Volume Mute via AppleScript
Detects the use of AppleScript to mute the system volume via macOS Unified Logs Apple Event telemetry. The Apple Event
type aevt,stvl corresponds to the set volume command, and the presence of mute=true indicates the system audio is
being silenced. macOS stealers commonly mute the system volume before executing noisy operations (e.g., launching
applications, playing audio, or triggering system sounds) to avoid alerting the user. This is a low-fidelity indicator
that should be correlated with other suspicious AppleScript activity on the same host. This detection leverages the
com.apple.appleevents subsystem debug logs and does not require private data enablement.
Rule type: esql
Rule indices:
Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:
- https://pberba.github.io/security/2026/02/21/aemonitor/
- https://www.elastic.co/docs/reference/integrations/unifiedlogs
Tags:
- Domain: macOS
- Data Source: macOS Unified Logs
- Data Source: Unified Logs
- Use Case: Threat Detection
- Resources: Investigation Guide
- Tactic: Execution
- Rule Type: BBR
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
This rule detects the set volume AppleScript command with the mute parameter via Apple Event telemetry. While volume control is a common legitimate operation, it is frequently observed as a pre-indicator in macOS stealer malware that silences the system before performing noisy malicious operations.
- Review the message field for the full Apple Event debug output to confirm the mute operation details.
- Correlate with other Apple Event activity on the same host within a short time window, particularly syso,exec (shell execution), syso,dlog (dialog display), or Jons,gClp (clipboard access).
- Identify the source process responsible for the Apple Event by correlating timestamps with process execution logs.
- Check for recently installed or modified applications, .scpt files, or osascript invocations on the host.
- Look for subsequent suspicious activity such as credential harvesting, clipboard access, or data exfiltration.
- Media players, video conferencing tools, and presentation software commonly control volume programmatically.
- Accessibility tools and hearing aid integrations may adjust volume settings.
- User-created Automator workflows or Shortcuts that control system volume.
- If correlated with other suspicious AppleScript activity, treat as part of a potential stealer infection and investigate the full attack chain.
- Isolate the host if additional indicators of compromise are identified.
- Review and remove any unauthorized scripts, applications, or persistence mechanisms.
FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND apple_event.type_code == "aevt,stvl"
AND apple_event.mute == true
| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, apple_event.type_code, apple_event.mute, message
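The following added example (not part of the Elastic rule or integration) mirrors the WHERE clause above in Python and then performs the correlation step from the investigation guide: a matching aevt,stvl mute event is flagged only when a suspicious follow-on Apple Event (syso,exec, syso,dlog or Jons,gClp) appears on the same host within a short window. The flat record layout, the 60-second window and the sample records are assumptions constructed for the example, not captured telemetry.

```python
from datetime import datetime, timedelta

# Follow-on Apple Event type codes the investigation guide asks to correlate.
SUSPICIOUS_FOLLOW_ON = {"syso,exec": "shell execution",
                        "syso,dlog": "dialog display",
                        "Jons,gClp": "clipboard access"}

def matches_rule(rec):
    """Mirror the ES|QL WHERE clause: macOS unified log, set volume event, mute=true."""
    return (rec.get("event.dataset") == "unifiedlogs.log"
            and rec.get("host.os.type") == "macos"
            and rec.get("apple_event.type_code") == "aevt,stvl"
            and rec.get("apple_event.mute") is True)

def correlate(records, window=timedelta(seconds=60)):
    """Return (host, mute_time, [follow-on codes]) for every rule match that is
    followed on the same host, within `window`, by a suspicious Apple Event."""
    by_time = sorted(records, key=lambda r: r["@timestamp"])
    hits = []
    for i, rec in enumerate(by_time):
        if not matches_rule(rec):
            continue
        t0 = rec["@timestamp"]
        follow = [r["apple_event.type_code"] for r in by_time[i + 1:]
                  if r["host.name"] == rec["host.name"]
                  and r["@timestamp"] - t0 <= window
                  and r["apple_event.type_code"] in SUSPICIOUS_FOLLOW_ON]
        if follow:
            hits.append((rec["host.name"], t0, follow))
    return hits

def _rec(host, ts, code, mute=None):
    """Build a flat record using the field names from the rule's KEEP clause (assumed layout)."""
    rec = {"event.dataset": "unifiedlogs.log", "host.os.type": "macos", "host.name": host,
           "@timestamp": datetime.fromisoformat(ts), "apple_event.type_code": code}
    if mute is not None:
        rec["apple_event.mute"] = mute
    return rec

# Constructed sample, not real telemetry: host-a mutes, then spawns a shell and reads
# the clipboard within a minute; host-b mutes and nothing suspicious follows in time.
SAMPLE = [
    _rec("host-a", "2026-02-21T10:00:00", "aevt,stvl", mute=True),
    _rec("host-a", "2026-02-21T10:00:07", "syso,exec"),
    _rec("host-a", "2026-02-21T10:00:20", "Jons,gClp"),
    _rec("host-b", "2026-02-21T10:05:00", "aevt,stvl", mute=True),
    _rec("host-b", "2026-02-21T10:30:00", "syso,dlog"),  # 25 min later: outside window
]
```

Calling correlate(SAMPLE) returns one hit for host-a only; host-b's mute stands alone and, as the guide notes for this low-fidelity rule, would not be escalated without further context.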
Framework: MITRE ATT&CK
Tactic:
- Name: Execution
- Id: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Command and Scripting Interpreter
- Id: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
Sub Technique:
- Name: AppleScript
- Id: T1059.002
- Reference URL: https://attack.mitre.org/techniques/T1059/002/