From 48317940343fefd12d9a4be5396cca1e02651cad Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 23 May 2023 11:31:58 -0400
Subject: [PATCH] Rename from missing-parent

---
 .../parent-pid-missing-from-procfs.sql | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 detection/evasion/parent-pid-missing-from-procfs.sql

diff --git a/detection/evasion/parent-pid-missing-from-procfs.sql b/detection/evasion/parent-pid-missing-from-procfs.sql
new file mode 100644
index 0000000..69e6400
--- /dev/null
+++ b/detection/evasion/parent-pid-missing-from-procfs.sql
@@ -0,0 +1,27 @@
+-- Find a process which has a parent that is not listed in the process table
+--
+-- Works well for revealing boopkit, so long as boopkit has a child process.
+--
+-- references:
+-- * https://github.com/krisnova/boopkit
+-- * https://attack.mitre.org/techniques/T1014/ (Rootkit)
+--
+-- false positives:
+-- * Can by racy if child and parent exit at the right time
+--
+-- tags: persistent daemon
+SELECT p.*,
+ hash.sha256,
+ GROUP_CONCAT(DISTINCT pof.path) AS open_files
+FROM processes p
+ LEFT JOIN hash ON p.path = hash.path
+ LEFT JOIN process_open_files pof ON p.pid = pof.pid
+WHERE -- Prevent false positives by avoiding short-lived commands
+ p.start_time < (strftime('%s', 'now') -1)
+ AND p.parent NOT IN (
+ SELECT pid
+ FROM processes
+ )
+ AND p.parent != 0
+ AND p.parent IS NOT NULL
+GROUP BY p.pid
\ No newline at end of file
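Review bot: The `p.parent NOT IN (SELECT pid FROM processes)` predicate in the WHERE clause is the NOT-IN-on-subquery form that yields no rows at all if any `pid` in the inner scan is NULL, which would silently blank the whole detection rather than surface an error; `AND NOT EXISTS (SELECT 1 FROM processes pp WHERE pp.pid = p.parent)` performs the same membership test without the NULL trap and reads as the per-row check it is. That inner scan is a second read of the process table, so the race the header already lists under false positives is specifically between the outer and inner snapshots; the comment would be more useful to a responder if it also noted that on Linux an orphaned child is normally reparented to PID 1 (or a subreaper), so a parent that is still absent outside that brief window is the rootkit signal rather than an ordinary exited parent. `p.*` together with `GROUP BY p.pid` relies on SQLite bare-column semantics, which is fine for the (presumably osquery) engine this targets but an explicit column list would keep the output shape stable if the `processes` schema changes. Minor: the false-positives line reads `Can by racy` and should be `Can be racy`.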