From 2c783f17f43f0131f2a341bf97a3eed7aa2b1421 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 12 Dec 2023 12:56:09 -0500
Subject: [PATCH] exotic events linux: remove uptime join, use empty string
---
 .../execution/exotic-command-events-linux.sql | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql
index 08f4278..614e0f2 100644
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@@ -9,10 +9,10 @@
 -- tags: transient process events
 -- platform: linux
 -- interval: 600
-SELECT
- -- Child
+SELECT -- Child
 pe.path AS p0_path,
 pe.time AS p0_time,
+ pe.uptime AS p0_uptime,
 REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
 TRIM(pe.cmdline) AS p0_cmd,
 pe.cwd AS p0_cwd,
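Review bot: The new output column `pe.uptime AS p0_uptime` carries no hint of its unit or meaning, and sitting directly under the epoch-timestamp `p0_time` it is easy to misread as another wall-clock value. I would annotate it inline, `pe.uptime AS p0_uptime, -- seconds since boot at the time of the exec`, which is also the reading hunk 3 relies on when it compares `pe.uptime < 15` for boot-time kmod loads; confirm the wording against the osquery process_events schema before adopting it. The SELECT list continues beyond the hunk.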
@@ -43,26 +43,26 @@ SELECT
 '.*/(.*)', 1 ) AS exception_key
-FROM
- process_events pe,
- uptime
+FROM process_events pe
 LEFT JOIN processes p ON pe.pid = p.pid -- Parents (via two paths) LEFT JOIN processes p1 ON pe.parent = p1.pid AND p1.start_time <= pe.time LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path LEFT JOIN process_events pe1 ON pe.parent = pe1.pid AND pe1.time <= pe.time
- AND pe1.cmdline != ''
+ AND pe1.cmdline != ""
+ AND pe1.cwd != ""
 LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path -- Grandparents (via 3 paths) LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes AND p1_p2.start_time <= p1.start_time LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events AND pe1_p2.start_time <= pe1.time LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid
- AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
-WHERE
- pe.time > (strftime('%s', 'now') -600)
- AND pe.cmdline != ''
+ AND pe1_pe2.cmdline != ""
+ AND pe1_pe2.cwd != ""
+WHERE pe.time > (strftime('%s', 'now') -600)
+ AND pe.cmdline != ""
+ AND pe.cwd != ""
 AND ( p0_name IN ( 'bitspin',
@@ -168,7 +168,7 @@ WHERE
 )
 AND NOT (
 pe.path IN ('/usr/bin/kmod', '/bin/kmod')
- AND uptime.total_seconds < 15
+ AND pe.uptime < 15
 )
 AND NOT (
 pe.path = '/usr/bin/mkfifo'
@@ -202,4 +202,4 @@ WHERE
 'nc,500,fish,konsole',
 'chrome_crashpad_handler,500,systemd,systemd',
 'bash,0,bash,containerd-shim-runc-v2'
- )
+ )
\ No newline at end of file
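Review bot: The added predicates `AND pe1.cmdline != ""`, `AND pe1.cwd != ""`, `AND pe1_pe2.cmdline != ""`, `AND pe1_pe2.cwd != ""`, `AND pe.cmdline != ""` and `AND pe.cwd != ""` switch the empty-string literal to double quotes, which in SQL and in SQLite (osquery's engine) delimit identifiers rather than strings; `""` only behaves as an empty string through SQLite's legacy double-quoted-string fallback, which is a build-time option that can be switched off, so the single-quoted form the removed lines used, `AND pe.cmdline != ''`, is the one to keep. The new `pe.cwd != ""` condition in the WHERE clause also discards every child event whose cwd osquery left empty; if that can happen for audit-sourced events it is a coverage gap in a detection rule, so the exclusion deserves a comment stating why such events are dropped. Separately, the `pe1_pe2` join that the new `pe1_pe2.cmdline`/`cwd` conditions extend is still keyed on `pe1.parent = pe1_p2.pid`, which never mentions `pe1_pe2.pid`, so it looks like the past-grandparent row is not actually tied to the parent event — worth confirming, since the new predicates only make sense if that join is correct. The WHERE clause continues beyond the hunk.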
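Review bot: `AND pe.uptime < 15` changes what the kmod exception means and nothing in the file records it: the removed `uptime.total_seconds < 15` compared the host's uptime at query time, which with the file's `-- interval: 600` and the `pe.time > (strftime('%s', 'now') -600)` window was almost never true, whereas `pe.uptime` appears to be the uptime captured on the event itself, so the exception now suppresses kmod executions from the first 15 seconds after boot no matter when the query runs. That is the more sensible semantics for a boot-time allowlist, but it also widens an exclusion in a detection rule, so I would say so inline: `AND pe.uptime < 15 -- uptime recorded on the event: kmod loads within 15s of boot`. The enclosing NOT (...) exception list continues outside the hunk.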