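-- Events version of sketchy-fetchers
-- Designed for execution every 5 minutes
--
-- Reports process execution events whose command line matches one of the
-- fetch patterns below, enriched with the parent process (path, name,
-- cmdline, euid) and the SHA-256 of the parent's executable.
-- Tables read: process_events, processes, hash (osquery schema names).
--
-- Triage notes:
--   * The matched p.cmdline is filtered on but is not part of the output;
--     NOTE(review): consider selecting it so an alert shows what was fetched.
--   * parent_* columns come from the live processes table, not from the
--     event itself. They are NULL when the parent has already exited, and a
--     reused PID could attribute a different process; treat them as a hint.
--   * Every exclusion below is a plain substring test on attacker-influenced
--     text (a command line), so keep the list short and review additions.
SELECT
    p.pid,
    p.path,
    p.mode,
    p.cwd,
    p.euid,
    p.parent,
    p.syscall,
    pp.path AS parent_path,
    pp.name AS parent_name,
    pp.cmdline AS parent_cmdline,
    pp.euid AS parent_euid,
    hash.sha256 AS parent_sha256
FROM process_events AS p
LEFT JOIN processes AS pp
    ON p.parent = pp.pid
LEFT JOIN hash
    ON pp.path = hash.path
WHERE
    (
        -- Tor hidden services / gateways and specific hosting or paste sites
        p.cmdline LIKE '%.onion%'
        OR p.cmdline LIKE '%tor2web%'
        OR p.cmdline LIKE '%aliyun%'
        OR p.cmdline LIKE '%pastebin%'
        -- curl: an argument containing "/." (a dot-prefixed path component)
        OR p.cmdline LIKE '%curl %/.%'
        -- curl: a dot followed by a digit, e.g. a numeric host such as a raw
        -- IP address (this also matches version-like strings)
        OR p.cmdline LIKE '%curl %.0%'
        OR p.cmdline LIKE '%curl %.1%'
        OR p.cmdline LIKE '%curl %.2%'
        OR p.cmdline LIKE '%curl %.3%'
        OR p.cmdline LIKE '%curl %.4%'
        OR p.cmdline LIKE '%curl %.5%'
        OR p.cmdline LIKE '%curl %.6%'
        OR p.cmdline LIKE '%curl %.7%'
        OR p.cmdline LIKE '%curl %.8%'
        OR p.cmdline LIKE '%curl %.9%'
        -- curl: a colon followed by a digit, e.g. an explicit port number
        OR p.cmdline LIKE '%curl %:0%'
        OR p.cmdline LIKE '%curl %:1%'
        OR p.cmdline LIKE '%curl %:2%'
        OR p.cmdline LIKE '%curl %:3%'
        OR p.cmdline LIKE '%curl %:4%'
        OR p.cmdline LIKE '%curl %:5%'
        OR p.cmdline LIKE '%curl %:6%'
        OR p.cmdline LIKE '%curl %:7%'
        OR p.cmdline LIKE '%curl %:8%'
        OR p.cmdline LIKE '%curl %:9%'
        -- curl: overridden User-Agent, the "-fsSL" flag bundle, or TLS
        -- certificate verification switched off
        OR p.cmdline LIKE '%curl %--user-agent%'
        OR p.cmdline LIKE '%curl -fsSL%'
        OR p.cmdline LIKE '%curl -k%'
        OR p.cmdline LIKE '%curl%--insecure%'
        -- wget: same dot-path and dot-digit heuristics as for curl
        OR p.cmdline LIKE '%wget %/.%'
        OR p.cmdline LIKE '%wget %.0%'
        OR p.cmdline LIKE '%wget %.1%'
        OR p.cmdline LIKE '%wget %.2%'
        OR p.cmdline LIKE '%wget %.3%'
        OR p.cmdline LIKE '%wget %.4%'
        OR p.cmdline LIKE '%wget %.5%'
        OR p.cmdline LIKE '%wget %.6%'
        OR p.cmdline LIKE '%wget %.7%'
        OR p.cmdline LIKE '%wget %.8%'
        OR p.cmdline LIKE '%wget %.9%'
        -- wget: overridden User-Agent or certificate verification switched off
        OR p.cmdline LIKE '%wget %--user-agent%'
        OR p.cmdline LIKE '%wget %--no-check-certificate%'
    )
    -- Exclusions on the fetcher's own command line (presumably known-benign
    -- callers; confirm against the fleet before widening).
    AND p.cmdline NOT LIKE '%If-None-Match%'
    AND p.cmdline NOT LIKE '%ctlog%'
    AND p.cmdline NOT LIKE '%.well-known/openid-configuration%'
    -- Fixed: the pattern had no wildcards, so it only compared against a
    -- command line that is exactly "--progress-bar" and never excluded anything.
    AND p.cmdline NOT LIKE '%--progress-bar%'
    -- Exclusions on the parent. COALESCE keeps events whose parent is gone:
    -- with a bare NOT IN / NOT LIKE a NULL parent evaluates to UNKNOWN, which
    -- silently turned the LEFT JOIN into an inner join and dropped every
    -- fetch launched by a short-lived parent.
    AND COALESCE(pp.name, '') NOT IN ('makepkg')
    AND COALESCE(pp.cmdline, '') NOT LIKE '%brew.rb%'
    AND COALESCE(pp.cmdline, '') NOT LIKE '%brew.sh%'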