In [None]:
import duckdb
import numpy as np
import pandas as pd
from tqdm.auto import tqdm

In [None]:
db = duckdb.connect(":memory:")
db

In [None]:
db.execute("create or replace view process as select * from read_parquet('/data/acme3/stdview-20231105-20231120/process.parquet')")

In [None]:
db.execute("create or replace view process_path as select * from read_parquet('/data/acme3/stdview-20231105-20231120/process_path.parquet')")

In [None]:
db.execute("describe process").df()

In [None]:
%%time
df = db.execute("select hostname, pid_hash, parent_pid_hash, process_name, args from process").df()
df

In [None]:
%%time
wintaps = df.loc[df["process_name"] == "wintap.exe"]
wintaps

In [None]:
wintaps["hostname"].value_counts()

In [None]:
children0 = pd.merge(df, wintaps[["pid_hash"]], left_on="parent_pid_hash", right_on="pid_hash", how="inner", suffixes=("", "_discard"))
children0

In [None]:
children0["process_name"].value_counts()

In [None]:
children1 = pd.merge(df, children0[["pid_hash"]], left_on="parent_pid_hash", right_on="pid_hash", how="inner", suffixes=("", "_discard"))
children1

In [None]:
children1.loc[children1["process_name"] == "winlogon.exe"]

In [None]:
df.loc[df["pid_hash"] == "E68DD57B8393A2E74C988AA32614C16C"]

In [None]:
db.sql("describe process_path").df()

In [None]:
num_processes = np.sum(db.sql("select count(*) as num from process union select count(*) from process_path").df()["num"])
num_processes

In [None]:
wintaps = db.sql(
    """
    select hostname, pid_hash, parent_pid_hash, process_name, ptree
    from process_path
    where ptree like '%wintap%'
    """
).df()
wintaps

In [None]:
wintaps.shape[0] / num_processes

In [None]:
amazon_ssm = db.sql(
    """
    select hostname, pid_hash, parent_pid_hash, process_name, ptree
    from process_path
    where ptree like '%amazon-ssm%'
    """
).df()
amazon_ssm

In [None]:
interesting = db.sql(
    """
    select hostname, pid_hash, parent_pid_hash, process_name, ptree
    from process_path
    where ptree not like '%wintap%' and ptree not like '%amazon-ssm%'
    """
).df()
interesting

In [None]:
process_cmdlines = db.sql(
    """
    select process.process_path, process.args
    from process
    inner join process_path using (pid_hash)
    where process_path.ptree not like '%wintap%' and process_path.ptree not like '%amazon-ssm%'
    """
).df().fillna("")
process_cmdlines

In [None]:
cmdlines = (process_cmdlines["process_path"] + " " + process_cmdlines["args"]).str.strip()
cmdlines.value_counts().to_frame()