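-- Programs spawned from an executable whose ctime equals its mtime.
-- On Linux this generally only occurs if the file has been run through 'touch'
-- (plain `touch` sets both timestamps to "now"), so it is a heuristic for
-- timestomping or for a binary that was written/dropped in place rather than
-- installed normally.
--
-- NOTE: This is not suitable as a detection method on macOS, where this
-- condition is extremely common.
--
-- NOTE(review): the exclusions below are all toolchain/updater output
-- directories, which suggests freshly built or self-updated binaries also
-- match this condition — confirm before tuning. Every `/home/%/...` exclusion
-- is a path prefix under a user-writable directory, so an attacker who knows
-- the allow-list can evade it by dropping a binary there; treat the
-- exclusions as noise reduction, not as a trust boundary, and review them
-- periodically.
SELECT
  p.pid,
  p.path,
  p.name,
  p.cmdline,
  p.cwd,
  p.euid,
  p.parent,
  f.ctime,
  f.btime,
  f.mtime,
  p.start_time,
  pp.path AS parent_path,
  pp.cmdline AS parent_cmd,
  pp.cwd AS parent_cwd,
  hash.sha256 AS sha256
FROM processes p
  -- Joined on the executable path. The WHERE clause compares f.ctime and
  -- f.mtime, so a process with no matching `file` row yields NULL = NULL
  -- (UNKNOWN) and is dropped: the LEFT JOIN is effectively INNER.
  LEFT JOIN file f ON p.path = f.path
  -- Parent process context, for triage of what launched the binary
  LEFT JOIN processes pp ON p.parent = pp.pid
  -- Content hash of the executable on disk, for pivoting to threat intel
  LEFT JOIN hash ON p.path = hash.path
WHERE
  f.ctime = f.mtime
  -- Known-benign writers of freshly written binaries
  AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
  AND f.path NOT LIKE '/snap/%'
  AND f.path NOT LIKE '/home/%/go/bin/%'
  AND f.path NOT LIKE '/home/%/.rustup/%'
  -- Generalized from a single hard-coded username so the exclusion applies
  -- to any user's JetBrains Toolbox install, consistent with the other
  -- `/home/%/` prefixes above
  AND f.path NOT LIKE '/home/%/.local/share/JetBrains/Toolbox/bin/%'
  AND f.path NOT LIKE '/home/%/.cache/cloud-code/bin/%'
-- One row per process; the osquery engine is SQLite-based, which permits the
-- bare (non-aggregated) columns above under GROUP BY
GROUP BY p.pid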