2022-09-24 15:12:23 +00:00
|
|
|
SELECT
|
|
|
|
|
p.pid,
|
|
|
|
|
p.name,
|
|
|
|
|
p.path,
|
|
|
|
|
f.mode,
|
|
|
|
|
f.uid,
|
|
|
|
|
f.gid,
|
|
|
|
|
hash.sha256,
|
|
|
|
|
pp.name AS parent_name,
|
|
|
|
|
pp.path AS parent_path,
|
|
|
|
|
pp.cmdline AS parent_cmd,
|
|
|
|
|
hash.sha256 AS parent_sha256
|
|
|
|
|
FROM
|
|
|
|
|
processes p
|
|
|
|
|
JOIN file f ON p.path = f.path
|
|
|
|
|
LEFT JOIN hash ON p.path = hash.path
|
|
|
|
|
LEFT JOIN processes pp ON pp.pid = p.parent
|
|
|
|
|
WHERE
|
|
|
|
|
f.mode NOT IN (
|
2022-09-14 14:51:56 +00:00
|
|
|
'0500',
|
|
|
|
|
'0544',
|
2022-09-08 21:58:56 +00:00
|
|
|
'0555',
|
2022-09-14 14:51:56 +00:00
|
|
|
'0711',
|
|
|
|
|
'0755',
|
2022-09-08 21:58:56 +00:00
|
|
|
'0775',
|
2022-09-24 15:07:34 +00:00
|
|
|
'6755',
|
|
|
|
|
'0700',
|
2022-09-14 14:51:56 +00:00
|
|
|
'2755',
|
2022-09-08 21:58:56 +00:00
|
|
|
'4511',
|
2022-09-14 14:51:56 +00:00
|
|
|
'4555',
|
|
|
|
|
'4755'
|
2022-09-24 15:12:23 +00:00
|
|
|
)
|
|
|
|
|
AND NOT (
|
|
|
|
|
f.path = '/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService'
|
|
|
|
|
AND f.mode = '0777'
|
|
|
|
|
AND f.uid > 500
|
|
|
|
|
)
|
