Monitor New Processes Created On MacOS
Monitor new processes created on macOS, similar to https://github.com/DominicBreuker/pspy and https://objective-see.com/products/utilities.html. No dependencies required.
Why
Needed to monitor Jamf scripts' command-line arguments on Mac recently; Jamf API keys were being used in Jamf scripts that ran periodically. Using process monitor gathered curl args and got creds, which allowed full access to the Jamf server, allowing privesc.
BUT
ProcessMonitor requires root access, and pspy doesn't work on Mac because there is no /proc directory. Also, ps cannot really be rewritten, as it won't show root processes. So this Python script uses ps in a loop to gather processes, since ps has the SUID bit set by default and can see all processes.
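
The same snapshot-diffing idea can be turned into an audit of your own management scripts. This is an added example, not code from this project: it diffs two `ps` snapshots and reports new processes whose arguments carry a credential, with the secret redacted. The sample snapshots, host names and regex patterns are constructed assumptions.

```python
import re

# Constructed `ps -axo pid=,user=,command=` snapshots (all values are made up).
BEFORE = """\
    1 root   /sbin/launchd
  412 alice  /bin/zsh -l
"""
AFTER = BEFORE + """\
  977 root   /usr/bin/curl -s -u apiuser:EXAMPLE-PASSWORD https://jamf.example.invalid/api
  981 root   /usr/bin/curl -H Authorization: Bearer EXAMPLE-TOKEN https://jamf.example.invalid/api
  990 alice  /usr/bin/curl -s https://example.invalid/index.html
"""

# Assumed patterns: group 1 is kept, group 2 (the secret) is redacted.
PATTERNS = [
    re.compile(r"(?<!\S)((?:-u|--user)[ =]?[^\s:]+:)(\S+)"),
    re.compile(r"(Authorization:\s*(?:Bearer|Basic)\s+)(\S+)", re.I),
    re.compile(r"((?:password|passwd|token|api[_-]?key|secret)=)(\S+)", re.I),
]

def parse(snapshot):
    """Return a set of (pid, user, command) tuples from ps output."""
    procs = set()
    for line in snapshot.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            procs.add((int(parts[0]), parts[1], parts[2]))
    return procs

def redact(command):
    """Replace secret values; return (redacted_command, number_of_hits)."""
    hits = 0
    for pattern in PATTERNS:
        command, n = pattern.subn(lambda m: m.group(1) + "<redacted>", command)
        hits += n
    return command, hits

def audit(before, after):
    """List new processes whose arguments expose a credential."""
    findings = []
    for pid, user, command in sorted(parse(after) - parse(before)):
        safe, hits = redact(command)
        if hits:
            findings.append((pid, user, safe))
    return findings

if __name__ == "__main__":
    for pid, user, command in audit(BEFORE, AFTER):
        print(f"pid={pid} user={user} argv leaks a secret: {command}")
```

Scripts flagged this way should hand credentials to the child process through a protected file or stdin instead of its argument list.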
NOTE
It won't capture everything; it will miss processes that end quickly due to the nature of how