diff --git a/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml b/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml
new file mode 100644
index 000000000..3b5164f6e
--- /dev/null
+++ b/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml
@@ -0,0 +1,24 @@
+title: Osacompile Execution By Potentially Suspicious Applet/Osascript
+id: a753a6af-3126-426d-8bd0-26ebbcb92254
+status: experimental
+description: Detects potential suspicious applet or osascript executing "osacompile".
+references:
+ - https://redcanary.com/blog/mac-application-bundles/
+author: Sohan G (D4rkCiph3r), Red Canary (Idea)
+date: 2023/04/03
+tags:
+ - attack.execution
+ - attack.t1059.002
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ ParentImage|endswith:
+ - '/applet'
+ - '/osascript'
+ CommandLine|contains: 'osacompile'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
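Review bot: The `CommandLine|contains: 'osacompile'` selection matches any child of applet/osascript whose command line contains that substring anywhere, so an intermediate `sh -c` wrapper (which, if that is what the referenced Red Canary write-up describes, is presumably why CommandLine was chosen over `Image`) is caught, but so is any shell command that merely passes the word as an argument or data. The rule should state that trade-off so a later maintainer does not "tighten" it to `Image|endswith: '/osacompile'` and lose the shell-wrapped case; a comment above the selection such as `# CommandLine rather than Image so osacompile launched through an intermediate shell is still matched` would do. `falsepositives: - Unknown` also undersells what is already visible in the logic: AppleScript developers and build tooling that compile applets from osascript-driven scripts will trigger this, and naming that case (e.g. `- Legitimate AppleScript/applet build scripts invoked via osascript`) gives analysts a concrete triage starting point.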