Merge pull request #32 from tstromberg/osascript

osascript: Add parent signing information
2024-12-14 01:54:32 +00:00 · 2022-10-24 11:10:59 -04:00 · 2022-10-24 11:10:59 -04:00 · d6e70ebcc3
commit d6e70ebcc3
parent ed84a59a66 a7c26908db
1 changed files with 11 additions and 10 deletions
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
@ -15,24 +15,25 @@ SELECT
  p.euid,
  p.parent,
  p.syscall,
  hash.sha256,
  pp.path AS parent_path,
  pp.name AS parent_name,
-  TRIM(p.cmdline) AS parent_cmd,
+  TRIM(pp.cmdline) AS parent_cmd,
  pp.euid AS parent_euid,
-  phash.sha256 AS parent_sha256
+  hash.sha256 AS parent_sha256,
  signature.identifier AS parent_identifier,
  signature.authority AS parent_auth,
  CONCAT(signature.identifier, ",", signature.authority, ",", SUBSTR(TRIM(p.cmdline), 0, 54)) AS exception_key
 FROM
  uptime,
  process_events p
  LEFT JOIN processes pp ON p.parent = pp.pid
-  LEFT JOIN hash ON p.path = hash.path
+  LEFT JOIN hash ON pp.path = hash.path
-  LEFT JOIN hash AS phash ON pp.path = phash.path
+  LEFT JOIN signature ON pp.path = signature.path
 WHERE
  p.path = '/usr/bin/osascript'
  AND p.time > (strftime('%s', 'now') -60)
-  AND NOT cmd LIKE 'osascript -e set zoomStatus%'
+  AND exception_key != 'com.vng.zalo,Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),osascript -ss'
-  AND NOT cmd LIKE 'osascript openChrome.applescript http://127.0.0.1:%'
+  AND cmd != 'osascript -e user locale of (get system info)'
-  AND NOT cmd IN (
+  AND NOT (
-    'osascript -e user locale of (get system info)',
+    exception_key='org.python.python,,osascript' AND parent_cmd LIKE '% /opt/homebrew/bin/jupyter-notebook'
    'osascript'
  )