From 1c2d605bb012377e4d146b81b915d8c05b0172d0 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sat, 29 Oct 2022 11:43:58 -0400
Subject: [PATCH] Include osacompile

---
 detection/execution/unexpected-osascript-calls.sql | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/detection/execution/unexpected-osascript-calls.sql b/detection/execution/unexpected-osascript-calls.sql
index 21d357c..f4236f8 100644
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
@@ -45,7 +45,7 @@ FROM
 LEFT JOIN signature ON pp.path = signature.path
 LEFT JOIN signature esignature ON ppe.path = esignature.path
 WHERE
- p.path = '/usr/bin/osascript'
+ p.path IN ('/usr/bin/osascript', '/usr/bin/osacompile')
 AND p.time > (strftime('%s', 'now') -60)
 AND exception_key NOT IN (
 ',,osascript',
@@ -65,5 +65,6 @@ WHERE
 )
 AND NOT cmd LIKE 'osascript -e set zoomStatus to "closed"%'
 AND NOT cmd LIKE 'osascript openChrome.applescript http://127.0.0.1:%'
+ AND NOT cmd LIKE '/usr/bin/osascript /Users/%/osx-trash/trashfile.AppleScript %'
 GROUP BY
 p.pid
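Review bot: The widened predicate `p.path IN ('/usr/bin/osascript', '/usr/bin/osacompile')` in the first hunk (`@@ -45,7 +45,7 @@`) carries no comment explaining why osacompile belongs in a rule whose file name and visible exceptions mention only osascript. I would add a line above it such as `-- osacompile compiles AppleScript into runnable scripts/applets, so it is tracked alongside osascript`. The one `exception_key` entry visible here ends in `osascript`; if that key embeds the process name (its definition is outside the hunk), none of the existing exceptions will apply to osacompile, so the expected alert volume for the new path is worth confirming. The SELECT and FROM parts of the query are outside the hunk.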
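Review bot: The new exclusion `cmd LIKE '/usr/bin/osascript /Users/%/osx-trash/trashfile.AppleScript %'` in the second hunk (`@@ -65,5 +65,6 @@`) suppresses the alert on command-line text alone, and that text points into a user-writable tree. Because `%` in LIKE also matches `/`, every path under /Users that ends in `osx-trash/trashfile.AppleScript` is exempt, not only the copy installed by the tool this exception was written for. I would narrow it by pairing it with a condition on the already-joined `pp` row (presumably the parent process; its join is outside the hunk), e.g. `AND NOT (cmd LIKE '/usr/bin/osascript /Users/%/osx-trash/trashfile.AppleScript %' AND pp.path = '<expected parent path>')`, with the placeholder replaced by the confirmed parent binary. Alternatively, express it through `exception_key` if that key already encodes parent or signature context. The rest of the WHERE clause lies outside the hunk.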