diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 7e812ab2871..8a98f97b534 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index 19403ba0533..8304e95eccf 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 5722fd0236e..cbadd3c9f5c 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -282,5 +282,8 @@
   "metrics-*": {
     "system.process.cpu.total.norm.pct": "double",
     "system.cpu.total.norm.pct": "double"
+  },
+  "logs-unified_logs.log-*": {
+    "message": "keyword"
   }
 }
diff --git a/hunting/macos/docs/execution_do_shell_script_via_apple_events.md b/hunting/macos/docs/execution_do_shell_script_via_apple_events.md
new file mode 100644
index 00000000000..aaafdf7c374
--- /dev/null
+++ b/hunting/macos/docs/execution_do_shell_script_via_apple_events.md
@@ -0,0 +1,45 @@
+# Do Shell Script Execution via Apple Events
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt identifies `do shell script` execution via AppleScript using macOS Unified Logs Apple Event telemetry. The Apple Event type `syso,exec` corresponds to the `do shell script` command, which allows AppleScript to execute arbitrary shell commands. While `do shell script` has many legitimate uses, it is heavily abused by macOS stealers to run shell commands for reconnaissance, credential theft, data exfiltration, and payload execution. This hunt returns hosts and event counts for `syso,exec` Apple Events, enabling analysts to identify unusual volumes of shell execution via AppleScript.
+
+- **UUID:** `447987db-4501-416b-b3b3-9176871a6b20`
+- **Integration:** [unified_logs](https://docs.elastic.co/integrations/unified_logs)
+- **Language:** `[ES|QL]`
+- **Source File:** [Do Shell Script Execution via Apple Events](../queries/execution_do_shell_script_via_apple_events.toml)
+
+## Query
+
+```sql
+FROM logs-unified_logs.log-*
+| WHERE @timestamp > NOW() - 7 day
+| WHERE host.os.type == "macos" AND event.dataset == "unified_logs.log" AND message LIKE "*syso,exec*"
+| STATS event_count = COUNT(*), first_seen = MIN(@timestamp), last_seen = MAX(@timestamp) BY host.name
+| WHERE event_count >= 3
+| SORT event_count DESC
+```
+
+## Notes
+
+- This hunt returns hosts with `syso,exec` Apple Events aggregated by host and count, sorted by highest count.
+- A high volume of `do shell script` executions from a single host may indicate automated malicious activity or stealer malware running shell commands in bulk.
+- Pivot by `host.name` and review the `message` field contents to understand what shell commands are being executed.
+- Correlate with other Apple Event types (`syso,dlog`, `Jons,gClp`, `syso,ntoc`) on the same host to identify potential stealer activity chains.
+- If private data is enabled in Unified Logs, the `message` field may contain the actual shell command being executed, providing additional triage context.
+
+## MITRE ATT&CK Techniques
+
+- [T1059.002](https://attack.mitre.org/techniques/T1059/002)
+
+## References
+
+- https://pberba.github.io/security/2026/02/21/aemonitor/
+- https://www.elastic.co/docs/reference/integrations/unifiedlogs
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml b/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml
new file mode 100644
index 00000000000..175d6b44e6d
--- /dev/null
+++ b/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml
@@ -0,0 +1,37 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt identifies `do shell script` execution via AppleScript using macOS Unified Logs Apple Event telemetry. The Apple
+Event type `syso,exec` corresponds to the `do shell script` command, which allows AppleScript to execute arbitrary shell
+commands. While `do shell script` has many legitimate uses, it is heavily abused by macOS stealers to run shell commands
+for reconnaissance, credential theft, data exfiltration, and payload execution. This hunt returns hosts and event counts
+for `syso,exec` Apple Events, enabling analysts to identify unusual volumes of shell execution via AppleScript. This
+detection leverages the `com.apple.appleevents` subsystem debug logs and does not require private data enablement.
+"""
+integration = ["unifiedlogs"]
+uuid = "447987db-4501-416b-b3b3-9176871a6b20"
+name = "Do Shell Script Execution via Apple Events"
+language = ["ES|QL"]
+license = "Elastic License v2"
+notes = [
+    "This hunt returns hosts with `syso,exec` Apple Events aggregated by host and count, sorted by highest count.",
+    "A high volume of `do shell script` executions from a single host may indicate automated malicious activity or stealer malware running shell commands in bulk.",
+    "Pivot by `host.name` and review the `message` field contents to understand what shell commands are being executed.",
+    "Correlate with other Apple Event types (`syso,dlog`, `Jons,gClp`, `syso,ntoc`) on the same host to identify potential stealer activity chains.",
+    "If private data is enabled in Unified Logs, the `message` field may contain the actual shell command being executed, providing additional triage context.",
+]
+mitre = ["T1059.002"]
+query = [
+'''
+FROM logs-unifiedlogs.unifiedlogs-*
+| WHERE @timestamp > NOW() - 7 day
+| WHERE host.os.type == "macos" AND event.dataset == "unifiedlogs.log" AND apple_event.type_code == "syso,exec"
+| STATS event_count = COUNT(*), first_seen = MIN(@timestamp), last_seen = MAX(@timestamp) BY host.name
+| WHERE event_count >= 3
+| SORT event_count DESC
+'''
+]
+references = [
+    "https://pberba.github.io/security/2026/02/21/aemonitor/",
+    "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
diff --git a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
new file mode 100644
index 00000000000..68b545d6c3f
--- /dev/null
+++ b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
@@ -0,0 +1,99 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unifiedlogs"]
+maturity = "production"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects clipboard data access via AppleScript using macOS Unified Logs Apple Event telemetry. The Apple Event type
+`Jons,gClp` corresponds to the `the clipboard` or `get the clipboard` AppleScript command, which retrieves the contents
+of the system clipboard. macOS stealers commonly access clipboard data to harvest cryptocurrency wallet addresses,
+passwords, sensitive tokens, or other data the user has recently copied. This detection leverages the
+`com.apple.appleevents` subsystem debug logs and does not require private data enablement.
+"""
+false_positives = [
+    """
+    Clipboard manager applications, productivity tools, and text processing utilities may legitimately access clipboard
+    contents via AppleScript. Review the source process and context to determine if the activity is expected.
+    """,
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Clipboard Access via AppleScript"
+note = """## Triage and analysis
+
+### Investigating Clipboard Access via AppleScript
+
+This rule detects the `Jons,gClp` Apple Event, which indicates an AppleScript accessed the system clipboard. Clipboard access is a common technique used by macOS stealers to harvest sensitive data such as cryptocurrency wallet addresses, passwords, or tokens.
+
+### Possible investigation steps
+
+- Review the `message` field for the full Apple Event debug output to understand the clipboard access context.
+- Identify the source process by correlating timestamps with process execution logs from Elastic Defend or other endpoint telemetry.
+- Look for related Apple Events on the same host, such as `syso,exec` (shell execution) or network connections, which may indicate exfiltration of clipboard contents.
+- Check for recent `syso,dlog` (display dialog) events that may indicate a fake prompt was used to trick the user into copying sensitive data.
+- Review the host for known stealer malware indicators, unauthorized scripts, or recently modified files.
+- Check if the clipboard access coincides with the user interacting with sensitive applications (password managers, cryptocurrency wallets, banking sites).
+
+### False positive analysis
+
+- Clipboard manager applications (e.g., Paste, CopyClip) frequently access clipboard contents.
+- Productivity tools and text editors with clipboard integration may trigger this rule.
+- Automation workflows (Shortcuts, Automator) that process clipboard data.
+
+### Response and remediation
+
+- If clipboard access is determined to be malicious, assume sensitive data may have been captured and take appropriate action (rotate credentials, move cryptocurrency funds, etc.).
+- Isolate the affected host and investigate the full attack chain.
+- Remove any malicious scripts, applications, or persistence mechanisms.
+"""
+references = [
+    "https://pberba.github.io/security/2026/02/21/aemonitor/",
+    "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
+risk_score = 47
+rule_id = "28fd38cf-43c0-4904-b756-8ed9694e8f13"
+severity = "medium"
+tags = [
+    "Domain: macOS",
+    "Data Source: macOS Unified Logs",
+    "Data Source: Unified Logs",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Tactic: Collection",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
+| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND apple_event.type_code == "Jons,gClp"
+| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, apple_event.type_code, message
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1115"
+name = "Clipboard Data"
+reference = "https://attack.mitre.org/techniques/T1115/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[rule.investigation_fields]
+field_names = [
+    "host.name",
+    "host.id",
+    "message",
+    "apple_event.type_code",
+    "event.dataset",
+    "process.name",
+    "process.executable",
+    "user.name",
+]
diff --git a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
new file mode 100644
index 00000000000..a33cefcb459
--- /dev/null
+++ b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
@@ -0,0 +1,108 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unifiedlogs"]
+maturity = "production"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the use of AppleScript's `display dialog` with hidden text input (`htxt=true`) via macOS Unified Logs Apple Event
+telemetry. The Apple Event type `syso,dlog` corresponds to the AppleScript `display dialog` command, and the `htxt=true`
+parameter indicates the dialog is configured to mask user input, which is characteristic of a password prompt. While this
+pattern has legitimate uses in authentication workflows and IT tooling, it is also commonly abused by macOS stealers to
+present deceptive credential harvesting dialogs. Triage should focus on identifying the source process and determining
+whether the prompt is part of an expected application workflow. This detection leverages the `com.apple.appleevents`
+subsystem debug logs and does not require private data enablement.
+"""
+false_positives = [
+    """
+    Legitimate applications or scripts may use `display dialog` with hidden text input for password prompts. Review the
+    source process and the context of the dialog to determine if the activity is expected. Common legitimate uses include
+    IT administration scripts, password managers, or application authentication flows.
+    """,
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Hidden Text Password Prompt via AppleScript"
+note = """## Triage and analysis
+
+### Investigating Hidden Text Password Prompt via AppleScript
+
+This rule detects AppleScript `display dialog` commands configured with hidden text input. The Apple Event `syso,dlog` with `htxt=true` in macOS Unified Logs indicates a dialog box designed to capture sensitive input such as passwords. This pattern has legitimate uses but is also a known technique used by macOS stealers to harvest credentials via deceptive prompts.
+
+### Possible investigation steps
+
+- Review the `message` field to examine the full Apple Event debug output, including any dialog text (`dtxt`) that may reveal the prompt message shown to the user.
+- Identify the source process responsible for the Apple Event by correlating timestamps with process execution logs from Elastic Defend or other endpoint telemetry.
+- Check for related Apple Events in the same time window from the same host, such as `syso,exec` (do shell script) or network activity, which may indicate post-credential-harvest exfiltration.
+- Investigate whether the dialog text references system-level prompts (e.g., "System Preferences", "Keychain", "macOS Update") commonly impersonated by stealers.
+- Review the host for recently installed or modified applications, scripts, or LaunchAgents that could be the source of the AppleScript execution.
+
+### False positive analysis
+
+- IT administration tools may use AppleScript dialogs for legitimate authentication workflows. Verify the source application and whether it is part of standard IT tooling.
+- Password managers or security tools may trigger this pattern when prompting for master passwords.
+- Developer or automation scripts may use `display dialog` with hidden input for internal tooling.
+
+### Response and remediation
+
+- If the prompt is determined to be malicious, immediately isolate the affected host to prevent credential exfiltration.
+- Reset any credentials that may have been entered into the dialog.
+- Identify and remove the malicious script, application, or persistence mechanism responsible for the prompt.
+- Check for lateral movement or additional compromised hosts using the same technique.
+- Review endpoint telemetry for evidence of data exfiltration following the credential capture.
+"""
+references = [
+    "https://pberba.github.io/security/2026/02/21/aemonitor/",
+    "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
+risk_score = 47
+rule_id = "699f3a9b-4e4c-43ce-b612-04580766c69f"
+severity = "medium"
+tags = [
+    "Domain: macOS",
+    "Data Source: macOS Unified Logs",
+    "Data Source: Unified Logs",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Tactic: Credential Access",
+    "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
+| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND apple_event.type_code == "syso,dlog"
+  AND apple_event.parameters == "htxt"
+| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, apple_event.type_code, apple_event.parameters, message
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1056"
+name = "Input Capture"
+reference = "https://attack.mitre.org/techniques/T1056/"
+[[rule.threat.technique.subtechnique]]
+id = "T1056.002"
+name = "GUI Input Capture"
+reference = "https://attack.mitre.org/techniques/T1056/002/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.investigation_fields]
+field_names = [
+    "host.name",
+    "host.id",
+    "message",
+    "event.dataset",
+    "process.name",
+    "process.executable",
+    "user.name",
+]
diff --git a/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
new file mode 100644
index 00000000000..154f4b16acb
--- /dev/null
+++ b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
@@ -0,0 +1,120 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unifiedlogs"]
+maturity = "production"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects AppleScript ASCII character obfuscation followed by script execution via macOS Unified Logs Apple Event
+telemetry. The Apple Event type `syso,ntoc` corresponds to the AppleScript `ASCII character` function, which converts
+integer values to characters. When multiple `syso,ntoc` events are observed in rapid succession followed by `syso,exec`
+(do shell script) or `syso,dsct` (run script), it indicates an attacker is building obfuscated command strings
+character-by-character before execution. This is a common evasion technique used by macOS stealers to bypass static
+string-based detection of malicious commands. This detection leverages the `com.apple.appleevents` subsystem debug logs
+and does not require private data enablement.
+"""
+false_positives = [
+    """
+    Some legitimate AppleScript-based tools or utilities may use ASCII character conversion for text processing. However,
+    the combination of repeated ASCII character conversions followed by shell execution is uncommon in legitimate usage.
+    Review the source process and context to determine if the activity is expected.
+    """,
+]
+from = "now-9m"
+index = ["logs-unifiedlogs.unifiedlogs-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "AppleScript ASCII Character Obfuscation and Shell Execution"
+note = """## Triage and analysis
+
+### Investigating AppleScript ASCII Character Obfuscation and Shell Execution
+
+This rule detects a pattern where multiple AppleScript `ASCII character` conversions (`syso,ntoc` events) are followed by script or shell execution. This technique is used by macOS stealers to evade detection by building malicious command strings one character at a time instead of using plaintext strings.
+
+### Possible investigation steps
+
+- Review the `message` fields across the sequence to understand what characters were being converted (the integer values may reveal the reconstructed command).
+- Identify the source process by correlating timestamps with process execution logs from Elastic Defend or other endpoint telemetry.
+- Look for the resulting `syso,exec` or `syso,dsct` event to understand what command was ultimately executed.
+- Check for network connections, file writes, or credential access events following the execution.
+- Review the host for known stealer malware indicators, unauthorized `.scpt` files, or recently modified LaunchAgents/LaunchDaemons.
+- Attempt to reconstruct the obfuscated command by collecting all `syso,ntoc` events in the sequence and mapping the integer parameters to ASCII characters.
+
+### False positive analysis
+
+- Legitimate text processing scripts that convert character codes are uncommon but possible. The key differentiator is the sequence of multiple conversions followed by shell execution.
+- Developer tools that generate or transform text using ASCII values may trigger this rule if they also execute the result.
+
+### Response and remediation
+
+- If the obfuscated command is determined to be malicious, immediately isolate the affected host.
+- Identify and remove the source script or application responsible for the obfuscated execution.
+- Review what was executed via the `syso,exec`/`syso,dsct` event and assess the impact (credential theft, data exfiltration, persistence, etc.).
+- Check for persistence mechanisms installed by the executed payload.
+"""
+references = [
+    "https://pberba.github.io/security/2026/02/21/aemonitor/",
+    "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
+risk_score = 47
+rule_id = "4c37d695-95e2-4ed8-a567-8a24f28a1028"
+severity = "medium"
+tags = [
+    "Domain: macOS",
+    "Data Source: macOS Unified Logs",
+    "Data Source: Unified Logs",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence by host.id with maxspan=30s
+  [any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "syso,ntoc"] with runs=5
+  [any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and
+    apple_event.type_code in ("syso,exec", "syso,dsct")]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.investigation_fields]
+field_names = [
+    "host.name",
+    "host.id",
+    "message",
+    "event.dataset",
+    "process.name",
+    "process.executable",
+    "user.name",
+]
diff --git a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
new file mode 100644
index 00000000000..99474760eed
--- /dev/null
+++ b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
@@ -0,0 +1,128 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unifiedlogs"]
+maturity = "production"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects AppleScript `run script` execution referencing a hidden file in a common staging directory via macOS Unified Logs
+Apple Event telemetry. The Apple Event type `syso,dsct` corresponds to the `run script` command. This rule matches
+UTF-16LE hex-encoded paths for hidden files (dot-prefixed) in `/tmp/`, `/private/tmp/`, `/var/tmp/`, and `/Users/Shared/`.
+macOS stealers commonly stage obfuscated or secondary-stage scripts as hidden files in these world-writable directories
+before executing them via `run script` to evade casual inspection and file-based detection. This detection leverages the
+`com.apple.appleevents` subsystem debug logs and does not require private data enablement.
+"""
+false_positives = [
+    """
+    Legitimate applications rarely use `run script` to execute hidden files from temporary or shared directories. If this
+    activity is observed, investigate the source process and the contents of the referenced file. Automated build or CI/CD
+    processes running on macOS endpoints may occasionally use temporary hidden files for script staging.
+    """,
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "AppleScript Run Script from Hidden File in Staging Directory"
+note = """## Triage and analysis
+
+### Investigating AppleScript Run Script from Hidden File in Staging Directory
+
+This rule detects the `run script` AppleScript command (`syso,dsct` Apple Event) targeting a hidden file in common staging directories (`/tmp/`, `/private/tmp/`, `/var/tmp/`, `/Users/Shared/`). The path appears in the Apple Event debug output as a UTF-16LE hex-encoded string. Stealers commonly write obfuscated or secondary-stage scripts as hidden files in these world-writable directories before executing them.
+
+### Possible investigation steps
+
+- Review the `message` field to extract the full hex-encoded file path and decode it to identify the exact hidden file being executed.
+- Check if the hidden file still exists on disk at the decoded path (e.g., `/tmp/.payload.scpt`, `/Users/Shared/.stage2.scpt`) and analyze its contents.
+- Identify the source process by correlating timestamps with process execution logs from Elastic Defend or other endpoint telemetry.
+- Look for preceding file write events to the staging directory that created the hidden file, particularly from `curl`, `wget`, `osascript`, or other download/scripting tools.
+- Check for subsequent Apple Events such as `syso,exec` (shell execution), `Jons,gClp` (clipboard access), or `syso,dlog` (dialog display) that may indicate the payload's actions.
+- Review network connections from the host around the time of execution for data exfiltration indicators.
+
+### False positive analysis
+
+- Legitimate use of `run script` with hidden files in temporary or shared directories is very uncommon. This pattern is a strong indicator of malicious activity.
+- Some development or build tools may stage scripts in these directories but rarely as hidden files.
+
+### Response and remediation
+
+- Immediately isolate the affected host as this is a strong indicator of active malware execution.
+- Recover and analyze the hidden script file before it is cleaned up.
+- Identify the full attack chain: how the file was created, what it executed, and what data may have been compromised.
+- Remove any persistence mechanisms and malicious files identified during investigation.
+"""
+references = [
+    "https://pberba.github.io/security/2026/02/21/aemonitor/",
+    "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
+risk_score = 47
+rule_id = "30c1662e-b7c7-4210-abd5-2a9a544cab78"
+severity = "medium"
+tags = [
+    "Domain: macOS",
+    "Data Source: macOS Unified Logs",
+    "Data Source: Unified Logs",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Tactic: Execution",
+    "Tactic: Defense Evasion",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
+| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos"
+  AND apple_event.type_code IN ("syso,dsct", "syso,exec")
+  AND (
+    apple_event.decoded_payloads LIKE "*/tmp/.*" OR
+    apple_event.decoded_payloads LIKE "*/private/tmp/.*" OR
+    apple_event.decoded_payloads LIKE "*/var/tmp/.*" OR
+    apple_event.decoded_payloads LIKE "*/Users/Shared/.*"
+  )
+| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, apple_event.type_code, apple_event.decoded_payloads, message
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+[[rule.threat.technique.subtechnique]]
+id = "T1564.001"
+name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1564/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[rule.investigation_fields]
+field_names = [
+    "host.name",
+    "host.id",
+    "message",
+    "event.dataset",
+    "process.name",
+    "process.executable",
+    "user.name",
+]
diff --git a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
new file mode 100644
index 00000000000..799e9eb33ca
--- /dev/null
+++ b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
@@ -0,0 +1,104 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unifiedlogs"]
+maturity = "production"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the use of AppleScript to mute the system volume via macOS Unified Logs Apple Event telemetry. The Apple Event
+type `aevt,stvl` corresponds to the `set volume` command, and the presence of `mute=true` indicates the system audio is
+being silenced. macOS stealers commonly mute the system volume before executing noisy operations (e.g., launching
+applications, playing audio, or triggering system sounds) to avoid alerting the user. This is a low-fidelity indicator
+that should be correlated with other suspicious AppleScript activity on the same host. This detection leverages the
+`com.apple.appleevents` subsystem debug logs and does not require private data enablement.
+"""
+false_positives = [
+    """
+    Legitimate applications, accessibility tools, or user automation scripts may use AppleScript to control system volume.
+    Media applications, presentation software, and meeting tools commonly adjust volume settings programmatically.
+    """,
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Volume Mute via AppleScript"
+note = """## Triage and analysis
+
+### Investigating Volume Mute via AppleScript
+
+This rule detects the `set volume` AppleScript command with mute parameter via Apple Event telemetry. While volume control is a common legitimate operation, it is frequently observed as a pre-indicator in macOS stealer malware that silences the system before performing noisy malicious operations.
+
+### Possible investigation steps
+
+- Review the `message` field for the full Apple Event debug output to confirm the mute operation details.
+- Correlate with other Apple Event activity on the same host within a short time window, particularly `syso,exec` (shell execution), `syso,dlog` (dialog display), or `Jons,gClp` (clipboard access).
+- Identify the source process responsible for the Apple Event by correlating timestamps with process execution logs.
+- Check for recently installed or modified applications, `.scpt` files, or osascript invocations on the host.
+- Look for subsequent suspicious activity such as credential harvesting, clipboard access, or data exfiltration.
+
+### False positive analysis
+
+- Media players, video conferencing tools, and presentation software commonly control volume programmatically.
+- Accessibility tools and hearing aid integrations may adjust volume settings.
+- User-created Automator workflows or Shortcuts that control system volume.
+
+### Response and remediation
+
+- If correlated with other suspicious AppleScript activity, treat as part of a potential stealer infection and investigate the full attack chain.
+- Isolate the host if additional indicators of compromise are identified.
+- Review and remove any unauthorized scripts, applications, or persistence mechanisms.
+"""
+references = [
+    "https://pberba.github.io/security/2026/02/21/aemonitor/",
+    "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
+risk_score = 21
+rule_id = "bd087b7b-3671-4f47-8db7-14e77635877a"
+severity = "low"
+tags = [
+    "Domain: macOS",
+    "Data Source: macOS Unified Logs",
+    "Data Source: Unified Logs",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Tactic: Execution",
+    "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
+| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND apple_event.type_code == "aevt,stvl"
+  AND apple_event.mute == true
+| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, apple_event.type_code, apple_event.mute, message
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.investigation_fields]
+field_names = [
+    "host.name",
+    "host.id",
+    "message",
+    "event.dataset",
+    "process.name",
+    "process.executable",
+    "user.name",
+]