From 5e3d1d22bda3d118a7db812ad97965d5ed250a74 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg <t+github@chainguard.dev>
Date: Wed, 20 Sep 2023 18:24:40 -0400
Subject: [PATCH] Simplify execution queries

---
 Makefile                                      | 2 +-
 detection/execution/exotic-commands-linux.sql | 3 ---
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 0a2914b..eb19d7a 100644
--- a/Makefile
+++ b/Makefile
@@ -23,7 +23,7 @@ out/odk-detection-evasion.conf: out/osqtool-$(ARCH) $(wildcard detection/evasion
 	./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-evasion.conf pack detection/evasion
 
 out/odk-detection-execution.conf: out/osqtool-$(ARCH) $(wildcard detection/execution/*.sql)
-	./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-execution.conf pack detection/execution
+	./out/osqtool-$(ARCH) --max-query-duration=8s --verify -output out/odk-detection-execution.conf pack detection/execution
 
 out/odk-detection-exfil.conf: out/osqtool-$(ARCH) $(wildcard detection/exfil/*.sql)
 	./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-exfil.conf pack detection/exfil
diff --git a/detection/execution/exotic-commands-linux.sql b/detection/execution/exotic-commands-linux.sql
index 2bc6435..1fe1b60 100644
--- a/detection/execution/exotic-commands-linux.sql
+++ b/detection/execution/exotic-commands-linux.sql
@@ -103,9 +103,6 @@ WHERE
       p0.cmdline LIKE '%UserKnownHostsFile=/dev/null%'
       AND NOT p1.name = 'limactl'
     ) -- Crypto miners
-    OR p0.cmdline LIKE '%c3pool%'
-    OR p0.cmdline LIKE '%cryptonight%'
-    OR p0.cmdline LIKE '%f2pool%'
     OR p0.cmdline LIKE '%hashrate%'
     OR p0.cmdline LIKE '%hashvault%'
     OR p0.cmdline LIKE '%minerd%'