Merge pull request #115 from tstromberg/less-false2

Remove false positives, fix queries that failed to show a parent pid

detection/c2/unexpected-talkers-linux.sql

@@ -95,6 +95,7 @@ WHERE
     '22,6,500,/home/terraform,500u,500g,terraform',
     '22,6,500,/usr/cargo,0u,0g,cargo',
     '22,6,500,/usr/ssh,0u,0g,ssh',
+    '27020,6,500,/home/steam,500u,500g,steam',
     '27022,6,500,/home/steam,500u,500g,steam',
     '27034,6,500,/home/steam,500u,100g,steam',
     '27035,6,500,/home/steam,500u,100g,steam',
@@ -134,6 +135,7 @@ WHERE
     '80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
     '80,6,0,/usr/wget,0u,0g,wget',
     '80,6,105,/usr/http,0u,0g,http',
+    '80,6,500,/app/signal-desktop,u,g,signal-desktop',
     '80,6,500,/app/spotify,u,g,spotify',
     '80,6,500,/app/thunderbird,u,g,thunderbird',
     '80,6,500,/home/mconvert,500u,500g,mconvert',
@@ -152,10 +154,12 @@ WHERE
     '80,6,500,/usr/gnome-software,0u,0g,gnome-software',
     '80,6,500,/usr/pacman,0u,0g,pacman',
     '80,6,500,/usr/python3.10,0u,0g,yum',
+    '8080,6,500,/usr/python3.11,0u,0g,speedtest-cli',
     '80,6,500,/usr/python3.11,0u,0g,abrt-action-ins',
     '80,6,500,/usr/rpi-imager,0u,0g,rpi-imager',
     '80,6,500,/usr/signal-desktop,0u,0g,signal-desktop',
     '80,6,500,/usr/thunderbird,0u,0g,thunderbird',
+    '8080,6,500,/usr/speedtest,500u,500g,speedtest',
     '8080,6,500,/opt/chrome,0u,0g,chrome',
     '8080,6,500,/usr/firefox,0u,0g,firefox',
     '8443,6,500,/opt/chrome,0u,0g,chrome',

detection/evasion/empty_root_environ_linux.sql

@@ -57,6 +57,7 @@ WHERE
   AND NOT p.cmdline LIKE '%--type=zygote%'
   AND NOT p.cmdline LIKE '%--disable-seccomp-filter-sandbox%'
   AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
+  AND NOT (p.name = 'sh' AND p.cgroup_path='/system.slice/znapzend.service')
 GROUP BY
   p.pid
 HAVING

detection/evasion/hidden-cwd.sql

@@ -54,25 +54,26 @@ WHERE
   dir LIKE '%/.%'
   AND NOT (
     exception_key IN (
-      'bash,~/.local/share',
+      'as,~/.cache/yay',
       'bash,~/go/src',
+      'bash,~/.local/share',
+      'bash,~/.Trash',
+      'cc1plus,~/.cache/yay',
+      'c++,~/.cache/yay',
+      'cgo,~/.gimme/versions',
+      'dirhelper,/private/var/folders',
       'Electron,~/.vscode/extensions',
       'fish,~/.local/share',
-      'git,~/.local/share',
-      'makepkg,~/.cache/yay',
-      'zsh,~/.Trash',
-      'cgo,~/.gimme/versions',
-      'bash,~/.Trash',
       'fish,~/.Trash',
-      'make,~/.cache/yay',
+      'git,~/.local/share',
       'java,~/.gradle/daemon',
       'java,~/.local/share',
-      'rust-analyzer-p,~/.cargo/registry',
+      'make,~/.cache/yay',
-      'as,~/.cache/yay',
+      'makepkg,~/.cache/yay',
-      'c++,~/.cache/yay',
+      'mysqld,~/.local/share',
-      'cc1plus,~/.cache/yay',
       'npm install,~/.npm/_cacache',
-      'mysqld,~/.local/share'
+      'rust-analyzer-p,~/.cargo/registry',
+      'zsh,~/.Trash'
     )
     OR exception_key LIKE '%sh,~/.Trash/%'
     OR dir IN (

detection/evasion/missing-from-disk-macos.sql

@@ -58,6 +58,7 @@ WHERE
       OR p.path LIKE '/private/var/folders/zz/%/T/PKInstallSandboxTrash/%.sandboxTrash/%'
       OR p.path LIKE '/Users/%/node_modules/.pnpm/%'
       OR p.path LIKE '/Users/%/homebrew/Cellar/%/bin/%'
+      OR p.path LIKE '/Users/%/.local/share/nvim/mason/packages/%'
       OR cmd LIKE '/opt/homebrew/opt/%'
       OR cmd LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/%'
       OR cmd LIKE '/Users/%/homebrew/opt/mysql/bin/%' -- Sometimes cmd is empty also :(

detection/evasion/unexpected-alf-exceptions-macos.sql

@@ -56,6 +56,7 @@ WHERE -- NOTE:We intentionally want to preserve missing files
     'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
     ',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501', -- thanks Jed!
     ',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
+    'Software Signing,com.apple.audio.InfoHelper,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.InfoHelper.xpc/,0',
     'Software Signing,com.apple.bootpd,/usr/libexec/bootpd,0',
     'Software Signing,com.apple.configd,/usr/libexec/configd,0',
     'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0',

detection/evasion/unexpected-dev-executables-linux.sql

@@ -62,7 +62,6 @@ WHERE
   )
   AND NOT (
     file.uid = 1000
-    AND file.gid = 100
     AND file.mode = '0755'
     AND file.path LIKE '/dev/shm/flatpak-com.valvesoftware.Steam-%/u1000-Shm_%'
     AND file.size > 1000000

detection/execution/exotic-command-events-linux.sql

@@ -76,7 +76,10 @@ WHERE
     OR cmd LIKE '%iptables -F%'
     OR cmd LIKE '%chattr -ia%'
     OR cmd LIKE '%chmod 777 %'
-    OR cmd LIKE '%history'
+    OR (
+      INSTR(cmd, 'history') > 0
+      AND cmd LIKE '%history'
+    )
     OR cmd LIKE '%touch%acmr%'
     OR cmd LIKE '%touch -r%'
     OR cmd LIKE '%ld.so.preload%'
@@ -113,7 +116,7 @@ WHERE
     )
     OR cmd LIKE '%socat%'
     OR cmd LIKE '%SOCK_STREAM%'
-    OR INSTR(cmd, '%Socket.%') > 0
+    OR INSTR(cmd, 'Socket.') > 0
   ) -- Things that could reasonably happen at boot.
   AND NOT (
     p.path IN ('/usr/bin/kmod', '/bin/kmod')

detection/execution/exotic-command-events-macos.sql

@@ -87,7 +87,10 @@ WHERE
     OR cmd LIKE '%rm -f /var/tmp%'
     OR cmd LIKE '%rm -f /tmp%'
     OR cmd LIKE '%nohup /bin/bash%'
-    OR cmd LIKE '%history'
+    OR (
+      INSTR(cmd, 'history') > 0
+      AND cmd LIKE '%history'
+    )
     OR cmd LIKE '%echo%|%base64 --decode %|%'
     OR cmd LIKE '%launchctl list%'
     OR (
@@ -105,7 +108,7 @@ WHERE
     )
     OR cmd LIKE '%socat%'
     OR cmd LIKE '%SOCK_STREAM%'
-    OR INSTR(cmd, '%Socket.%') > 0
+    OR INSTR(cmd, 'Socket.') > 0
   ) -- Things that could reasonably happen at boot.
   AND NOT (
     p.path = '/usr/bin/mkfifo'
@@ -148,4 +151,4 @@ WHERE
   AND NOT cmd LIKE '%find /Applications/LogiTuneInstaller.app -type d -exec chmod 777 {}%'
   AND NOT cmd LIKE '/bin/rm -f /tmp/com.adobe.%.updater/%'
   AND NOT cmd LIKE 'dirname %history'
-  AND NOT cmd LIKE '%-history'
+  AND NOT cmd LIKE '%history'

detection/execution/unexpected-fetcher-parent-events.sql

@@ -12,7 +12,7 @@ SELECT
   TRIM(pe.cmdline) AS child_cmd,
   pe.pid AS child_pid,
   p.cgroup_path AS child_cgroup,
-  p.parent AS parent_pid,
+  pe.parent AS parent_pid,
   TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd,
   TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path,
   IIF(pp.path != NULL, phash.sha256, pehash.sha256) AS parent_hash,

detection/execution/unexpected-fetcher-parents.sql

@@ -91,5 +91,10 @@ WHERE
     AND parent_name = 'bash'
     AND parent_cmd LIKE 'bash ./hack/%.sh'
   )
+  AND NOT (
+    p.euid > 500
+    AND parent_name = 'bash'
+    AND parent_cmd LIKE 'bash %/bin/go-build %'
+  )
 GROUP BY
   p.pid

detection/execution/unexpected-sysctl-calls.sql

@@ -12,7 +12,7 @@ SELECT
   TRIM(pe.cmdline) AS child_cmd,
   pe.pid AS child_pid,
   p.cgroup_path AS child_cgroup,
-  p.parent AS parent_pid,
+  pe.parent AS parent_pid,
   TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd,
   TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path,
   IIF(pp.path != NULL, phash.sha256, pehash.sha256) AS parent_hash,
@@ -59,10 +59,12 @@ FROM
  WHERE
   pe.time > (strftime('%s', 'now') -900)
   AND pe.path IN ('/usr/bin/sysctl', '/sbin/sysctl', '/usr/sbin/sysctl')
+  AND NOT p.parent IS NULL
   AND NOT child_cmd IN (
     'sysctl -n hw.optional.arm64',
+    '/usr/sbin/sysctl kern.hv_support',
     '/usr/sbin/sysctl -n hw.cputype',
-    'sysctl.proc_translated'
+    '/usr/sbin/sysctl sysctl.proc_translated'
   )
 GROUP BY
   pe.pid

detection/initial_access/unexpected-shell-parent-events.sql

@@ -17,7 +17,7 @@ SELECT
   pe.pid AS child_pid,
   pe.euid AS child_euid,
   p.cgroup_path AS child_cgroup,
-  p.parent AS parent_pid,
+  pe.parent AS parent_pid,
   TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd,
   TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path,
   IIF(pp.path != NULL, phash.sha256, pehash.sha256) AS parent_hash,
@@ -140,7 +140,9 @@ WHERE
     )
     OR child_cmd LIKE '/bin/bash /usr/local/Homebrew/Library%'
     OR child_cmd LIKE '/bin/sh %google-cloud-sdk/bin/docker-credential-gcloud get'
+    OR child_cmd LIKE '%/bash -e%/bin/as -arch%'
     OR gparent_cmd LIKE '/bin/bash /usr/local/bin/brew%'
+    OR gparent_cmd LIKE '/usr/bin/python3 -m py_compile %'
   )
 GROUP BY
   pe.pid

detection/initial_access/unexpected-shell-parents.sql

@@ -34,22 +34,24 @@ WHERE
   AND pp.name NOT IN (
     'abrt-handle-eve',
     'alacritty',
+    'Alfred',
     'bash',
     'build-script-build',
-    'dnf',
     'chezmoi',
     'clang-11',
     'code',
     'Code Helper (Renderer)',
     'Code - Insiders Helper (Renderer)',
-    'configure',
     'collect2',
+    'configure',
     'conmon',
     'containerd-shim',
     'dash',
     'demoit',
     'direnv',
+    'dnf',
     'doas',
+    'Docker Desktop',
     'erl_child_setup',
     'find',
     'FinderSyncExtension',

detection/persistence/unexpected-chrome-extensions.sql

@@ -51,12 +51,13 @@ WHERE
   AND enabled = 1
   AND exception_key NOT IN (
     'false,Anthony Feddersen - Chainguard, Inc.,Chainguard On-Call Chrome Extension,,background', -- TODO: Move to local exceptions list once osqtool supports them
-    'false,juverm@chainguard.dev,auto-close-gitsign,,',
+    'false,,base64 encode or decode selected text,,contextMenus',
     'false,,Google Chat,chfbpgnooceecdoohagngmjnndbbaeip,', -- Deprecated Google Extension
     'false,,Google Chat,mdpkiolbdkhdjpekfbkbmhigcaggjagi,', -- Deprecated Google Extension
     'false,,Google Cloud,gmdcbpephenfeelhagpbceidhdbobfpk,', -- Deprecated Google Extension
     'false,,Google Drive,aghbiahbpaijignceidepookljebhfak,', -- Deprecated Google Extension
     'false,,Google Photos,ncmjhecbjeaamljdfahankockkkdmedg,', -- Deprecated Google Extension
+    'false,juverm@chainguard.dev,auto-close-gitsign,,',
     'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml,', -- Deprecated Google Extension
     'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb,storage, tabs',
     'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk,storage, unlimitedStorage, webRequest, webRequestBlocking, <all_urls>',
@@ -120,6 +121,7 @@ WHERE
     'true,,GSConnect,jfnifeihccihocjbfcfhicmmgpjicaec,nativeMessaging, tabs, contextMenus',
     'true,Guilherme Nascimento,Prevent Duplicate Tabs,eednccpckdkpojaiemedoejdngappaag,tabs',
     'true,,Honey: Automatic Coupons & Cash Back,bmnlcjabgnpnenekpadlanbbkooimhnj,cookies, storage, unlimitedStorage, webRequest, webRequestBlocking, http://*/*, https://*/*',
+    'true,,Honey: Automatic Coupons & Rewards,bmnlcjabgnpnenekpadlanbbkooimhnj,cookies, storage, unlimitedStorage, webRequest, webRequestBlocking, http:///, https:///',
     'true,,HTTPS Everywhere,gcbommkclmclpchllfjekcdonpmejbdp,webNavigation, webRequest, webRequestBlocking, tabs, cookies, storage, *://*/*, ftp://*/*',
     'true,https://metamask.io,MetaMask,nkbihfbeogaeaoehlefnkodbefgpgknn,storage, unlimitedStorage, clipboardWrite, http://localhost:8545/, https://*.infura.io/, https://chainid.network/chains.json, https://lattice.gridplus.io/*, activeTab, webRequest, *://*.eth/, notifications',
     'true,James Anderson,LeechBlock NG,blaaajhemilngeeffpbfkdjjoefldkok,downloads, contextMenus, storage, tabs, unlimitedStorage, webNavigation',
@@ -135,6 +137,7 @@ WHERE
     'true,,Loom – Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb,<all_urls>, tabCapture, webNavigation, activeTab, contextMenus, storage, tabs, desktopCapture, notifications, cookies, *://*.useloom.com/, *://*.loom.com/, http://localhost/*',
     'true,,Lucidchart Diagrams,apboafhkiegglekeafbckfjldecefkhn,unlimitedStorage, notifications, clipboardRead, clipboardWrite',
     'true,,Markdown Preview Plus,febilkbfcbhebfnokafefeacimjdckgl,storage, clipboardWrite, <all_urls>',
+    'true,Marker.io,Marker.io: Visual bug reporting for websites,jofhoojcehdmaiibilpcoofpdbbddkkl,<all_urls>, notifications, contextMenus, desktopCapture',
     'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka,tabs, background, webNavigation, storage, <all_urls>, webRequest, webRequestBlocking, downloads, notifications',
     'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka,tabs, background, webNavigation, storage, scripting, alarms, webRequest, declarativeNetRequest, declarativeNetRequestFeedback, downloads, notifications',
     'true,,Notion Web Clipper,knheggckgoiihginacbkhaalnibhilkk,activeTab, storage, cookies',
@@ -148,6 +151,7 @@ WHERE
     'true,,Password Alert,noondiphcddnnabmjcihcjfbhfklnnep,identity, identity.email, notifications, storage, tabs, <all_urls>',
     'true,Pawel Psztyc,Advanced REST client,hgmloofddffdnphfgcellkdfbfbjeloo,<all_urls>, storage, unlimitedStorage, identity, syncFileSystem,',
     'true,,Picture-in-Picture Extension (by Google),hkgfoiooedgoejojocmhlaklaeopbecg,<all_urls>, storage',
+    'true,,Playback Rate,jgmkoefgnppfpagkhifpialkkkgnfgag,contextMenus, tabs, <all_urls>',
     'true,,PlayTo for Chromecast™,jngkenaoceimiimeokpdbmejeonaaami,storage, webRequest, <all_urls>, tabs, webRequestBlocking',
     'true,,Postman,fhbjgbiflinjbdggehcddcbncdddomop,webview, system.display, http://*/*, https://*/*, contextMenus, unlimitedStorage, storage, fileSystem, fileSystem.write, notifications, identity,',
     'true,,Privacy Badger,pkehgijcmpdhfbdbbnkijodmdjhbjlgp,tabs, http://*/*, https://*/*, webNavigation, webRequest, webRequestBlocking, storage, privacy',
@@ -157,14 +161,15 @@ WHERE
     'true,,React Developer Tools,fmkadmapgofadopljbjfkapdkoienihi,file:///*, http://*/*, https://*/*',
     'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm,tabs, activeTab, contextMenus, http://*/*, https://*/*, storage',
     'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm,tabs, activeTab, contextMenus, storage, scripting',
+    'true,,Readwise Highlighter,jjhefcfhmnkfeepcpnilbbkaadhngkbi,<all_urls>, activeTab, background, contextMenus, notifications, storage, tabs, unlimitedStorage',
     'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb,https://*.reddit.com/*, tabs, history, storage, unlimitedStorage, webRequest',
     'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd,tabs, http://*/*, https://*/*, storage',
     'true,,Save to Google Drive,gmbmikajjgmnabiglmofipeabaddhgne,contextMenus, identity, printerProvider, notifications, pageCapture, storage, tabs, webRequest, <all_urls>',
     'true,,Save to Pocket,niloccemoadcdkdjlinkgdfekeahmflj,tabs, contextMenus, cookies, storage',
     'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd,clipboardRead, clipboardWrite, contextMenus, idle, notifications, storage, terminalPrivate, unlimitedStorage, fileSystemProvider, accessibilityFeatures.read',
     'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd,clipboardRead, clipboardWrite, contextMenus, idle, notifications, storage, terminalPrivate, unlimitedStorage, fileSystemProvider, accessibilityFeatures.read, crashReportPrivate, metricsPrivate',
-    'true,,Send to Kindle for Google Chrome™,cgdjpilhipecahhcilnafpblkieebhea,tabs, <all_urls>, storage, unlimitedStorage',
     'true,,Send to Kindle for Google Chrome™,cgdjpilhipecahhcilnafpblkieebhea,tabs, activeTab, storage, unlimitedStorage, alarms, scripting',
+    'true,,Send to Kindle for Google Chrome™,cgdjpilhipecahhcilnafpblkieebhea,tabs, <all_urls>, storage, unlimitedStorage',
     'true,,Session Buddy,edacconmaakjimmfgnblocblbcdcpbko,tabs, unlimitedStorage',
     'true,,Simple Tab Sorter,cgfpgnepljlgenjclbekbjdlgcodfmjp,tabs, storage',
     'true,,Slack,jeogkiiogjbmhklcnbgkdcjoioegiknm,unlimitedStorage, notifications, clipboardRead, clipboardWrite',
@@ -182,10 +187,10 @@ WHERE
     'true,,UET Tag Helper (by Microsoft Advertising),naijndjklgmffmpembnkfbcjbognokbf,activeTab, downloads, tabs, webNavigation, webRequest, http://*/, https://*/',
     'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg,storage, unlimitedStorage, tabs, webRequest, webRequestBlocking, http://spoofer-extension.appspot.com/, https://spoofer-extension.appspot.com/, <all_urls>',
     'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki,clipboardWrite, contextMenus, notifications',
+    'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke,activeTab, storage, tabs, identity, https://maps.googleapis.com/*, https://*.vimcal.com/*, webNavigation, <all_urls>, background, history',
     'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, clipboardRead, storage, sessions, notifications, webNavigation, <all_urls>',
     'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, storage, sessions, notifications, webNavigation, <all_urls>',
     'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd,<all_urls>, storage',
-    'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke,activeTab, storage, tabs, identity, https://maps.googleapis.com/*, https://*.vimcal.com/*, webNavigation, <all_urls>, background, history',
     'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webNavigation, webRequest',
     'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webRequest, webNavigation, http://*/*, https://*/*',
     'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb,<all_urls>, proxy, management, tabs, webRequest, webRequestBlocking, activeTab, storage, unlimitedStorage, contextMenus, privacy, webNavigation, notifications, cookies',

detection/privesc/unexpected-elevated-children-events_macos.sql

@@ -9,35 +9,48 @@
 --
 -- tags: events process escalation
 -- platform: darwin
--- interval: 30
+-- interval: 60
 SELECT
-  p.pid AS child_pid,
+  pe.path AS child_path,
-  p.path AS child_path,
+  TRIM(REGEX_MATCH (pe.path, '.*/(.*)', 1)) AS child_name,
-  REGEX_MATCH (RTRIM(file.path, '/'), '.*/(.*?)$', 1) AS child_name,
+  TRIM(pe.cmdline) AS child_cmd,
-  p.cmdline AS child_cmdline,
+  pe.pid AS child_pid,
-  p.time,
+  pe.euid AS child_euid,
-  pp.start_time,
+  p.cgroup_path AS child_cgroup,
-  p.euid AS child_euid,
+  pe.parent AS parent_pid,
-  file.mode AS child_mode,
+  TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd,
-  hash.sha256 AS child_hash,
+  TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path,
-  p.parent AS parent_pid,
+  (IIF(pp.euid != NULL, pp.euid, ppe.euid)) AS parent_euid,
-  pp.path AS parent_path,
+  IIF(pp.path != NULL, phash.sha256, pehash.sha256) AS parent_hash,
-  pp.name AS parent_name,
+  REGEX_MATCH (
-  pp.cmdline AS parent_cmdline,
+    IIF(pp.path != NULL, pp.path, ppe.path),
-  pp.euid AS parent_euid,
+    '.*/(.*)',
-  pfile.mode AS parent_mode,
+    1
-  phash.sha256 AS parent_hash
+  ) AS parent_name,
+  TRIM(IIF(gp.cmdline != NULL, gp.cmdline, gpe.cmdline)) AS gparent_cmd,
+  TRIM(IIF(gp.path != NULL, gp.path, gpe.path)) AS gparent_path,
+  IIF(gp.path != NULL, gphash.sha256, gpehash.path) AS gparent_hash,
+  REGEX_MATCH (
+    IIF(gp.path != NULL, gp.path, gpe.path),
+    '.*/(.*)',
+    1
+  ) AS gparent_name,
+  IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid
 FROM
-  process_events p
+  process_events pe
-  JOIN processes pp ON p.parent = pp.pid
+  LEFT JOIN processes p ON pe.pid = p.pid
-  LEFT JOIN file ON p.path = file.path
+  LEFT JOIN processes pp ON pe.parent = pp.pid
-  LEFT JOIN hash ON p.path = hash.path
+  LEFT JOIN hash phash ON pp.path = phash.path
-  LEFT JOIN file AS pfile ON pp.path = pfile.path
+  LEFT JOIN process_events ppe ON pe.parent = ppe.pid
-  LEFT JOIN hash AS phash ON pp.path = phash.path
+  LEFT JOIN hash pehash ON ppe.path = pehash.path
+  LEFT JOIN processes gp ON gp.pid = pp.parent
+  LEFT JOIN hash gphash ON gp.path = gphash.path
+  LEFT JOIN process_events gpe ON ppe.parent = gpe.pid
+  LEFT JOIN hash gpehash ON gpe.path = gpehash.path
 WHERE
-  p.time > (strftime('%s', 'now') -30)
+  pe.time > (strftime('%s', 'now') -60)
-  AND p.euid < pp.euid
+  AND child_euid < parent_euid
-  AND p.path NOT IN (
+  AND pe.path NOT IN (
     '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared',
     '/usr/bin/login',
     '/usr/bin/su',
@@ -46,16 +59,13 @@ WHERE
   )
   -- Exclude weird bad data we've seen due to badly recorded macOS parent/child relationships, fixable by reboot
   AND NOT (
-    p.cmdline IN (
+    child_cmd IN (
       '/usr/sbin/cupsd -l',
       '/usr/libexec/mdmclient daemon',
       '/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared'
     )
   )
-  -- More very weird data that keeps showing up: gopls starting everything!
-  -- I think this may be due to some bad joining
   AND NOT (
-    pp.cmdline LIKE '%/go/bin/gopls -mode=stdio'
+    pe.euid = 262 -- core media helper id
-    AND pp.path LIKE '/Users/%/go/bin/gopls'
+    AND pe.path = '/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/AppleCamera.plugin/Contents/Resources/AppleCameraAssistant'
-    AND pp.euid > 500
   )