and a 24-hour deduplication period, so monitoring stays effective without a flood of alerts. An accompanying runbook gives actionable steps for verification and incident response when a modification looks suspicious, including assessing the user context and performing digital forensic analysis of the plist for malicious content.
Categories
  • macOS
  • Endpoint
  • Application
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1547
  • T1547.011
Created: 2026-02-19