From eedfdfb23d12336342fb8e7228a4c65d71e4614a Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 21 Oct 2022 17:38:29 -0400
Subject: [PATCH] Fix table joins: hash->phash
---
 detection/privesc/unexpected-privilege-escalation-events.sql | 4 ++--
 detection/privesc/unexpected-privilege-escalation.sql | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/detection/privesc/unexpected-privilege-escalation-events.sql b/detection/privesc/unexpected-privilege-escalation-events.sql
index c7cf69a..9b00ef0 100644
--- a/detection/privesc/unexpected-privilege-escalation-events.sql
+++ b/detection/privesc/unexpected-privilege-escalation-events.sql
@@ -30,8 +30,8 @@ FROM
 JOIN processes pp ON p.parent = pp.pid
 LEFT JOIN file ON p.path = file.path
 LEFT JOIN hash ON p.path = hash.path
- LEFT JOIN file AS pfile ON pp.path = file.path
- LEFT JOIN hash AS phash ON pp.path = hash.path
+ LEFT JOIN file AS pfile ON pp.path = pfile.path
+ LEFT JOIN hash AS phash ON pp.path = phash.path
 WHERE
 p.time > (strftime('%s', 'now') -30)
 AND p.euid < pp.euid
diff --git a/detection/privesc/unexpected-privilege-escalation.sql b/detection/privesc/unexpected-privilege-escalation.sql
index 2d4ea21..8d14db1 100644
--- a/detection/privesc/unexpected-privilege-escalation.sql
+++ b/detection/privesc/unexpected-privilege-escalation.sql
@@ -30,8 +30,8 @@ FROM
 JOIN processes pp ON p.parent = pp.pid
 LEFT JOIN file ON p.path = file.path
 LEFT JOIN hash ON p.path = hash.path
- LEFT JOIN file AS pfile ON pp.path = file.path
- LEFT JOIN hash AS phash ON pp.path = hash.path
+ LEFT JOIN file AS pfile ON pp.path = pfile.path
+ LEFT JOIN hash AS phash ON pp.path = phash.path
 WHERE
 p.euid < pp.euid
 AND p.path NOT IN (
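Review bot: The child-side joins in the first hunk still use the bare table names (`LEFT JOIN file ON p.path = file.path`, `LEFT JOIN hash ON p.path = hash.path`) right next to the aliased parent-side joins, which is the layout that let the old `ON pp.path = file.path` resolve without error and, presumably, return empty parent file and hash columns unnoticed. Aliasing the child side as well, for example `LEFT JOIN file AS cfile ON p.path = cfile.path` and `LEFT JOIN hash AS chash ON p.path = chash.path`, would make a stray `file.path` or `hash.path` reference fail when the query is prepared instead of quietly weakening the detection. The identical hunk in unexpected-privilege-escalation.sql has the same shape. The SELECT list lies outside both hunks, so any `file.` or `hash.` column references there would need the same rename.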