
T1027.004 Compile After Delivery


Required Tables

  • process_events

Returned Fields

Field       Description
timestamp   date/time string converted from the unix nanosecond timestamp of the event
fn          program responsible for compiling (basename of the executable path)
path        path for the process event
arguments   arguments used for the compilation

Query

-- progs: the rows with event_type=0, with the executable basename extracted from path as fn
WITH progs AS (
    SELECT
        unix_nano_timestamp,
        reverse(split_part(reverse(process_events.path), '/', 1)) AS fn,
        path,
        arguments
    FROM process_events
    WHERE event_type = 0
)
SELECT
    FROM_UNIXTIME(unix_nano_timestamp / 1e9) AS timestamp,
    fn,
    path,
    arguments
FROM progs
WHERE (
    -- go is only flagged when it is building or running source
    fn = 'go' AND (
        CONTAINS(arguments, 'build') OR CONTAINS(arguments, 'run')
    )
)
    -- compilers matched by name prefix; this also catches versioned names such as gcc-12
    -- or clang-15, and any other tool whose name starts with one of these prefixes
    OR fn LIKE 'javac%'
    OR fn LIKE 'gcc%'
    OR fn LIKE 'clang%'
    OR fn LIKE 'g++%'
    OR fn LIKE 'lcc%'
    OR fn LIKE 'icc%'
    OR fn LIKE 'bcc%'
    OR fn LIKE 'cc%'
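The same predicate as the query above, re-implemented in Python over a few constructed process_events rows so the rule's behaviour (go only with build/run, prefix matching on compiler names, the event_type=0 restriction) can be checked offline. This is an added example, not part of the original rule; CONTAINS is assumed to be a plain substring test and the sample rows are made up.

```python
from datetime import datetime, timezone

# Compiler name prefixes from the query's LIKE 'xxx%' clauses.
COMPILER_PREFIXES = ("javac", "gcc", "clang", "g++", "lcc", "icc", "bcc", "cc")


def basename(path: str) -> str:
    """Same result as reverse(split_part(reverse(path), '/', 1)): the last path component."""
    return path.rsplit("/", 1)[-1]


def is_compile_event(path: str, arguments: str) -> bool:
    """Mirror the WHERE clause: go with build/run in its arguments, or a compiler name prefix."""
    fn = basename(path)
    if fn == "go":
        # CONTAINS assumed to be a substring match
        return "build" in arguments or "run" in arguments
    return fn.startswith(COMPILER_PREFIXES)


def to_timestamp(unix_nano: int) -> str:
    """FROM_UNIXTIME(unix_nano_timestamp / 1e9) rendered as a UTC date/time string."""
    dt = datetime.fromtimestamp(unix_nano / 1e9, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def find_compile_events(events):
    """Return (timestamp, fn, path, arguments) rows for events the rule would flag."""
    rows = []
    for ev in events:
        if ev["event_type"] != 0:  # the query's CTE keeps only event_type=0 rows
            continue
        if is_compile_event(ev["path"], ev["arguments"]):
            rows.append((to_timestamp(ev["unix_nano_timestamp"]),
                         basename(ev["path"]), ev["path"], ev["arguments"]))
    return rows


# Constructed sample process_events rows (not real telemetry).
SAMPLE_EVENTS = [
    {"unix_nano_timestamp": 1_700_000_000_000_000_000, "event_type": 0,
     "path": "/usr/bin/gcc", "arguments": "gcc -o /tmp/a.out /tmp/a.c"},
    {"unix_nano_timestamp": 1_700_000_001_000_000_000, "event_type": 0,
     "path": "/usr/local/go/bin/go", "arguments": "go build -o /tmp/agent ./cmd/agent"},
    {"unix_nano_timestamp": 1_700_000_002_000_000_000, "event_type": 0,
     "path": "/usr/local/go/bin/go", "arguments": "go version"},  # go, but not build/run
    {"unix_nano_timestamp": 1_700_000_003_000_000_000, "event_type": 0,
     "path": "/usr/bin/clang-format", "arguments": "clang-format -i main.c"},  # prefix match
    {"unix_nano_timestamp": 1_700_000_004_000_000_000, "event_type": 1,
     "path": "/usr/bin/gcc", "arguments": "gcc --version"},  # dropped: event_type != 0
]

if __name__ == "__main__":
    for row in find_compile_events(SAMPLE_EVENTS):
        print(row)
```

The clang-format row shows the cost of prefix matching: anything whose name starts with a listed prefix is returned, so tune the list or add an exclusion where such tools are common on your fleet.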