Merge pull request #150 from tstromberg/fp4

Include more process information across queries
2025-02-22 04:56:50 +00:00 · 2023-02-01 13:57:04 -05:00 · 2023-02-01 13:57:04 -05:00 · 97a3661e1d
commit 97a3661e1d
parent 3ee82708c8 f9dce0a72d
47 changed files with 996 additions and 474 deletions
--- a/detection/c2/unexpected-icmp-socket-events.sql
+++ b/detection/c2/unexpected-icmp-socket-events.sql
@ -8,6 +8,8 @@
 SELECT
  se.*,
  p.path,
+  p.cwd,
+  p.euid,
  p.cmdline
 FROM
  socket_events se
--- a/detection/c2/unexpected-icmp-socket.sql
+++ b/detection/c2/unexpected-icmp-socket.sql
@ -5,13 +5,40 @@
 --
 -- tags: transient state net often
 SELECT
-  pop.pid,
-  p.path,
-  p.cmdline
+  pop.pid AS p0_pid,
+  pop.socket,
+  pop.local_address,
+  pop.remote_address,
+  -- Child
+  p0.path AS p0_path,
+  p0.name AS p0_name,
+  p0.cmdline AS p0_cmd,
+  p0.cwd AS p0_cwd,
+  p0.cgroup_path AS p0_cgroup,
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
 FROM
  process_open_sockets pop
-  JOIN processes p ON pop.pid = p.pid
+  LEFT JOIN processes p0 ON pop.pid = p0.pid
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  family = 2 -- PF_INET
-  AND protocol = 1 -- ICMP
-  AND p.name NOT IN ('ping')
+  pop.family = 2 -- PF_INET
+  AND pop.protocol = 1 -- ICMP
+  AND p0.name NOT IN ('ping')
+GROUP BY p0_pid
--- a/detection/credentials/macos_keyboard_sniffer.sql
+++ b/detection/credentials/macos_keyboard_sniffer.sql
@ -9,29 +9,55 @@ SELECT
  et.enabled,
  et.process_being_tapped,
  et.tapping_process,
-  p.path,
-  s.authority,
-  s.identifier,
-  h.sha256,
  CONCAT (
    REPLACE(
-      p.path,
-      RTRIM(p.path, REPLACE(p.path, '/', '')),
+      p0.path,
+      RTRIM(p0.path, REPLACE(p0.path, '/', '')),
      ''
    ),
    ',',
-    identifier,
+    s.identifier,
    ',',
-    authority
-  ) AS exception_key
+    s.authority
+  ) AS exception_key,
+  ---
+  s.authority,
+  s.identifier,
+  -- Child
+  p0.path AS p0_path,
+  p0.name AS p0_name,
+  p0.cmdline AS p0_cmd,
+  p0.cwd AS p0_cwd,
+  p0.cgroup_path AS p0_cgroup,
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1_f.mode AS p1_mode,
+  p1.euid AS p1_euid,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
 FROM
  event_taps et
-  LEFT JOIN processes p ON et.tapping_process = p.pid
-  LEFT JOIN signature s ON s.path = p.path
-  LEFT JOIN hash h ON h.path = p.path
+  LEFT JOIN processes p0 ON et.tapping_process = p.pid
+  LEFT JOIN signature s ON p0.path = s.path
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN file p1_f ON p1.path = p1_f.path
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  event_tapped IN ('EventKeyDown', 'EventKeyUp')
-  AND authority != 'Software Signing'
+  et.event_tapped IN ('EventKeyDown', 'EventKeyUp')
+  AND s.authority != 'Software Signing'
  -- Popular programs that sniff keyboard events, but do not appear to be malware.
  AND NOT exception_key IN (
    'BetterTouchTool,com.hegenberg.BetterTouchTool,Developer ID Application: folivora.AI GmbH (DAFVSXZ82P)',
@ -44,4 +70,4 @@ WHERE
    'skhd,skhd,'
  )
 GROUP BY
-  p.path
+  p0.path
--- a/detection/credentials/unexpected-dev-opener-linux.sql
+++ b/detection/credentials/unexpected-dev-opener-linux.sql
@ -11,12 +11,6 @@
 SELECT
  pof.pid,
  pof.path AS device,
-  p.path AS program,
-  p.name AS program_name,
-  p.cmdline AS cmdline,
-  pp.cmdline AS parent_cmdline,
-  gp.cmdline AS gparent_cmdline,
-  hash.sha256,
  CONCAT (
    IIF(
      REGEX_MATCH (
@ -33,8 +27,8 @@ SELECT
    ),
    ',',
    REPLACE(
-      p.path,
-      RTRIM(p.path, REPLACE(p.path, '/', '')),
+      p0.path,
+      RTRIM(p0.path, REPLACE(p0.path, '/', '')),
      ''
    )
  ) AS path_exception,
@ -55,17 +49,42 @@ SELECT
    ),
    ',',
    REPLACE(
-      p.path,
-      RTRIM(p.path, REPLACE(p.path, '/', '')),
+      p0.path,
+      RTRIM(p0.path, REPLACE(p0.path, '/', '')),
      ''
    )
-  ) AS dir_exception
+  ) AS dir_exception,
+  -- Child
+  p0.path AS p0_path,
+  p0.name AS p0_name,
+  p0.cmdline AS p0_cmd,
+  p0.cwd AS p0_cwd,
+  p0.cgroup_path AS p0_cgroup,
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1_f.mode AS p1_mode,
+  p1.euid AS p1_euid,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
 FROM
  process_open_files pof
-  LEFT JOIN processes p ON pof.pid = p.pid
-  LEFT JOIN processes pp ON p.parent = pp.pid
-  LEFT JOIN processes gp ON pp.parent = gp.pid
-  LEFT JOIN hash ON hash.path = p.path
+  LEFT JOIN processes p0 ON pof.pid = p0.pid
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN file p1_f ON p1.path = p1_f.path
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
  pof.path LIKE '/dev/%'
  AND pof.path NOT IN (
@ -197,7 +216,7 @@ WHERE
  AND path_Exception NOT LIKE '/dev/shm/pym-%python3.%'
  AND NOT (
    device LIKE '/dev/bus/usb/%'
-    AND program_name IN (
+    AND p0.name IN (
      'adb',
      'fprintd',
      'fwupd',
--- a/detection/credentials/unexpected-dev-opener-macos.sql
+++ b/detection/credentials/unexpected-dev-opener-macos.sql
@ -8,10 +8,6 @@
 SELECT
  pof.pid,
  pof.path AS device,
-  p.path AS program,
-  p.name AS program_name,
-  p.cmdline AS cmdline,
-  hash.sha256,
  s.authority,
  s.identifier,
  CONCAT (
@ -30,12 +26,39 @@ SELECT
    s.authority,
    ',',
    s.identifier
-  ) AS exception_key
+  ) AS exception_key,
+  -- Child
+  p0.path AS p0_path,
+  p0.name AS p0_name,
+  p0.cmdline AS p0_cmd,
+  p0.cwd AS p0_cwd,
+  p0.cgroup_path AS p0_cgroup,
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1_f.mode AS p1_mode,
+  p1.euid AS p1_euid,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
 FROM
  process_open_files pof
-  LEFT JOIN processes p ON pof.pid = p.pid
-  LEFT JOIN hash ON hash.path = p.path
-  LEFT JOIN signature s ON p.path = s.path
+  LEFT JOIN processes p0 ON pof.pid = p0.pid
+  LEFT JOIN signature s ON p0.path = s.path
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN file p1_f ON p1.path = p1_f.path
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
  pof.path LIKE '/dev/%'
  AND pof.path NOT IN (
@ -47,9 +70,9 @@ WHERE
  )
  AND pof.path NOT LIKE '/dev/ttys%'
  -- Assume SIP
-  AND p.path NOT LIKE '/System/%'
-  AND p.path NOT LIKE '/usr/libexec/%'
-  AND p.path NOT LIKE '/usr/sbin/%'
+  AND p0.path NOT LIKE '/System/%'
+  AND p0.path NOT LIKE '/usr/libexec/%'
+  AND p0.path NOT LIKE '/usr/sbin/%'
  AND exception_key NOT IN (
    '/dev/afsc_type,revisiond,Software Signing,com.apple.revisiond',
    '/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd',
--- a/detection/discovery/unexpected-netutil-calls-linux.sql
+++ b/detection/discovery/unexpected-netutil-calls-linux.sql
@ -11,6 +11,7 @@ SELECT
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  p.cgroup_path AS p0_cgroup,
  -- Parent
--- a/detection/discovery/unexpected-netutil-calls-macos.sql
+++ b/detection/discovery/unexpected-netutil-calls-macos.sql
@ -12,6 +12,7 @@ SELECT
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  pe.euid AS p0_euid,
  p.cgroup_path AS p0_cgroup,
--- a/detection/evasion/empty_root_environ_linux.sql
+++ b/detection/evasion/empty_root_environ_linux.sql
@ -16,6 +16,7 @@ SELECT
  hash.sha256,
  p.parent,
  p.cmdline,
+  p.cwd,
  pp.name AS parent_name,
  pp.cmdline AS parent_cmd
  -- Processes is 20X faster to scan than process_envs
--- a/detection/evasion/empty_root_environ_macos.sql
+++ b/detection/evasion/empty_root_environ_macos.sql
@ -15,6 +15,7 @@ SELECT
  p.on_disk,
  p.parent,
  p.cmdline,
+  p.cwd,
  pp.name AS parent_name,
  pp.cmdline AS parent_cmd,
  signature.identifier,
--- a/detection/evasion/hidden-parent-pid.sql
+++ b/detection/evasion/hidden-parent-pid.sql
@ -1,3 +1,5 @@
+-- Find a process which has a parent that is not listed in the process table
+--
 -- Works well for revealing boopkit, so long as boopkit has a child process.
 --
 -- references:
@ -8,16 +10,16 @@
 --   * None observed
 --
 -- tags: persistent daemon
-SELECT
-  pp.*
-FROM
-  processes
-  JOIN processes pp ON processes.parent = pp.pid
-WHERE
-  processes.parent NOT IN (
-    SELECT
-      pid
-    FROM
-      processes
+SELECT p.*,
+  hash.sha256,
+  GROUP_CONCAT(DISTINCT pof.path) AS open_files
+FROM processes p
+  LEFT JOIN hash ON p.path = hash.path
+  LEFT JOIN process_open_files pof ON p.pid = pof.pid
+WHERE p.parent NOT IN (
+    SELECT pid
+    FROM processes
  )
-  AND processes.parent != 0;
+  AND p.parent != 0
+  AND p.parent IS NOT NULL
+GROUP BY p.pid
--- a/detection/evasion/parent-missing-from-disk-linux.sql
+++ b/detection/evasion/parent-missing-from-disk-linux.sql
@ -14,33 +14,39 @@
 --
 -- tags: persistent daemon
 SELECT
-  p.name AS child_name,
-  p.pid AS child_pid,
-  p.path AS child_path,
-  p.cmdline AS child_cmd,
-  p.euid AS child_euid,
-  p.gid AS child_gid,
-  p.cgroup_path AS child_cgroup,
-  hash.path,
-  p.on_disk AS child_on_disk,
-  pp.pid AS parent_pid,
-  pp.name AS parent_name,
-  pp.path AS parent_path,
-  pp.cmdline AS cmd,
-  pp.on_disk AS parent_on_disk,
-  pp.cgroup_path AS parent_cgroup,
-  pp.uid AS parent_uid,
-  pp.gid AS parent_gid
+  -- Child
+  p0.path AS p0_path,
+  p0.name AS p0_name,
+  p0.cmdline AS p0_cmd,
+  p0.cwd AS p0_cwd,
+  p0.cgroup_path AS p0_cgroup,
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
 FROM
-  processes p
-  JOIN processes pp ON pp.pid = p.parent
-  LEFT JOIN hash ON p.path = hash.path
+  processes p0
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  parent_on_disk != 1
-  AND child_on_disk = 1
-  AND NOT child_pid IN (1, 2)
-  AND NOT parent_pid IN (1, 2) -- launchd, kthreadd
-  AND NOT parent_path IN (
+  p1.on_disk != 1
+  AND p0.on_disk = 1
+  AND NOT p0.pid IN (1, 2)
+  AND NOT p1.pid IN (1, 2) -- launchd, kthreadd
+  AND NOT p1.path IN (
    '/opt/google/chrome/chrome',
    '/usr/bin/alacritty',
    '/usr/bin/doas',
@ -53,7 +59,7 @@ WHERE
    '/usr/libexec/gnome-terminal-server',
    '/usr/lib/systemd/systemd'
  ) -- long-running launchers
-  AND NOT parent_name IN (
+  AND NOT p1.name IN (
    'lightdm',
    'nvim',
    'gnome-shell',
@ -64,16 +70,16 @@ WHERE
    'kubelet'
  ) -- These alerts were unfortunately useless - lots of spam on macOS
  AND NOT (
-    parent_path LIKE '/app/%'
-    AND child_cgroup LIKE '/user.slice/user-1000.slice/user@1000.service/app.slice/%'
+    p1.path LIKE '/app/%'
+    AND p0.cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/app.slice/%'
  )
-  AND child_cgroup NOT LIKE '/system.slice/docker-%'
-  AND parent_cgroup NOT LIKE '/system.slice/docker-%'
-  AND parent_cgroup NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
-  AND parent_path NOT LIKE '/opt/homebrew/Cellar/%'
-  AND parent_path NOT LIKE '/tmp/.mount_%/%'
-  AND parent_path NOT LIKE '%google-cloud-sdk/.install/.backup%'
+  AND p0.cgroup_path NOT LIKE '/system.slice/docker-%'
+  AND p1.cgroup_path NOT LIKE '/system.slice/docker-%'
+  AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
+  AND p1.path NOT LIKE '/opt/homebrew/Cellar/%'
+  AND p1.path NOT LIKE '/tmp/.mount_%/%'
+  AND p1.path NOT LIKE '%google-cloud-sdk/.install/.backup%'
  AND NOT (
-    parent_name LIKE 'kworker/%+events_unbound'
-    AND child_name IN ('modprobe')
+    p1.name LIKE 'kworker/%+events_unbound'
+    AND p0.name IN ('modprobe')
  )
--- a/detection/evasion/parent-missing-from-disk-macos.sql
+++ b/detection/evasion/parent-missing-from-disk-macos.sql
@ -14,35 +14,52 @@
 --
 -- tags: persistent daemon
 SELECT
-  p.name AS child_name,
-  p.pid AS child_pid,
-  p.path AS child_path,
-  p.cmdline AS child_cmd,
-  p.euid AS child_euid,
-  p.gid AS child_gid,
-  hash.path,
-  p.on_disk AS child_on_disk,
-  pp.pid AS parent_pid,
-  pp.name AS parent_name,
-  pp.path AS parent_path,
-  pp.cmdline AS cmd,
-  pp.on_disk AS parent_on_disk,
-  pp.uid AS parent_uid,
-  pp.gid AS parent_gid
+  s.authority AS p0_auth,
+  s.identifier AS p0_id,
+  DATETIME(f.ctime, 'unixepoch') AS p0_changed,
+  DATETIME(f.mtime, 'unixepoch') AS p0_modified,
+  -- Child
+  p0.path AS p0_path,
+  p0.name AS p0_name,
+  p0.cmdline AS p0_cmd,
+  p0.cwd AS p0_cwd,
+  p0.cgroup_path AS p0_cgroup,
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1_f.mode AS p1_mode,
+  p1.euid AS p1_euid,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
 FROM
-  processes p
-  JOIN processes pp ON pp.pid = p.parent
-  LEFT JOIN hash ON p.path = hash.path
+  processes p0
+  LEFT JOIN file f ON p0.path = f.path
+  LEFT JOIN signature s ON p0.path = s.path
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN file p1_f ON p1.path = p1_f.path
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  parent_on_disk != 1
-  AND child_on_disk = 1
-  AND NOT child_pid IN (1, 2)
-  AND NOT parent_pid IN (1, 2) -- launchd, kthreadd
+  p1.on_disk != 1
+  AND p0.on_disk = 1
+  AND NOT p0.pid IN (1, 2)
+  AND NOT p1.pid IN (1, 2) -- launchd, kthreadd
  -- These alerts were unfortunately useless - lots of spam on macOS
  AND NOT (
-    parent_path = ''
-    AND p.uid > 500
+    p1.path = ''
+    AND p0.euid > 500
  )
-  AND parent_path NOT LIKE '/opt/homebrew/Cellar/%'
-  AND parent_path NOT LIKE '%google-cloud-sdk/.install/.backup%'
-  AND parent_path NOT LIKE '/private/var/folders/%/T/PKInstallSandboxTrash/%.sandboxTrash/%'
+  AND p1.path NOT LIKE '/opt/homebrew/Cellar/%'
+  AND p1.path NOT LIKE '%google-cloud-sdk/.install/.backup%'
+  AND p1.path NOT LIKE '/private/var/folders/%/T/PKInstallSandboxTrash/%.sandboxTrash/%'
--- a/detection/evasion/ssh-notty.sql
+++ b/detection/evasion/ssh-notty.sql
@ -17,6 +17,7 @@ FROM
      p.pid,
      p.name,
      p.cmdline AS cmd,
+      p.cwd,
      cp.name AS child_name,
      cp.cmdline AS child_cmd,
      gcp.name AS grandchild_name,
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@ -14,6 +14,7 @@ SELECT
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  p.cgroup_path AS p0_cgroup,
  -- Parent
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@ -13,6 +13,7 @@ SELECT -- Child
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  pe.euid AS p0_euid,
  p.cgroup_path AS p0_cgroup,
--- a/detection/execution/exotic-commands-linux.sql
+++ b/detection/execution/exotic-commands-linux.sql
@ -0,0 +1,135 @@
+-- Pick out exotic processes based on their command-line (state-based)
+--
+-- false positives:
+--   * possible, but none known
+--
+-- tags: transient process state
+-- platform: darwin
+SELECT
+  DATETIME(f.ctime, 'unixepoch') AS p0_changed,
+  DATETIME(f.mtime, 'unixepoch') AS p0_modified,
+  (strftime('%s', 'now') - p0.start_time) AS p0_runtime_s,
+  -- Child
+  p0.path AS p0_path,
+  p0.name AS p0_name,
+  p0.cmdline AS p0_cmd,
+  p0.cwd AS p0_cwd,
+  p0.cgroup_path AS p0_cgroup,
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1_f.mode AS p1_mode,
+  p1.euid AS p1_euid,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
+FROM
+  processes p0
+  LEFT JOIN file f ON p0.path = f.path
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN file p1_f ON p1.path = p1_f.path
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
+WHERE
+  -- Known attack scripts
+  p0.name IN (
+    'bitspin',
+    'bpftool',
+    'heyoka',
+    'nstx',
+    'dnscat2',
+    'tuns',
+    'iodine',
+    'esxcli',
+    'vim-cmd',
+    'minerd',
+    'cpuminer-multi',
+    'cpuminer',
+    'httpdns',
+    'rshell',
+    'rsh',
+    'xmrig',
+    'incbit',
+    'insmod',
+    'kmod',
+    'lushput',
+    'mkfifo',
+    'msfvenom',
+    'nc',
+    'socat'
+  )
+  OR p0.name LIKE '%pwn%'
+  OR p0.name LIKE '%xig%'
+  OR p0.name LIKE '%xmr%'
+  OR p0.cmdline LIKE '%bitspin%'
+  OR p0.cmdline LIKE '%lushput%'
+  OR p0.cmdline LIKE '%incbit%'
+  OR p0.cmdline LIKE '%traitor%'
+  OR p0.cmdline LIKE '%msfvenom%'
+  -- Unusual behaviors
+  OR p0.cmdline LIKE '%ufw disable%'
+  OR p0.cmdline LIKE '%iptables -P % ACCEPT%'
+  OR p0.cmdline LIKE '%iptables -F%'
+  OR p0.cmdline LIKE '%chattr -ia%'
+  OR p0.cmdline LIKE '%chflags uchg%'
+  OR p0.cmdline LIKE '%chmod 777 %'
+  OR p0.cmdline LIKE '%bpftool%'
+  OR p0.cmdline LIKE '%touch%acmr%'
+  OR p0.cmdline LIKE '%ld.so.preload%'
+  OR p0.cmdline LIKE '%urllib.urlopen%'
+  OR p0.cmdline LIKE '%nohup%tmp%'
+  OR p0.cmdline LIKE '%chrome%--load-extension%'
+  OR (
+    p0.cmdline LIKE '%UserKnownHostsFile=/dev/null%'
+    AND NOT p1.name = 'limactl'
+  )
+  -- Crypto miners
+  OR p0.cmdline LIKE '%c3pool%'
+  OR p0.cmdline LIKE '%cryptonight%'
+  OR p0.cmdline LIKE '%f2pool%'
+  OR p0.cmdline LIKE '%hashrate%'
+  OR p0.cmdline LIKE '%hashvault%'
+  OR p0.cmdline LIKE '%minerd%'
+  OR p0.cmdline LIKE '%monero%'
+  OR p0.cmdline LIKE '%nanopool%'
+  OR p0.cmdline LIKE '%nicehash%'
+  OR p0.cmdline LIKE '%stratum%'
+  -- Random keywords
+  OR p0.cmdline LIKE '%ransom%'
+  OR p0.cmdline LIKE '%malware%'
+  OR p0.cmdline LIKE '%plant%'
+  -- Reverse shells
+  OR p0.cmdline LIKE '%/dev/tcp/%'
+  OR p0.cmdline LIKE '%/dev/udp/%'
+  OR p0.cmdline LIKE '%fsockopen%'
+  OR p0.cmdline LIKE '%openssl%quiet%'
+  OR p0.cmdline LIKE '%pty.spawn%'
+  OR (
+    p0.cmdline LIKE '%sh -i'
+    AND NOT p0.path = '/usr/bin/docker'
+    AND NOT p1.name IN ('sh', 'java', 'containerd-shim')
+    AND NOT p1.cmdline LIKE '%pipenv shell'
+    AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
+  )
+  OR p0.cmdline LIKE '%socat%'
+  OR p0.cmdline LIKE '%SOCK_STREAM%'
+  OR INSTR(p0.cmdline, '%Socket.%') > 0
+  -- Keep the shell running, as in https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
+  OR (
+    p0.cmdline LIKE '%tail -f /dev/null%'
+    AND p0.cgroup_path NOT LIKE '/system.slice/docker-%'
+  )
+  AND NOT p0.cmdline IN (
+    'socat UNIX-LISTEN:/run/user/1000/app/com.discordapp0.Discord/discord-ipc-0,forever,fork UNIX-CONNECT:/run/user/1000/discord-ipc-0'
+  )
+   AND NOT p0.name IN ('cc1', 'compile', 'cmake', 'cc1plus')
--- a/detection/execution/exotic-commands-macos.sql
+++ b/detection/execution/exotic-commands-macos.sql
@ -0,0 +1,131 @@
+-- Pick out exotic processes based on their command-line (state-based)
+--
+-- false positives:
+--   * possible, but none known
+--
+-- tags: transient process state
+-- platform: darwin
+SELECT
+  s.authority AS p0_auth,
+  s.identifier AS p0_id,
+  DATETIME(f.ctime, 'unixepoch') AS p0_changed,
+  DATETIME(f.mtime, 'unixepoch') AS p0_modified,
+  (strftime('%s', 'now') - p0.start_time) AS p0_runtime_s,
+  -- Child
+  p0.path AS p0_path,
+  p0.name AS p0_name,
+  p0.cmdline AS p0_cmd,
+  p0.cwd AS p0_cwd,
+  p0.cgroup_path AS p0_cgroup,
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1_f.mode AS p1_mode,
+  p1.euid AS p1_euid,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
+FROM
+  processes p0
+  LEFT JOIN file f ON p0.path = f.path
+  LEFT JOIN signature s ON p0.path = s.path
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN file p1_f ON p1.path = p1_f.path
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
+WHERE
+  -- Known attack scripts
+  p0.name IN (
+    'bitspin',
+    'bpftool',
+    'heyoka',
+    'nstx',
+    'dnscat2',
+    'tuns',
+    'iodine',
+    'esxcli',
+    'vim-cmd',
+    'minerd',
+    'cpuminer-multi',
+    'cpuminer',
+    'httpdns',
+    'rshell',
+    'rsh',
+    'xmrig',
+    'incbit',
+    'insmod',
+    'kmod',
+    'lushput',
+    'mkfifo',
+    'msfvenom',
+    'nc',
+    'socat'
+  )
+  OR p0.name LIKE '%pwn%'
+  OR p0.name LIKE '%xig%'
+  OR p0.name LIKE '%xmr%'
+  OR p0.cmdline LIKE '%bitspin%'
+  OR p0.cmdline LIKE '%lushput%'
+  OR p0.cmdline LIKE '%incbit%'
+  OR p0.cmdline LIKE '%traitor%'
+  OR p0.cmdline LIKE '%msfvenom%'
+  -- Unusual behaviors
+  OR p0.cmdline LIKE '%chattr -ia%'
+  OR p0.cmdline LIKE '%chflags uchg%'
+  OR p0.cmdline LIKE '%chmod 777 %'
+  OR p0.cmdline LIKE '%touch%acmr%'
+  OR p0.cmdline LIKE '%urllib.urlopen%'
+  OR p0.cmdline LIKE '%launchctl load%'
+  OR p0.cmdline LIKE '%launchctl bootout%'
+  OR p0.cmdline LIKE '%nohup%tmp%'
+  OR p0.cmdline LIKE '%set visible of front window to false%'
+  OR p0.cmdline LIKE '%chrome%--load-extension%'
+  OR (
+    p0.cmdline LIKE '%UserKnownHostsFile=/dev/null%'
+    AND NOT p1.name = 'limactl'
+  )
+  -- Crypto miners
+  OR p0.cmdline LIKE '%c3pool%'
+  OR p0.cmdline LIKE '%cryptonight%'
+  OR p0.cmdline LIKE '%f2pool%'
+  OR p0.cmdline LIKE '%hashrate%'
+  OR p0.cmdline LIKE '%hashvault%'
+  OR p0.cmdline LIKE '%minerd%'
+  OR p0.cmdline LIKE '%monero%'
+  OR p0.cmdline LIKE '%nanopool%'
+  OR p0.cmdline LIKE '%nicehash%'
+  OR p0.cmdline LIKE '%stratum%'
+  -- Random keywords
+  OR p0.cmdline LIKE '%ransom%'
+  OR p0.cmdline LIKE '%malware%'
+  OR p0.cmdline LIKE '%plant%'
+  -- Reverse shells
+  OR p0.cmdline LIKE '%fsockopen%'
+  OR p0.cmdline LIKE '%openssl%quiet%'
+  OR p0.cmdline LIKE '%pty.spawn%'
+  OR (
+    p0.cmdline LIKE '%sh -i'
+    AND NOT p0.path = '/usr/bin/docker'
+    AND NOT p1.name IN ('sh', 'java', 'containerd-shim')
+    AND NOT p1.cmdline LIKE '%pipenv shell'
+    AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
+  )
+  OR p0.cmdline LIKE '%socat%'
+  OR p0.cmdline LIKE '%SOCK_STREAM%'
+  OR INSTR(p0.cmdline, '%Socket.%') > 0
+  -- Keep the shell running, as in https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
+  OR (
+    p0.cmdline LIKE '%tail -f /dev/null%'
+    AND p0.cgroup_path NOT LIKE '/system.slice/docker-%'
+  )
+  AND NOT p0.name IN ('cc1', 'compile', 'cmake', 'cc1plus')
--- a/detection/execution/exotic-commands.sql
+++ b/detection/execution/exotic-commands.sql
@ -1,123 +0,0 @@
-- Pick out exotic processes based on their command-line (state-based)
--
-- false positives:
--   * possible, but none known
--
-- tags: transient process state
-- platform: posix
-SELECT
-  p.path,
-  p.name,
-  p.cmdline AS cmd,
-  p.cwd,
-  p.cgroup_path,
-  p.euid,
-  p.parent,
-  pp.name AS parent_name,
-  pp.cmdline AS parent_cmd,
-  cp.name AS child_name,
-  cp.cmdline AS child_cmd,
-  hash.sha256 AS child_sha256,
-  phash.sha256 AS parent_sha256
-FROM
-  processes p
-  LEFT JOIN processes pp ON p.parent = pp.pid
-  LEFT JOIN processes cp ON p.pid = cp.parent
-  LEFT JOIN hash ON p.path = hash.path
-  LEFT JOIN hash AS phash ON pp.path = phash.path
-WHERE
-  -- Known attack scripts
-  p.name IN (
-    'bitspin',
-    'bpftool',
-    'heyoka',
-    'nstx',
-    'dnscat2',
-    'tuns',
-    'iodine',
-    'esxcli',
-    'vim-cmd',
-    'minerd',
-    'cpuminer-multi',
-    'cpuminer',
-    'httpdns',
-    'rshell',
-    'rsh',
-    'xmrig',
-    'incbit',
-    'insmod',
-    'kmod',
-    'lushput',
-    'mkfifo',
-    'msfvenom',
-    'nc',
-    'socat'
-  )
-  OR p.name LIKE '%pwn%'
-  OR p.name LIKE '%xig%'
-  OR p.name LIKE '%xmr%'
-  OR cmd LIKE '%bitspin%'
-  OR cmd LIKE '%lushput%'
-  OR cmd LIKE '%incbit%'
-  OR cmd LIKE '%traitor%'
-  OR cmd LIKE '%msfvenom%'
-  -- Unusual behaviors
-  OR cmd LIKE '%ufw disable%'
-  OR cmd LIKE '%iptables -P % ACCEPT%'
-  OR cmd LIKE '%iptables -F%'
-  OR cmd LIKE '%chattr -ia%'
-  OR cmd LIKE '%chflags uchg%'
-  OR cmd LIKE '%chmod 777 %'
-  OR cmd LIKE '%bpftool%'
-  OR cmd LIKE '%touch%acmr%'
-  OR cmd LIKE '%ld.so.preload%'
-  OR cmd LIKE '%urllib.urlopen%'
-  OR cmd LIKE '%launchctl load%'
-  OR cmd LIKE '%launchctl bootout%'
-  OR cmd LIKE '%nohup%tmp%'
-  OR cmd LIKE '%set visible of front window to false%'
-  OR cmd LIKE '%chrome%--load-extension%'
-  OR (
-    cmd LIKE '%UserKnownHostsFile=/dev/null%'
-    AND NOT parent_name = 'limactl'
-  )
-  -- Crypto miners
-  OR cmd LIKE '%c3pool%'
-  OR cmd LIKE '%cryptonight%'
-  OR cmd LIKE '%f2pool%'
-  OR cmd LIKE '%hashrate%'
-  OR cmd LIKE '%hashvault%'
-  OR cmd LIKE '%minerd%'
-  OR cmd LIKE '%monero%'
-  OR cmd LIKE '%nanopool%'
-  OR cmd LIKE '%nicehash%'
-  OR cmd LIKE '%stratum%'
-  -- Random keywords
-  OR cmd LIKE '%ransom%'
-  OR cmd LIKE '%malware%'
-  OR cmd LIKE '%plant%'
-  -- Reverse shells
-  OR cmd LIKE '%/dev/tcp/%'
-  OR cmd LIKE '%/dev/udp/%'
-  OR cmd LIKE '%fsockopen%'
-  OR cmd LIKE '%openssl%quiet%'
-  OR cmd LIKE '%pty.spawn%'
-  OR (
-    cmd LIKE '%sh -i'
-    AND NOT p.path = '/usr/bin/docker'
-    AND NOT parent_name IN ('sh', 'java', 'containerd-shim')
-    AND NOT parent_cmd LIKE '%pipenv shell'
-    AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
-  )
-  OR cmd LIKE '%socat%'
-  OR cmd LIKE '%SOCK_STREAM%'
-  OR INSTR(cmd, '%Socket.%') > 0
-  -- Keep the shell running, as in https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
-  OR (
-    cmd LIKE '%tail -f /dev/null%'
-    AND p.cgroup_path NOT LIKE '/system.slice/docker-%'
-  )
-  AND NOT cmd IN (
-    'socat UNIX-LISTEN:/run/user/1000/app/com.discordapp.Discord/discord-ipc-0,forever,fork UNIX-CONNECT:/run/user/1000/discord-ipc-0'
-  )
-   AND NOT p.name IN ('cc1', 'compile', 'cmake', 'cc1plus')
--- a/detection/execution/relative-exec-low-uid-events.sql
+++ b/detection/execution/relative-exec-low-uid-events.sql
@ -11,6 +11,7 @@ SELECT
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  p.cgroup_path AS p0_cgroup,
  -- Parent
--- a/detection/execution/relative-exec-low-uid.sql
+++ b/detection/execution/relative-exec-low-uid.sql
@ -11,6 +11,7 @@ SELECT
  p.path,
  p.euid,
  p.gid,
+  p.cwd,
  p.cgroup_path,
  f.ctime,
  f.directory AS dirname,
--- a/detection/execution/sketchy-fetcher-events.sql
+++ b/detection/execution/sketchy-fetcher-events.sql
@ -12,6 +12,7 @@ SELECT
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  p.cgroup_path AS p0_cgroup,
  -- Parent
--- a/detection/execution/unexpected-env-values-linux.sql
+++ b/detection/execution/unexpected-env-values-linux.sql
@ -9,31 +9,49 @@
 -- interval: 300
 -- platform: linux
 SELECT
-  p.pid,
-  p.name,
-  key,
-  value,
-  LENGTH(value) AS value_len,
-  p.path,
-  p.cmdline,
-  p.parent AS parent_pid,
-  pp.cmdline AS parent_cmd
+  pe.key,
+  pe.value,
+  LENGTH(pe.value) AS value_len,
+  -- Child
+  p0.path AS p0_path,
+  p0.name AS p0_name,
+  p0.cmdline AS p0_cmd,
+  p0.cwd AS p0_cwd,
+  p0.cgroup_path AS p0_cgroup,
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
+FROM
  -- Querying processes first and filtering by time gives a massive 20X speed improvement
  -- over querying process_envs first and JOIN'ing against processes
-FROM
-  processes p
-  JOIN process_envs pe ON p.pid = pe.pid
-  LEFT JOIN file f ON p.path = f.path
-  LEFT JOIN processes pp ON p.parent = pp.pid
+  processes p0
+  JOIN process_envs pe ON p0.pid = pe.pid
+  LEFT JOIN file f ON p0.path = f.path
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE -- This time should match the interval
-  p.start_time > (strftime('%s', 'now') - 300)
+  p0.start_time > (strftime('%s', 'now') - 300)
  AND (
-    key = 'HISTFILE'
-    AND NOT VALUE LIKE '/home/%/.%_history'
+    pe.key = 'HISTFILE'
+    AND NOT pe.value LIKE '/home/%/.%_history'
  )
  OR (
-    key = 'LD_PRELOAD'
-    AND NOT p.path LIKE '%/firefox'
+    pe.key = 'LD_PRELOAD'
+    AND NOT p0.path LIKE '%/firefox'
    AND NOT pe.value IN ('libfakeroot.so', '/usr/local/lib/libmimalloc.so')
    AND NOT pe.value LIKE ':/home/%/.local/share/Steam'
    AND NOT pe.value LIKE ':/home/%/.var/app/com.valvesoftware.Steam/%'
@ -44,8 +62,8 @@ WHERE -- This time should match the interval
  )
  -- setuid
  OR (
-    LENGTH(value) > 1024
-    AND key != 'LS_COLORS'
+    LENGTH(pe.value) > 1024
+    AND pe.key != 'LS_COLORS'
    AND f.mode IS NOT NULL
    AND f.mode NOT LIKE '0%'
  )
--- a/detection/execution/unexpected-env-values-macos.sql
+++ b/detection/execution/unexpected-env-values-macos.sql
@ -12,6 +12,7 @@ SELECT
  value,
  p.pid,
  p.path,
+  p.cwd,
  p.cmdline,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd
--- a/detection/execution/unexpected-execdir-linux.sql
+++ b/detection/execution/unexpected-execdir-linux.sql
@ -10,6 +10,7 @@ SELECT
  p.name,
  p.path,
  p.euid,
+  p.cwd,
  p.gid,
  p.cgroup_path,
  f.ctime,
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@ -13,6 +13,7 @@ SELECT
  p.path,
  p.euid,
  p.gid,
+  p.cwd,
  f.ctime,
  f.directory AS dir,
  REGEX_MATCH (p.path, '(/.*?/.*?/.*?)/', 1) AS top_dir, -- 3 levels deep
--- a/detection/execution/unexpected-executable-permissions.sql
+++ b/detection/execution/unexpected-executable-permissions.sql
@ -11,6 +11,7 @@
 SELECT
  p.pid,
  p.name,
+  p.cwd,
  p.path,
  f.mode,
  f.uid,
--- a/detection/execution/unexpected-fetcher-parent-events.sql
+++ b/detection/execution/unexpected-fetcher-parent-events.sql
@ -12,6 +12,7 @@ SELECT
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  p.cgroup_path AS p0_cgroup,
  -- Parent
--- a/detection/execution/unexpected-file-made-executable.sql
+++ b/detection/execution/unexpected-file-made-executable.sql
@ -11,6 +11,8 @@ SELECT
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
+  pe.euid AS p0_euid,
  pe.pid AS p0_pid,
  p.cgroup_path AS p0_cgroup,
  -- Parent
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
@ -17,6 +17,7 @@ SELECT
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  pe.euid AS p0_euid,
  p.cgroup_path AS p0_cgroup,
--- a/detection/execution/unexpected-raw-socket.sql
+++ b/detection/execution/unexpected-raw-socket.sql
@ -6,18 +6,38 @@
 -- tags: transient process state
 -- platform: posix
 SELECT
-  pop.pid,
-  p.path,
-  p.cmdline,
-  p.name,
-  hash.sha256
+  pop.*,
+  -- Child
+  p0.path AS p0_path,
+  p0.name AS p0_name,
+  p0.cmdline AS p0_cmd,
+  p0.cwd AS p0_cwd,
+  p0.cgroup_path AS p0_cgroup,
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
 FROM
  process_open_sockets pop
-  JOIN processes p ON pop.pid = p.pid
-  JOIN hash ON p.path = hash.path
+  LEFT JOIN processes p0 ON pop.pid = p0.pid
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  family = 17 -- PF_PACKET
-  AND name NOT IN (
+  pop.family = 17 -- PF_PACKET
+  AND p0.name NOT IN (
    'wpa_supplicant',
    'NetworkManager',
    'dhcpcd',
--- a/detection/execution/unexpected-root-signer-macos.sql
+++ b/detection/execution/unexpected-root-signer-macos.sql
@ -8,6 +8,7 @@ SELECT
  p.path,
  p.euid,
  p.gid,
+  p.cwd,
  f.ctime,
  f.directory AS dir,
  REGEX_MATCH (p.path, '(/.*?/.*?)/', 1) AS top_dir,
--- a/detection/execution/unexpected-sysutils-linux.sql
+++ b/detection/execution/unexpected-sysutils-linux.sql
@ -10,6 +10,7 @@ SELECT
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  p.cgroup_path AS p0_cgroup,
  -- Parent
--- a/detection/execution/unexpected-sysutils-macos.sql
+++ b/detection/execution/unexpected-sysutils-macos.sql
@ -10,6 +10,7 @@ SELECT
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  pe.euid AS p0_euid,
  s.authority AS p0_authority,
--- a/detection/execution/unexpected-xattr-calls-macos.sql
+++ b/detection/execution/unexpected-xattr-calls-macos.sql
@ -11,6 +11,7 @@ SELECT
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  pe.euid AS p0_euid,
  s.authority AS p0_authority,
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@ -15,6 +15,7 @@ SELECT
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  p.cgroup_path AS p0_cgroup,
  -- Parent
@ -197,6 +198,7 @@ WHERE

    OR exception_key IN (
      'bash,0,pia-daemon,launchd',
+      'bash,0,udevadm,udevadm',
      'zsh,500,python3.10,gnome-shell'
    )
    OR p0_cmd LIKE '%/bash -e%/bin/as -arch%'
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@ -17,6 +17,7 @@ SELECT
  p.pid,
  p.cgroup_path,
  p.parent,
+  p.cwd,
  pp.name AS parent_name,
  pp.path AS parent_path,
  pp.cmdline AS parent_cmd,
--- a/detection/persistence/unexpected-systemctl-calls-linux.sql
+++ b/detection/persistence/unexpected-systemctl-calls-linux.sql
@ -11,6 +11,7 @@ SELECT
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  p.cgroup_path AS p0_cgroup,
  -- Parent
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@ -9,40 +9,46 @@
 -- tags: persistent process state
 -- platform: linux
 SELECT
-  p.pid,
-  p.name,
-  p.path,
-  p.euid,
-  p.gid,
-  p.cgroup_path,
-  f.ctime,
-  f.directory AS dirname,
-  p.cmdline,
-  p.cgroup_path,
-  mnt_namespace,
-  hash.sha256,
-  pp.path AS parent_path,
-  pp.name AS parent_name,
-  pp.cmdline AS parent_cmdline
+  DATETIME(f.ctime, 'unixepoch') AS p0_changed,
+  DATETIME(f.mtime, 'unixepoch') AS p0_modified,
+  (strftime('%s', 'now') - p0.start_time) AS p0_runtime_s,
+  -- Child
+  p0.pid AS p0_pid,
+  p0.path AS p0_path,
+  p0.name AS p0_name,
+  p0.cmdline AS p0_cmd,
+  p0.cwd AS p0_cwd,
+  p0.cgroup_path AS p0_cgroup,
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1_f.mode AS p1_mode,
+  p1.euid AS p1_euid,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
 FROM
-  processes p
-  LEFT JOIN file f ON p.path = f.path
-  LEFT JOIN process_namespaces ON p.pid = process_namespaces.pid
-  LEFT JOIN hash ON p.path = hash.path
-  LEFT JOIN processes pp ON p.parent = pp.pid
+  processes p0
+  LEFT JOIN file f ON p0.path = f.path
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN file p1_f ON p1.path = p1_f.path
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  p.uid = 0
-  AND (strftime('%s', 'now') - p.start_time) > 15 -- use osquery as the reference mount namespace
-  AND mnt_namespace IN (
-    SELECT DISTINCT
-      (mnt_namespace)
-    FROM
-      process_namespaces
-      JOIN processes ON processes.pid = process_namespaces.pid
-    WHERE
-      processes.name IN ('osqueryi', 'osqueryd')
-  )
-  AND p.path NOT IN (
+  p0.euid = 0
+  AND p0.parent > 0
+  AND (strftime('%s', 'now') - p0.start_time) > 15
+  AND p0.path NOT IN (
    '',
    '/sbin/apcupsd',
    '/sbin/mount.ntfs',
@ -50,9 +56,22 @@ WHERE
    '/usr/bin/abrt-dump-journal-oops',
    '/usr/bin/abrt-dump-journal-xorg',
    '/usr/bin/anacron',
+    '/usr/bin/NetworkManager',
+    '/usr/lib/upowerd',
+    '/usr/bin/fusermount3',
    '/usr/bin/apcupsd',
    '/usr/bin/bash',
    '/usr/bin/clamscan',
+    '/usr/lib/fwupd/fwupd',
+    '/usr/lib/accounts-daemon',
+    '/usr/lib/systemd/systemd-logind',
+    '/usr/lib/boltd',
+    '/usr/lib/power-profiles-daemon',
+    '/usr/bin/udevadm',
+    '/usr/bin/doas',
+    '/usr/bin/auditd',
+    '/usr/lib/boltd',
+    '/usr/lib/bluetooth/bluetoothd',
    '/usr/bin/containerd',
    '/usr/bin/containerd-shim-runc-v2',
    '/usr/bin/crond',
@ -135,7 +154,7 @@ WHERE
    '/usr/sbin/zed'
  )
  -- Because I don't want to whitelist all of Python3
-  AND p.cmdline NOT IN (
+  AND p0.cmdline NOT IN (
    '/bin/sh /usr/lib/apt/apt.systemd.daily lock_is_held',
    '/sbin/init splash',
    '/usr/bin/monitorix -c /etc/monitorix/monitorix.conf -p /run/monitorix.pid',
@ -151,14 +170,15 @@ WHERE
    '/usr/bin/xargs',
    'xargs logger -s'
  )
-  AND NOT p.cmdline LIKE '/usr/bin/python3 -s% /usr/sbin/firewalld%'
-  AND NOT p.cmdline LIKE '/usr/bin/python3 /usr/bin/dnf %'
-  AND NOT p.cmdline LIKE '/usr/bin/python3 /usr/bin/yum %'
-  AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
-  AND p.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'
-  AND p.path NOT LIKE '/nix/store/%/bin/%'
-  AND p.path NOT LIKE '/nix/store/%-systemd-%/lib/systemd/systemd%'
-  AND p.path NOT LIKE '/nix/store/%/libexec/%'
-  AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snapd'
+  AND NOT p0.cmdline LIKE '/usr/bin/python3 -s% /usr/sbin/firewalld%'
+  AND NOT p0.cmdline LIKE '/usr/bin/python3 /usr/bin/dnf %'
+  AND NOT p0.cmdline LIKE '/usr/bin/python3 /usr/bin/yum %'
+  AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
+  AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'
+  AND p0.path NOT LIKE '/nix/store/%/bin/%'
+  AND p0.path NOT LIKE '/nix/store/%-systemd-%/lib/systemd/systemd%'
+  AND p0.path NOT LIKE '/nix/store/%/libexec/%'
+  AND p0.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snapd'
  -- Exclude processes running inside of Docker containers
-  AND NOT p.cgroup_path LIKE '/system.slice/docker-%';
+  AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
+GROUP BY p0.pid
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
@ -9,27 +9,44 @@
 -- tags: persistent process state
 -- platform: darwin
 SELECT
-  p.pid,
-  p.name,
-  p.path,
-  p.euid,
-  p.gid,
-  f.ctime,
-  f.directory AS dirname,
-  p.cmdline,
-  hash.sha256,
-  pp.name AS parent_name,
-  pp.cmdline AS parent_cmdline,
-  signature.identifier,
-  signature.authority
+  s.authority AS p0_auth,
+  s.identifier AS p0_id,
+  DATETIME(f.ctime, 'unixepoch') AS p0_changed,
+  DATETIME(f.mtime, 'unixepoch') AS p0_modified,
+  (strftime('%s', 'now') - p0.start_time) AS p0_runtime_s,
+  -- Child
+  p0.path AS p0_path,
+  p0.name AS p0_name,
+  p0.cmdline AS p0_cmd,
+  p0.cwd AS p0_cwd,
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1_f.mode AS p1_mode,
+  p1.euid AS p1_euid,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
 FROM
-  processes p
-  LEFT JOIN file f ON p.path = f.path
-  LEFT JOIN hash ON p.path = hash.path
-  LEFT JOIN processes pp ON p.parent = pp.pid
-  LEFT JOIN signature ON p.path = signature.path
+  processes p0
+  LEFT JOIN file f ON p0.path = f.path
+  LEFT JOIN signature s ON p0.path = s.path
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN file p1_f ON p1.path = p1_f.path
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  p.uid = 0
+  p0.euid = 0
  AND (strftime('%s', 'now') - p.start_time) > 15
  AND p.path NOT IN (
    '/Applications/Foxit PDF Reader.app/Contents/MacOS/FoxitPDFReaderUpdateService.app/Contents/MacOS/FoxitPDFReaderUpdateService',
--- a/detection/privesc/setxid-cmdline-overflow-attempt.sql
+++ b/detection/privesc/setxid-cmdline-overflow-attempt.sql
@ -1,26 +1,49 @@
 -- Find setuid events with large cmdlines
 --
 -- platform: posix
-- interval: 60
+-- interval: 300
 SELECT
-  p.pid AS child_pid,
-  p.path AS child_path,
-  REGEX_MATCH (RTRIM(file.path, '/'), '.*/(.*?)$', 1) AS child_name,
-  p.cmdline AS child_cmdline,
-  p.auid AS child_auid,
-  p.euid AS child_euid,
-  file.mode AS child_mode,
-  p.parent AS parent_pid,
-  pp.cmdline AS parent_cmdline,
-  p.cmdline_size
+  file.mode AS p0_binary_mode,
+  pe.cmdline_size AS p0_cmd_size,
+  -- Child
+  pe.path AS p0_path,
+  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
+  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
+  pe.pid AS p0_pid,
+  pe.euid AS p0_euid,
+  p.cgroup_path AS p0_cgroup,
+  -- Parent
+  pe.parent AS p1_pid,
+  p1.cgroup_path AS p1_cgroup,
+  TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
+  COALESCE(p1.path, pe1.path) AS p1_path,
+  COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
+  REGEX_MATCH(COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
+  -- Grandparent
+  COALESCE(p1.parent, pe1.parent) AS p2_pid,
+  COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,
+  TRIM(COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)) AS p2_cmd,
+  COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
+  COALESCE(p1_p2_hash.path, pe1_p2_hash.path, pe1_pe2_hash.path) AS p2_hash,
+  REGEX_MATCH(COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path), '.*/(.*)', 1) AS p2_name
 FROM
-  process_events p
-  JOIN processes pp ON p.parent = pp.pid
-  LEFT JOIN file ON p.path = file.path
-  LEFT JOIN hash ON p.path = hash.path
-  LEFT JOIN file AS pfile ON pp.path = pfile.path
-  LEFT JOIN hash AS phash ON pp.path = phash.path
+  process_events pe
+  LEFT JOIN file ON pe.path = file.path
+  LEFT JOIN processes p ON pe.pid = p.pid
+  -- Parents (via two paths)
+  LEFT JOIN processes p1 ON pe.parent = p1.pid
+  LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
+  LEFT JOIN process_events pe1 ON pe.parent = pe1.pid AND pe1.cmdline != ''
+  LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
+  -- Grandparents (via 3 paths)
+  LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
+  LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
+  LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
+  LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
+  LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
+  LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
 WHERE
-  p.time > (strftime('%s', 'now') -60)
+  pe.time > (strftime('%s', 'now') -300)
  AND file.mode NOT LIKE '0%'
-  AND p.cmdline_size > 2048
+  AND pe.cmdline_size > 2048
--- a/detection/privesc/setxid-env-overflow-attempt.sql
+++ b/detection/privesc/setxid-env-overflow-attempt.sql
@ -13,24 +13,49 @@
 -- Uncomment once the underlying problem is addressed:
 -- XintervalX: 60
 SELECT
-  p.pid AS child_pid,
-  p.path AS child_path,
-  REGEX_MATCH (RTRIM(file.path, '/'), '.*/(.*?)$', 1) AS child_name,
-  p.cmdline AS child_cmdline,
-  p.euid AS child_euid,
-  file.mode AS child_mode,
-  p.parent AS parent_pid,
-  pp.cmdline AS parent_cmdline,
-  p.env,
-  p.env_size
+  file.mode AS p0_binary_mode,
+  pe.env AS p0_env,
+  pe.env_size AS p0_env_size,
+  -- Child
+  pe.path AS p0_path,
+  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
+  TRIM(pe.cmdline) AS p0_cmd,
+  pe.euid AS p0_euid,
+  pe.cwd AS p0_cwd,
+  pe.pid AS p0_pid,
+  p.cgroup_path AS p0_cgroup,
+  -- Parent
+  pe.parent AS p1_pid,
+  p1.cgroup_path AS p1_cgroup,
+  TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
+  COALESCE(p1.path, pe1.path) AS p1_path,
+  COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
+  REGEX_MATCH(COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
+  -- Grandparent
+  COALESCE(p1.parent, pe1.parent) AS p2_pid,
+  COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,
+  TRIM(COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)) AS p2_cmd,
+  COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
+  COALESCE(p1_p2_hash.path, pe1_p2_hash.path, pe1_pe2_hash.path) AS p2_hash,
+  REGEX_MATCH(COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path), '.*/(.*)', 1) AS p2_name
 FROM
-  process_events p
-  JOIN processes pp ON p.parent = pp.pid
-  LEFT JOIN file ON p.path = file.path
-  LEFT JOIN hash ON p.path = hash.path
-  LEFT JOIN file AS pfile ON pp.path = pfile.path
-  LEFT JOIN hash AS phash ON pp.path = phash.path
+  process_events pe
+  LEFT JOIN file ON pe.path = file.path
+  LEFT JOIN processes p ON pe.pid = p.pid
+  -- Parents (via two paths)
+  LEFT JOIN processes p1 ON pe.parent = p1.pid
+  LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
+  LEFT JOIN process_events pe1 ON pe.parent = pe1.pid AND pe1.cmdline != ''
+  LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
+
+  -- Grandparents (via 3 paths)
+  LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
+  LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
+  LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
+  LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
+  LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
+  LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
 WHERE
-  p.time > (strftime('%s', 'now') -60)
+  pe.time > (strftime('%s', 'now') -60)
  AND file.mode NOT LIKE '0%'
-  AND p.env_size > 3500
+  AND pe.env_size > 3500
--- a/detection/privesc/unexpected-elevated-children-events_linux.sql
+++ b/detection/privesc/unexpected-elevated-children-events_linux.sql
@ -9,36 +9,52 @@
 --
 -- tags: events process escalation
 -- platform: linux
-- interval: 30
+-- interval: 60
 SELECT
-  p.pid AS child_pid,
-  p.path AS child_path,
-  REGEX_MATCH (RTRIM(file.path, '/'), '.*/(.*?)$', 1) AS child_name,
-  p.cmdline AS child_cmdline,
-  p.time,
-  pp.cgroup_path,
-  pp.start_time,
-  p.euid AS child_euid,
-  file.mode AS child_mode,
-  hash.sha256 AS child_hash,
-  p.parent AS parent_pid,
-  pp.path AS parent_path,
-  pp.name AS parent_name,
-  pp.cmdline AS parent_cmdline,
-  pp.euid AS parent_euid,
-  pfile.mode AS parent_mode,
-  phash.sha256 AS parent_hash
+  file.mode AS p0_binary_mode,
+  pe.cmdline_size AS p0_cmd_size,
+  -- Child
+  pe.path AS p0_path,
+  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
+  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
+  pe.pid AS p0_pid,
+  p.cgroup_path AS p0_cgroup,
+  -- Parent
+  pe.parent AS p1_pid,
+  p1.cgroup_path AS p1_cgroup,
+  TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
+  COALESCE(p1.path, pe1.path) AS p1_path,
+  COALESCE(p1.euid, pe1.euid) AS p1_euid,
+  COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
+  REGEX_MATCH(COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
+  -- Grandparent
+  COALESCE(p1.parent, pe1.parent) AS p2_pid,
+  COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,
+  TRIM(COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)) AS p2_cmd,
+  COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
+  COALESCE(p1_p2_hash.path, pe1_p2_hash.path, pe1_pe2_hash.path) AS p2_hash,
+  REGEX_MATCH(COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path), '.*/(.*)', 1) AS p2_name
 FROM
-  process_events p
-  JOIN processes pp ON p.parent = pp.pid
-  LEFT JOIN file ON p.path = file.path
-  LEFT JOIN hash ON p.path = hash.path
-  LEFT JOIN file AS pfile ON pp.path = pfile.path
-  LEFT JOIN hash AS phash ON pp.path = phash.path
+  process_events pe
+  LEFT JOIN file ON pe.path = file.path
+  LEFT JOIN processes p ON pe.pid = pe.pid
+  -- Parents (via two paths)
+  LEFT JOIN processes p1 ON pe.parent = p1.pid
+  LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
+  LEFT JOIN process_events pe1 ON pe.parent = pe1.pid AND pe1.cmdline != ''
+  LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
+  -- Grandparents (via 3 paths)
+  LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
+  LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
+  LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
+  LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
+  LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
+  LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
 WHERE
-  p.time > (strftime('%s', 'now') -30)
-  AND p.euid < pp.euid
-  AND p.path NOT IN (
+  pe.time > (strftime('%s', 'now') -60)
+  AND pe.euid < p1_euid
+  AND pe.path NOT IN (
    '/',
    '/bin/ps',
    '/usr/bin/doas',
@ -60,29 +76,29 @@ WHERE
    '/usr/lib/Xorg.wrap',
    '/usr/lib/xorg/Xorg.wrap'
  )
-  AND p.path NOT LIKE '/nix/store/%/bin/sudo'
-  AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd'
-  AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
-  AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-update-ns'
-  AND NOT pp.cmdline IN (
+  AND pe.path NOT LIKE '/nix/store/%/bin/sudo'
+  AND pe.path NOT LIKE '/nix/store/%/bin/dhcpcd'
+  AND pe.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
+  AND pe.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-update-ns'
+  AND NOT p1_cmd IN (
    '/usr/lib/systemd/systemd --user',
    '/bin/sh -c /usr/bin/pkexec /usr/share/apport/apport-gtk'
  )
  -- used by kind
  AND NOT (
-    p.path = '/usr/bin/bash'
-    AND p.cmdline = '/bin/bash /usr/local/bin/mount-product-files'
+    pe.path = '/usr/bin/bash'
+    AND pe.cmdline = '/bin/bash /usr/local/bin/mount-product-files'
  )
  AND NOT (
-    child_name = 'polkit-agent-helper-1'
-    AND parent_path = '/usr/bin/gnome-shell'
+    p0_name = 'polkit-agent-helper-1'
+    AND p1_path = '/usr/bin/gnome-shell'
  )
  AND NOT (
-    child_name = 'fusermount3'
-    AND parent_path = '/usr/lib/xdg-document-portal'
+    p0_name = 'fusermount3'
+    AND p1_path = '/usr/lib/xdg-document-portal'
  )
  AND NOT (
-    child_name IN ('dash', 'pkexec')
-    AND parent_path = '/usr/bin/update-notifier'
+    p0_name IN ('dash', 'pkexec')
+    AND p1_path = '/usr/bin/update-notifier'
  )
-  AND NOT cgroup_path LIKE '/system.slice/docker-%'
+  AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
--- a/detection/privesc/unexpected-elevated-children-events_macos.sql
+++ b/detection/privesc/unexpected-elevated-children-events_macos.sql
@ -15,6 +15,7 @@ SELECT
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  pe.euid AS p0_euid,
  p.cgroup_path AS p0_cgroup,
--- a/detection/privesc/unexpected-privilege-escalation_linux.sql
+++ b/detection/privesc/unexpected-privilege-escalation_linux.sql
@ -10,31 +10,39 @@
 -- tags: transient rapid state process escalation
 -- platform: linux
 SELECT
-  p.pid AS child_pid,
-  p.path AS child_path,
-  p.name AS child_name,
-  p.cmdline AS child_cmdline,
-  p.euid AS child_euid,
-  p.state AS child_state,
-  file.mode AS child_mode,
-  hash.sha256 AS child_hash,
-  p.parent AS parent_pid,
-  pp.path AS parent_path,
-  pp.name AS parent_name,
-  pp.cmdline AS parent_cmdline,
-  pp.euid AS parent_euid,
-  pfile.mode AS parent_mode,
-  phash.sha256 AS parent_hash
+  -- Child
+  p0.path AS p0_path,
+  p0.name AS p0_name,
+  p0.cmdline AS p0_cmd,
+  p0.cwd AS p0_cwd,
+  p0.cgroup_path AS p0_cgroup,
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1_f.mode AS p1_mode,
+  p1.euid AS p1_euid,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
 FROM
-  processes p
-  JOIN processes pp ON p.parent = pp.pid
-  LEFT JOIN file ON p.path = file.path
-  LEFT JOIN hash ON p.path = hash.path
-  LEFT JOIN file AS pfile ON pp.path = pfile.path
-  LEFT JOIN hash AS phash ON pp.path = phash.path
+  processes p0
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN file p1_f ON p1.path = p1_f.path
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  p.euid < p.uid
-  AND p.path NOT IN (
+  p0.euid < p0.uid
+  AND p0.path NOT IN (
    '/bin/ps',
    '/usr/bin/doas',
    '/usr/bin/fusermount',
@ -45,22 +53,22 @@ WHERE
    '/usr/bin/sudo',
    '/usr/bin/top'
  )
-  AND p.path NOT LIKE '/nix/store/%/bin/sudo'
-  AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd'
-  AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
+  AND p0.path NOT LIKE '/nix/store/%/bin/sudo'
+  AND p0.path NOT LIKE '/nix/store/%/bin/dhcpcd'
+  AND p0.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
  AND NOT (
-    p.name = 'polkit-agent-he'
-    AND parent_path = '/usr/bin/gnome-shell'
+    p0.name = 'polkit-agent-he'
+    AND p1.path = '/usr/bin/gnome-shell'
  )
  AND NOT (
-    p.name = 'fusermount3'
-    AND parent_path = '/usr/lib/xdg-document-portal'
+    p0.name = 'fusermount3'
+    AND p1.path = '/usr/lib/xdg-document-portal'
  )
  AND NOT (
-    p.path = '/usr/bin/pkexec'
-    AND parent_path = '/usr/bin/update-notifier'
+    p0.path = '/usr/bin/pkexec'
+    AND p1.path = '/usr/bin/update-notifier'
  )
  AND NOT (
-    p.path = '/usr/libexec/xdg-permission-store'
-    AND parent_path = '/usr/lib/systemd/systemd'
+    p0.path = '/usr/libexec/xdg-permission-store'
+    AND p1.path = '/usr/lib/systemd/systemd'
  )
--- a/detection/privesc/unexpected-privilege-escalation_macos.sql
+++ b/detection/privesc/unexpected-privilege-escalation_macos.sql
@ -10,31 +10,42 @@
 -- tags: transient rapid state process escalation
 -- platform: darwin
 SELECT
-  p.pid AS child_pid,
-  p.path AS child_path,
-  p.name AS child_name,
-  p.cmdline AS child_cmdline,
-  p.euid AS child_euid,
-  p.state AS child_state,
-  file.mode AS child_mode,
-  hash.sha256 AS child_hash,
-  p.parent AS parent_pid,
-  pp.path AS parent_path,
-  pp.name AS parent_name,
-  pp.cmdline AS parent_cmdline,
-  pp.euid AS parent_euid,
-  pfile.mode AS parent_mode,
-  phash.sha256 AS parent_hash
+  s.authority AS p0_auth,
+  s.identifier AS p0_id,
+  -- Child
+  p0.path AS p0_path,
+  p0.name AS p0_name,
+  p0.cmdline AS p0_cmd,
+  p0.cwd AS p0_cwd,
+  p0.cgroup_path AS p0_cgroup,
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1_f.mode AS p1_mode,
+  p1.euid AS p1_euid,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
 FROM
-  processes p
-  JOIN processes pp ON p.parent = pp.pid
-  LEFT JOIN file ON p.path = file.path
-  LEFT JOIN hash ON p.path = hash.path
-  LEFT JOIN file AS pfile ON pp.path = pfile.path
-  LEFT JOIN hash AS phash ON pp.path = phash.path
+  processes p0
+  LEFT JOIN signature s ON p0.path = s.path
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN file p1_f ON p1.path = p1_f.path
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  p.euid < p.uid
-  AND p.path NOT IN (
+  p0.euid < p0.uid
+  AND p0.path NOT IN (
    '',
    '/bin/ps',
    '/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service',
--- a/fragments/process_event_parents.sql
+++ b/fragments/process_event_parents.sql
@ -0,0 +1,40 @@
+-- Canonical example of including process parents from process_events
+SELECT
+  -- Child
+  pe.path AS p0_path,
+  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
+  TRIM(pe.cmdline) AS p0_cmd,
+  pe.cwd AS p0_cwd,
+  pe.pid AS p0_pid,
+  pe.euid AS p0_euid,
+  p.cgroup_path AS p0_cgroup,
+  -- Parent
+  pe.parent AS p1_pid,
+  p1.cgroup_path AS p1_cgroup,
+  TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
+  COALESCE(p1.path, pe1.path) AS p1_path,
+  COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
+  REGEX_MATCH(COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
+  -- Grandparent
+  COALESCE(p1.parent, pe1.parent) AS p2_pid,
+  COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,
+  TRIM(COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)) AS p2_cmd,
+  COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
+  COALESCE(p1_p2_hash.path, pe1_p2_hash.path, pe1_pe2_hash.path) AS p2_hash,
+  REGEX_MATCH(COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path), '.*/(.*)', 1) AS p2_name
+FROM
+  process_events pe
+  LEFT JOIN file ON pe.path = file.path
+  LEFT JOIN processes p ON pe.pid = p.pid
+  -- Parents (via two paths)
+  LEFT JOIN processes p1 ON pe.parent = p1.pid
+  LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
+  LEFT JOIN process_events pe1 ON pe.parent = pe1.pid AND pe1.cmdline != ''
+  LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
+  -- Grandparents (via 3 paths)
+  LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
+  LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
+  LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
+  LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
+  LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
+  LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
--- a/fragments/process_parents.sql
+++ b/fragments/process_parents.sql
@ -0,0 +1,32 @@
+-- Canonical example of information to include for processes
+SELECT
+  -- Child
+  p0.path AS p0_path,
+  p0.name AS p0_name,
+  p0.cmdline AS p0_cmd,
+  p0.cwd AS p0_cwd,
+  p0.cgroup_path AS p0_cgroup,
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1.euid AS p1_euid,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
+FROM
+  process_open_sockets pop
+  LEFT JOIN processes p0 ON pop.pid = p0.pid
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
+WHERE