From 00a9f6450ba53383814ba50c77893f675071a66c Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Fri, 26 Jul 2024 13:26:37 -0400 Subject: [PATCH] fpr: sddm-helper, smartd, Xorg, elastic, WebEx, BambuStudio, keepass, etc --- Makefile | 2 +- detection/c2/unexpected-https-linux.sql | 87 ++++---- detection/c2/unexpected-https-macos.sql | 1 + detection/c2/unexpected-talkers-linux.sql | 1 + detection/c2/unexpected-talkers-macos.sql | 13 +- .../collection/high-disk-bytes-written.sql | 4 +- .../discovery/unexpected-pcap-user-macos.sql | 1 + detection/evasion/hidden-cwd.sql | 1 + .../unexpected-hidden-system-paths.sql | 9 + .../evasion/unusual-process-name-macos.sql | 1 + .../unexpected-shell-parents.sql | 1 + .../unexpected-chrome-extensions.sql | 204 +++++++++--------- .../persistence/unexpected-global-lock.sql | 2 +- .../unexpected-listening-port-macos.sql | 5 +- .../unexpected-uid0-daemon-linux.sql | 15 +- 15 files changed, 185 insertions(+), 162 deletions(-) diff --git a/Makefile b/Makefile index 31ebaba..6b0d680 100644 --- a/Makefile +++ b/Makefile @@ -34,7 +34,7 @@ reformat: .PHONY: reformat-updates reformat-updates: - git status -s | awk '{ print $$2 }' | grep ".sql" | perl -ne 'chomp; system("cp $$_ /tmp/fix.sql && npx sql-formatter -l sqlite /tmp/fix.sql > $$_");' + git status -s | awk '{ print $$2 }' | grep ".sql" | perl -ne 'chomp; print("$$_\n"); system("cp $$_ /tmp/fix.sql && npx sql-formatter -l sqlite /tmp/fix.sql > $$_");' .PHONY: detect detect: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql index 49e1a27..f4b21d0 100644 --- a/detection/c2/unexpected-https-linux.sql +++ b/detection/c2/unexpected-https-linux.sql 
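Review bot: The recipe on the added line still redirects the formatter output straight onto the source file (`> $$_`), so when `npx sql-formatter` is missing or exits non-zero the `.sql` file has already been truncated to zero bytes and the only remaining copy is `/tmp/fix.sql`, a fixed, predictable name in a world-writable directory. Format into a separate temporary output and move it over the source only on success, and quote the interpolated path so a filename with spaces or shell metacharacters cannot break the `system()` command line, e.g. `system("cp -- \"$$_\" /tmp/fix.sql && npx sql-formatter -l sqlite /tmp/fix.sql > /tmp/fix.out && mv -- /tmp/fix.out \"$$_\"") == 0 or warn "format failed: $$_\n";`. The new `print` shows which file is being touched but does not surface a failed formatter run, which the `warn` above would. `awk '{ print $$2 }'` is pre-existing, but note it yields the old path for renamed entries (`R  old -> new`).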
@@ -57,6 +57,8 @@ WHERE
   AND s.remote_address NOT LIKE 'fc00:%'
   AND p.path != ''
   AND NOT exception_key IN (
+    '0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
+    '0,agentbeat,0u,0g,agentbeat',
     '0,apk,u,g,apk',
     '0,applydeltarpm,0u,0g,applydeltarpm',
     '0,bash,0u,0g,bash',
@@ -69,6 +71,7 @@ WHERE
     '0,dirmngr,0u,0g,dirmngr',
     '0,dockerd,0u,0g,dockerd',
     '0,elastic-agent,0u,0g,elastic-agent',
+    '0,elastic-agent,u,g,elastic-agent',
     '0,elastic-endpoint,0u,0g,elastic-endpoin',
     '0,filebeat,0u,0g,filebeat',
     '0,flatpak-system-helper,0u,0g,flatpak-system-',
@@ -91,25 +94,14 @@ WHERE
     '0,packagekitd,0u,0g,packagekitd',
     '0,packetbeat,0u,0g,packetbeat',
     '0,pacman,0u,0g,pacman',
-    '0,python3.10,0u,0g,dnf',
-    '0,python3.10,0u,0g,dnf-automatic',
-    '0,python3.10,0u,0g,yum',
-    '0,python3.11,0u,0g,dnf',
-    '0,python3.11,0u,0g,dnf-automatic',
-    '0,python3.11,0u,0g,yum',
-    '0,python3.12,0u,0g,dnf',
-    '0,python3.12,0u,0g,dnf-automatic',
-    '0,python3.12,0u,0g,yum',
     '0,rapid7_endpoint_broker,0u,0g,rapid7_endpoint',
     '0,rpi-imager,0u,0g,rpi-imager',
     '0,snapd,0u,0g,snapd',
     '0,systemctl,0u,0g,systemctl',
     '0,tailscaled,0u,0g,tailscaled',
     '0,tailscaled,500u,500g,tailscaled',
-    '0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
     '0,velociraptor,0u,0g,velociraptor_cl',
     '0,yay,0u,0g,yay',
-    '500,python3.11,u,g,pip',
     '105,http,0u,0g,https',
     '106,geoclue,0u,0g,geoclue',
     '115,geoclue,0u,0g,geoclue',
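Review bot: The empty owner fields in the added key `'0,elastic-agent,u,g,elastic-agent'` (contrast `'0,elastic-agent,0u,0g,elastic-agent'` two lines above it) look, judging by the shape of the neighbouring keys, like the form produced when no file row is found for the executable, so this exception would match any uid-0 process named `elastic-agent` whose binary cannot be stat'd — which is also what a deleted-on-disk or memory-backed payload looks like. The key definition is outside the hunk, so I cannot confirm what else it carries, but nothing visible ties this entry to the real agent's path or hash. Record in a comment next to it what produced the key (an overlay/container path, or the agent replacing its own binary during self-update, presumably), or constrain it with a `p.path` or hash predicate, e.g. `-- elastic-agent self-update leaves the running binary unlinked; key has no file owner` above the entry.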
@@ -117,21 +109,33 @@ WHERE '128,fwupdmgr,0u,0g,fwupdmgr', '129,fwupdmgr,0u,0g,fwupdmgr', '42,http,0u,0g,https', - '500,podman,0u,0g,podman', '500,1password,0u,0g,1password', + '500,Brackets,0u,0g,Brackets', + '500,Discord,0u,0g,Discord', + '500,Discord,u,g,Discord', + '500,Docker Desktop,0u,0g,Docker Desktop', + '500,Keybase,0u,0g,Keybase', + '500,Logseq,u,g,Logseq', + '500,Melvor Idle,500u,500g,exe', + '500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan', + '500,WPILibInstaller,500u,500g,WPILibInstaller', + '500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr', + '500,___go_build_main_go,500u,500g,___go_build_mai', '500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen', + '500,accountwizard,u,g,accountwizard', '500,act,0u,0g,act', '500,apk,500u,500g,apk', + '500,apk,u,g,apk', '500,apko,500u,500g,apko', '500,apko,u,g,apko', - '500,apk,u,g,apk', + '500,armcord,u,g,armcord', '500,aws,0u,0g,aws', '500,aws,500u,500g,aws', '500,bash,0u,0g,bash', '500,beeper,u,g,beeper', + '500,bitwarden,u,g,bitwarden', '500,bom,500u,500g,bom', '500,bom-linux-amd64,500u,500g,bom-linux-amd64', - '500,Brackets,0u,0g,Brackets', '500,brave,0u,0g,brave', '500,buildkitd,500u,500g,buildkitd', '500,buildkite-agent,500u,500g,buildkite-agent', @@ -144,13 +148,14 @@ WHERE '500,chainctl,500u,500g,chainctl', '500,chainctl,500u,500g,docker-credenti', '500,chrome,0u,0g,chrome', - '500,chrome_crashpad_handler,0u,0g,chrome_crashpad', '500,chrome,u,g,chrome', + '500,chrome_crashpad_handler,0u,0g,chrome_crashpad', '500,cilium,500u,123g,cilium', '500,cloud_sql_proxy,0u,0g,cloud_sql_proxy', '500,code,0u,0g,code', '500,code,500u,500g,code', '500,code,u,g,code', + '500,code-oss,u,g,code-oss', '500,com.docker.backend,0u,0g,com.docker.back', '500,com.docker.extensions,0u,0g,com.docker.exte', '500,containerd,u,g,containerd', 
@@ -162,20 +167,19 @@ WHERE '500,crane,500u,500g,crane', '500,curl,0u,0g,curl', '500,deno,500u,500g,deno', - '500,Discord,0u,0g,Discord', - '500,Discord,u,g,Discord', '500,docker,0u,0g,docker', '500,docker-buildx,0u,0g,docker-buildx', - '500,Docker Desktop,0u,0g,Docker Desktop', + '500,drkonqi,0u,0g,drkonqi', '500,eksctl,0u,0g,eksctl', '500,eksctl,500u,500g,eksctl', '500,electron,0u,0g,electron', '500,evolution-addressbook-factory,0u,0g,evolution-addre', '500,evolution-calendar-factory,0u,0g,evolution-calen', '500,evolution-source-registry,0u,0g,evolution-sourc', - '500,firefox,0u,0g,firefox', + '500,extension-manager,0u,0g,extension-manag', '500,firefox,0u,0g,.firefox-wrappe', '500,firefox,0u,0g,Socket Process', + '500,firefox,0u,0g,firefox', '500,firefox-bin,500u,500g,firefox-bin', '500,firefox-bin,u,g,firefox-bin', '500,flameshot,0u,0g,flameshot', @@ -186,14 +190,15 @@ WHERE '500,gcsfuse,500u,500g,gcsfuse', '500,gdb,0u,0g,gdb', '500,geoclue,0u,0g,geoclue', - '500,gh-dash,500u,500g,gh-dash', '500,gh,0u,0g,gh', + '500,gh-dash,500u,500g,gh-dash', '500,git,0u,0g,git', '500,git-remote-http,0u,0g,git-remote-http', '500,git-remote-http,u,g,git-remote-http', '500,gitsign,0u,0g,gitsign', '500,gitsign,500u,0g,gitsign', '500,gitsign,500u,500g,gitsign', + '500,gitsign,u,g,gitsign', '500,gitsign-credential-cache,500u,500g,gitsign-credent', '500,gjs-console,0u,0g,org.gnome.Maps', '500,gnome-recipes,0u,0g,gnome-recipes', @@ -201,10 +206,9 @@ WHERE '500,gnome-software,0u,0g,gnome-software', '500,go,0u,0g,go', '500,go,500u,500g,go', - '500,goa-daemon,0u,0g,goa-daemon', - '500,___go_build_main_go,500u,500g,___go_build_mai', - '500,gobuster,500u,500g,gobuster', '500,go,u,g,go', + '500,goa-daemon,0u,0g,goa-daemon', + '500,gobuster,500u,500g,gobuster', '500,grafana,u,g,grafana', '500,grype,0u,0g,grype', '500,grype,500u,500g,grype', 
@@ -224,7 +228,6 @@ WHERE
     '500,k6,500u,500g,k6',
     '500,kbfsfuse,0u,0g,kbfsfuse',
     '500,keybase,0u,0g,keybase',
-    '500,Keybase,0u,0g,Keybase',
     '500,kioslave5,0u,0g,kioslave5',
     '500,ko,500u,500g,ko',
     '500,ko,u,g,ko',
@@ -236,49 +239,42 @@ WHERE '500,less,0u,0g,less', '500,license-detector,500u,500g,license-detecto', '500,limactl,0u,0g,limactl', - '500,Logseq,u,g,Logseq', '500,losslesscut,500u,500g,losslesscut', '500,mconvert,500u,500g,mconvert', '500,mediawriter,u,g,mediawriter', '500,melange,500u,500g,melange', '500,melange,u,g,melange', - '500,Melvor Idle,500u,500g,exe', '500,minikube,0u,0g,minikube', + '500,nami,500u,500g,nami', '500,nautilus,0u,0g,nautilus', '500,nerdctl,500u,500g,nerdctl', '500,nix,0u,0g,nix', - '500,node,0u,0g,node', '500,node,0u,0g,.node2nix-wrapp', + '500,node,0u,0g,node', '500,node,0u,0g,npm install', '500,node,500u,500g,npm run start', '500,node,u,g,node', '500,nuclei,500u,500g,nuclei', '500,obs,0u,0g,obs', + '500,obs,u,g,obs', '500,obs-browser-page,0u,0g,obs-browser-pag', '500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux', '500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux', '500,obsidian,0u,0g,obsidian', - '500,nami,500u,500g,nami', '500,obsidian,u,g,obsidian', - '500,gitsign,u,g,gitsign', - '500,code-oss,u,g,code-oss', - '500,plasma-discover,0u,0g,plasma-discover', - '500,bitwarden,u,g,bitwarden', - '500,extension-manager,0u,0g,extension-manag', - '500,accountwizard,u,g,accountwizard', - '500,drkonqi,0u,0g,drkonqi', - '500,thunderbird-bin,u,g,thunderbird-bin', - '500,obs,u,g,obs', - '500,extension-manager,0u,0g,extension-manag', '500,op,0u,500g,op', '500,packer-plugin-proxmox_v1.1.2_x5.0_linux_amd64,500u,500g,packer-plugin-p', '500,pacman,0u,0g,pacman', '500,php,0u,0g,php', '500,php8.1,0u,0g,php', '500,pingsender,0u,0g,pingsender', + '500,plasma-discover,0u,0g,plasma-discover', + '500,podman,0u,0g,podman', '500,promoter,500u,500g,promoter', '500,publish-release,500u,500g,publish-release', + '500,python.test,500u,500g,python.test', '500,python3,0u,0g,python3', + '500,python3,500u,500g,python3', '500,python3.10,0u,0g,aws', '500,python3.10,0u,0g,python', '500,python3.10,0u,0g,python3', 
@@ -287,9 +283,8 @@ WHERE
     '500,python3.11,0u,0g,gnome-abrt',
     '500,python3.11,0u,0g,protonvpn',
     '500,python3.11,0u,0g,prowler',
+    '500,python3.11,u,g,pip',
     '500,python3.12,0u,0g,dnf',
-    '500,python3,500u,500g,python3',
-    '500,python.test,500u,500g,python.test',
     '500,qemu-system-x86_64,0u,0g,qemu-system-x86',
     '500,reporter-ureport,0u,0g,reporter-urepor',
     '500,rpi-imager,0u,0g,rpi-imager',
@@ -313,7 +308,6 @@ WHERE
     '500,steamwebhelper,500u,500g,steamwebhelper',
     '500,step,500u,500g,step',
     '500,step-cli,0u,0g,step',
-    '500,armcord,u,g,armcord',
     '500,stern,500u,500g,stern',
     '500,syncthing,0u,0g,syncthing',
     '500,syncthing,u,g,syncthing',
@@ -324,29 +318,30 @@ WHERE '500,terraform-ls,500u,500g,terraform-ls', '500,thunderbird,0u,0g,thunderbird', '500,thunderbird,u,g,thunderbird', + '500,thunderbird-bin,u,g,thunderbird-bin', '500,tilt,500u,500g,tilt', - '500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan', '500,todoist,0u,0g,todoist', '500,trivy,0u,0g,trivy', '500,trivy,500u,500g,trivy', '500,ubuntu-report,0u,0g,ubuntu-report', - '500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr', '500,wget,0u,0g,wget', '500,wine64-preloader,500u,500g,DaveTheDiver.ex', '500,wine64-preloader,500u,500g,Root.exe', '500,wolfictl,500u,500g,wolfictl', - '500,WPILibInstaller,500u,500g,WPILibInstaller', '500,xmobar,0u,0g,xmobar', '500,yay,0u,0g,yay', '500,zdup,500u,500g,zdup', '500,zoom,0u,0g,zoom', '500,zoom.real,u,g,zoom.real' ) -- Exceptions where we have to be more flexible for the process name + AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf' + AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf-automatic' + AND NOT exception_key LIKE '0,python3.%,0u,0g,yum' + AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%' AND NOT exception_key LIKE '500,node,0u,0g,npm exec %' AND NOT exception_key LIKE '500,node,0u,0g,npm install %' - AND NOT exception_key LIKE '500,python3.%,0u,0g,pip' AND NOT exception_key LIKE '500,python3%,u,g,pip' - AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%' + AND NOT exception_key LIKE '500,python3.%,0u,0g,pip' AND NOT exception_key LIKE '500,terraform-provider-%,500u,500g,terraform-provi' AND NOT ( exception_key LIKE '500,python3%,0u,0g,python%' diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql index 57ae740..87972fc 100644 --- a/detection/c2/unexpected-https-macos.sql +++ b/detection/c2/unexpected-https-macos.sql 
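Review bot: Folding the per-version `python3.1N` entries into `LIKE '0,python3.%,0u,0g,dnf'` (and the `dnf-automatic`/`yum` twins) loosens the match in two ways the old IN entries did not: SQLite's LIKE is case-insensitive for ASCII unless `PRAGMA case_sensitive_like` is on, which nothing visible here sets, so a key such as `0,PYTHON3.x,0u,0g,DNF` would now be exempted too, and `%` accepts any suffix after `python3.`, not only a minor version. If the goal is only to stop enumerating interpreter versions, `GLOB` keeps the comparison case-sensitive: `AND NOT exception_key GLOB '0,python3.*,0u,0g,dnf'`, `AND NOT exception_key GLOB '0,python3.*,0u,0g,dnf-automatic'`, `AND NOT exception_key GLOB '0,python3.*,0u,0g,yum'`. The same applies to the pre-existing `LIKE` lines in this block, and the WHERE clause continues past the end of the hunk.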
@@ -204,6 +204,7 @@ WHERE
     'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
     'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
     'Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
+    'Developer ID Application: TechSmith Corporation (7TQL462TU8)',
     'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
     'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
     'Developer ID Application: Farhan Ahmed (4RZN52RN5P)',
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 4f9b6c6..ab040fd 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -108,6 +108,7 @@ WHERE
     '80,6,0,python3.11,0u,0g,dnf-automatic',
     '80,6,0,python3.11,0u,0g,yum',
     '80,6,0,python3.12,0u,0g,yum',
+    '80,6,500,firefox-bin,0u,0g,firefox-bin',
     '80,6,0,python3.9,u,g,yum',
     '80,6,0,sort,0u,0g,sort',
     '80,6,0,systemd-hwdb,0u,0g,systemd-hwdb',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index cdb40be..1ca1dfa 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -5,7 +5,8 @@
 --
 -- tags: transient state net often
 -- platform: macos
-SELECT pos.protocol,
+SELECT
+  pos.protocol,
   pos.local_port,
   pos.remote_port,
   pos.remote_address,
@@ -66,7 +67,8 @@ SELECT pos.protocol,
   p2.path AS p2_path,
   p2.cmdline AS p2_cmd,
   p2_hash.sha256 AS p2_sha256
-FROM process_open_sockets pos
+FROM
+  process_open_sockets pos
   LEFT JOIN processes p0 ON pos.pid = p0.pid
   LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
   LEFT JOIN processes p1 ON p0.parent = p1.pid
@@ -75,7 +77,8 @@ FROM process_open_sockets pos
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
   LEFT JOIN file f ON p0.path = f.path
   LEFT JOIN signature s ON p0.path = s.path
-WHERE pos.protocol > 0
+WHERE
+  pos.protocol > 0
   AND NOT (
     pos.remote_port IN (53, 443)
     AND pos.protocol IN (6, 17)
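Review bot: `'Developer ID Application: TechSmith Corporation (7TQL462TU8)'` is inserted between the Denver Technologies and Ecamm entries, but the surrounding list is alphabetical and the rest of this commit re-sorts the Linux lists byte-wise, so the new entry belongs in sorted position among the entries starting with `T`, which I cannot see from this hunk. This is purely a point of style; the tuple itself is fine since it keys on the Apple team identifier rather than a display name.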
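Review bot: Same ordering point for `'80,6,500,firefox-bin,0u,0g,firefox-bin'`: it lands in the middle of the `80,6,0,…` run, between the `python3.12` and `python3.9` keys, whereas every neighbouring entry is sorted by its leading `port,proto,uid` triple, so a later resort will move it again. Placing it after the last `80,6,0,` entry now keeps that future diff quiet; nothing else to flag in the key itself.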
@@ -204,6 +207,7 @@ WHERE pos.protocol > 0 '500,6,22,ssh,ssh,0u,500g', '500,6,5432,psql,psql,500u,80g', '500,6,22,ssh,ssh,500u,0g', + '500,17,123,limactl,limactl,500u,80g', '500,17,123,gvproxy,gvproxy,500u,80g', '500,6,80,qemu-system-x86_64,qemu-system-x86_64,500u,80g', '500,6,22,ssh,ssh,500u,20g', @@ -300,4 +304,5 @@ WHERE pos.protocol > 0 'Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon' ) ) -GROUP BY p0.cmdline +GROUP BY + p0.cmdline diff --git a/detection/collection/high-disk-bytes-written.sql b/detection/collection/high-disk-bytes-written.sql index 2c93783..5dd8aaf 100644 --- a/detection/collection/high-disk-bytes-written.sql +++ b/detection/collection/high-disk-bytes-written.sql @@ -61,13 +61,13 @@ WHERE '/usr/bin/apt', '/usr/bin/aptd', '/usr/bin/bash', - '/usr/bin/gnome-disks', '/usr/bin/bwrap', '/usr/bin/curl', '/usr/bin/darktable', '/usr/bin/dockerd', '/usr/bin/fish', '/usr/bin/git', + '/usr/bin/gnome-disks', '/usr/bin/gnome-shell', '/usr/bin/gnome-software', '/usr/bin/gnome-text-editor', @@ -127,7 +127,6 @@ WHERE AND p0.cmdline = '/usr/bin/python3 /usr/sbin/aptd' ) AND NOT p0.name IN ( - 'Cisco WebEx Start', 'GoogleUpdater', 'Install', 'baloo_file_extr', @@ -149,6 +148,7 @@ WHERE 'firefox', 'flatpak-session', 'fsdaemon', + 'git', 'go', 'goland', 'golangci-lint-v', diff --git a/detection/discovery/unexpected-pcap-user-macos.sql b/detection/discovery/unexpected-pcap-user-macos.sql index 5398c78..edc06bb 100644 --- a/detection/discovery/unexpected-pcap-user-macos.sql +++ b/detection/discovery/unexpected-pcap-user-macos.sql @@ -79,5 +79,6 @@ WHERE 'Developer ID Application: Docker Inc (9BNSXJN65R)', 'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)' ) + AND NOT p0.path LIKE '/opt/homebrew/Cellar/kubernetes-cli/%/bin/kubectl' GROUP BY p0.pid diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql index 3ba1e51..03e13fb 100644 --- a/detection/evasion/hidden-cwd.sql +++ b/detection/evasion/hidden-cwd.sql 
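Review bot: Adding bare `'git'` to the `p0.name NOT IN (...)` list exempts any process that calls itself git from the high-disk-write check, while the same file already carries the path-form exception `'/usr/bin/git'` in the hunk above; a name-only exclusion is the cheapest one for something that wants to write a lot of data unnoticed. If this is for a git binary at another location (Homebrew or the Xcode command-line tools, presumably), add that concrete path to the `p0.path` list instead, or at least leave a comment naming the path that triggered it, e.g. `-- git: seen from <path>; name match because the path varies per install`. The enclosing WHERE clause starts and ends outside the hunk.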
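Review bot: `'/opt/homebrew/Cellar/kubernetes-cli/%/bin/kubectl'` sits under the Homebrew prefix, which on macOS is owned and writable by the unprivileged user, so this exception is no stronger than a name match: anything dropped at that path (and `%` accepts any intermediate directories) is exempted from the packet-capture-device check. The other exceptions in this list are keyed on a Developer ID signature, which an unsigned Homebrew kubectl cannot satisfy, but it is also not obvious why kubectl would hold a BPF device at all. Add a comment recording the plugin or scenario behind the hit, e.g. `-- Homebrew kubectl holding /dev/bpf: seen with <plugin>; prefix is user-writable, so this is a weak exception`, and consider keying on the binary's hash instead if the query has `hash` available.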
@@ -151,6 +151,7 @@ WHERE
   OR top_dir IN ('~/Sync')
   OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
   OR dir LIKE '/opt/homebrew/%/.cache/%'
+  OR dir LIKE '~/%enterprise-packages/.chainguard'
   OR dir LIKE '/private/tmp/%/.git'
   OR dir LIKE '/tmp/.mount_%'
   OR dir LIKE '/tmp/%/.git'
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index 4a26664..bb15619 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -250,3 +250,12 @@ WHERE
     AND file.type = "socket"
     AND file.mode = '0600'
   )
+  -- still not sure what the hell this is
+  AND NOT (
+    file.path LIKE '/tmp/.%3D'
+    AND file.size < 30000
+    AND file.size > 20000
+    AND file.mode = '0644'
+    AND uid = 501
+    AND gid = 0
+  )
diff --git a/detection/evasion/unusual-process-name-macos.sql b/detection/evasion/unusual-process-name-macos.sql
index d6f39f9..b6d4d80 100644
--- a/detection/evasion/unusual-process-name-macos.sql
+++ b/detection/evasion/unusual-process-name-macos.sql
@@ -100,6 +100,7 @@ WHERE
     'ThingsWidgetExtensionMacAppStore',
     'at.obdev.littlesnitch.endpointsecurity',
     'launchd_startx',
+    'dynamiclinkmanager',
     'BetterTouchToolAppleScriptRunner',
     'BetterTouchToolShellScriptRunner',
     'TwitterNotificationServiceExtension',
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index c412808..0974cff 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
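Review bot: In SQLite's LIKE the `%` in `file.path LIKE '/tmp/.%3D'` is a wildcard, so the new exception matches every hidden `/tmp/.*3D` file of 20–30 KB with mode 0644 owned by uid 501, not a literal `%3D`; if the observed name really ended in a URL-encoded `=` the pattern needs an escape, `file.path LIKE '/tmp/.%\%3D' ESCAPE '\'`, and if it did not, the comment should say what the name looked like. More fundamentally, `-- still not sure what the hell this is` admits that an unidentified artifact is being allowlisted in an evasion query, and a size window plus a mode are discriminators an implant can meet trivially. Until the file is identified, record the exact path and a SHA-256 of the sample in the comment and key the exception on that hash (or drop the exception and tolerate the alert) rather than on its shape.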
@@ -267,6 +267,7 @@ WHERE
   AND NOT p1.cmdline LIKE '%brew.rb%'
   AND NOT p1.cmdline LIKE '%/Homebrew/build.rb%'
   AND NOT p1.cmdline LIKE '%Code Helper%'
+  AND NOT p1.cmdline LIKE '%Code - Insiders Helper%'
   AND NOT p1.cmdline LIKE '%gcloud.py config config-helper%'
   AND NOT p1.cmdline LIKE '/usr/lib/electron19/electron /usr/lib/code/out/bootstrap-fork --type=ptyHost --logsPath /home/%/.config/Code - OSS/logs/%'
   AND NOT p1.name LIKE '%term%'
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
index f43a7a4..513d48b 100644
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
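Review bot: `p1.cmdline LIKE '%Code - Insiders Helper%'` matches the substring anywhere in the parent's command line, and argv is chosen by whoever starts the process, so any parent launched with an argument containing that text is exempted as a shell parent. The pre-existing `'%Code Helper%'` line has the same weakness, so this is not new, but since the line is being added now it would be safer to anchor on the helper's executable path (`p1.path LIKE '%/Visual Studio Code - Insiders.app/%'`, if that is where the helper lives — the path is not visible from here) or at least on the start of the cmdline rather than a leading `%`. The WHERE clause continues outside the hunk.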
@@ -74,76 +74,54 @@ WHERE ) ) AND NOT exception_key IN ( + "true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja", + "true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk", 'false,,Grammarly: AI Writing and Grammar Checker App,cnlefmmeadmemmdciolhbnfeacpdfbkd', 'false,privacybadger-owner@eff.org,Privacy Badger,mkejgcgkdlddbggjhhflekkondicpnop', 'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd', - 'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb', - 'true,Adblock for Chrome Team,Adblock for Chrome™,onomjaelhagjjojbkcafidnepbfkpnee', 'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk', - 'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom', 'true,,Add to Amazon Wish List,ciagpekplgpbepdgggflgmahnjgiaced', - 'true,Adguard Software Ltd,AdGuard AdBlocker,bgnkhhnnamicmpeenaelnjfhikgbkllg', 'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj', - 'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk', - 'true,AgileBits,1Password – Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa', - 'true,Alexander Shutau,Dark Reader,eimadpbcbfnmbkopoojfekhnkhdbieeh', - 'true,All uBlock contributors,uBlock - free ad blocker,epcnnfbjfcgphgdmggkamkmgojdagdnn', 'true,,Application Launcher For Drive (by Google),lmjegmlicamnimmfhcmpkclmigmmcbeh', 'true,,Apps Launcher for Chrome,hdmhnhkegdfpajaeijlfopfoallfdiak', 'true,,Awesome ChatGPT Screenshot & Screen Recorder,nlipoenfbbikpbjkfpfillcgkoblgpmj', 'true,,Awesome Screen Recorder & Screenshot,nlipoenfbbikpbjkfpfillcgkoblgpmj', - 'true,,axe DevTools - Web Accessibility Testing,lhdoppojpmngadmnindnejefpokejbdd', 'true,,Bardeen - automate manual work,ihhkmalpkhkoedlmcnilbbhhbhnicjga', 'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga', - 'true,Benjamin Hollis,JSONView,gmegofmjomhknnokphhckolhcffdaihd', - 
'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom', 'true,,Bionic Reading,kdfkejelgkdjgfoolngegkhkiecmlflj', - 'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb', - 'true,Bitwarden Inc.,Bitwarden Password Manager,nngceckbapebfimnlniiiahkandclblb', 'true,,BlockSite: Block Websites & Stay Focused,eiimnmioipafcokbfikbljfdeojpcgbh', 'true,,Boomerang for Gmail,mdanidgdpmkimeiiojknlnekblgmpdll', 'true,,Browsec VPN - Free VPN for Chrome,omghfjlpggmjjaagoclmmobgdodcjboh', 'true,,BrowserStack Local,mfiddfehmfdojjfdpfngagldgaaafcfo', - 'true,CAD Team,Cookie AutoDelete,fhcgjolkccmbidfldomjliifgaodjagh', + 'true,,CSS Scan,gieabiemggnpnminflinemaickipbebg', 'true,,Canvas Blocker - Fingerprint Protect,nomnklagbgmgghhjidfhnoelnjfndfpd', 'true,,Capital One Shopping: Add to Chrome for Free,nenlahapcbofgnanklpelkaejcehkggg', 'true,,Capital One Shopping: Save Now,nenlahapcbofgnanklpelkaejcehkggg', 'true,,Caret,fljalecfjciodhpcledpamjachpmelml', 'true,,Chrome Capture - Gif & Screenshot tool,ggaabchcecdbomdcnbahdfddfikjmphe', - 'true,chromeos-recovery-tool-admin@google.com,Chromebook Recovery Utility,jndclpdbaamdhonoechobihbbiimdgai', 'true,,Chrome RDP for Google Cloud Platform,mpbbnannobiobpnfblimoapbephgifkm', 'true,,Chrome Remote Desktop,inomeogfingihgjfjlpeplalcfajhgai', 'true,,Chrome Web Store Payments,nmmhkkegccagdldgiimedpiccmgmieda', 'true,,Cisco Umbrella Chromebook client (Ext),jcdhmojfecjfmbdpchihbeilohgnbdci', 'true,,Cisco Webex Extension,jlhmfgmfgeifomenelglieieghnjghma', 'true,,Clear Cache,cppjkneekbjaeellbfkmgnhonkkjfpdn', + 'true,,Clear cookies for one site,kajgpmmnnohnlajonknigghinhjmmehc', 'true,,ClickUp: Tasks, Screenshots, Email, Time,pliibjocnfmkagafnbkfcimonlnlpghj', 'true,,Clipboard History,cioiijhfebhhkmnijjjgbhkjjdlphjid', 'true,,Clockify Time Tracker,pmjeegjhjdlccodhacdgbgfagbpmccpe', - 'true,Clockwise Inc.,Clockwise: AI Calendar & Scheduling Assistant,hjcneejoopafkkibfbcaeoldpjjiamog', - 
'true,Clockwise Inc.,Clockwise: Team Time & Calendar Management,hjcneejoopafkkibfbcaeoldpjjiamog', - 'true,,Cloud9,nbdmccoknlfggadpfkmcpnamfnbkmkcp', 'true,,Cloud Vision,nblmokgbialjjgfhfofbgfcghhbkejac', - 'true,,coLaboratory Notebook,pianggobfjcgeihlmfhfgkfalopndooo', + 'true,,Cloud9,nbdmccoknlfggadpfkmcpnamfnbkmkcp', 'true,,ColorPick Eyedropper,ohcpnigalekghcmgcdcenkpelffpdolg', 'true,,ColorZilla,bhlhnicpbhignbdhedgjhgdocnmhomnp', - 'true,compose.ai,Compose AI: AI-powered Writing Tool,ddlbpiadoechcolndfeaonajmngmhblj', - 'true,Contacts+,Contacts+ for Gmail,cnaibnehbbinoohhjafknihmlopdhhip', - 'true,CookieBlock Team,CookieBlock,fbhiolckidkciamgcobkokpelckgnnol', 'true,,Cookie Tab Viewer,fdlghnedhhdgjjfgdpgpaaiddipafhgk', 'true,,Copper CRM for Gmail,hpfmedbkgaakgagknibnonpkimkibkla', 'true,,Copper CRM for Gmail™,hpfmedbkgaakgagknibnonpkimkibkla', 'true,,Copy Me That,lgjinjcobiflbbnhenlfkcjpeeacklfl', 'true,,Coupert - Automatic Coupon Finder & Cashback,mfidniedemcgceagapgdekdbmanojomk', - 'true,,crouton integration,gcpneefbbnfalgjniomfjknbcgkbijom', - 'true,Crowdcast, Inc.,Crowdcast Screensharing,kgmadhplahebfoiijgloflhakfjlkbpb', 'true,,Crunchbase - B2B Company & Contact Info,mdfjplgeknamfodpoghbmhhlcjoacnbp', - 'true,,CSS Scan,gieabiemggnpnminflinemaickipbebg', - "true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja", + 'true,,DEPRECATED Secure Shell App,pnhechapfaindjhompbnflcldabbghjo', 'true,,Datanyze Chrome Extension,mlholfadgbpidekmhdibonbjhdmpmafd', 'true,,DealFinder by VoucherCodes,jhgicjdnnonfaedodemjjinbgcoeiajo', - 'true,,DEPRECATED Secure Shell App,pnhechapfaindjhompbnflcldabbghjo', - 'true,,[DEPRECATED] Tag Assistant Legacy,kejbdjndbnbjgmefkgdddjlbokphdefk', 'true,,Disconnect,jeoacafpbcihiomhlakheieifhpjdfeo', 'true,,Distill Web Monitor,inlikjemeeknofckkjolnjbpehgadgge', 'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg', 
@@ -154,140 +132,108 @@ WHERE 'true,,Eno® from Capital One®,clmkdohmabikagpnhjmgacbclihgmdje', 'true,,Espruino Web IDE,bleoifhkdalbjfbobjackfdifdneehpo', 'true,,Event Merge for Google Calendar™,idehaflielbgpaokehlhidbjlehlfcep', - 'true,Evernote,Evernote Web Clipper,pioclpoplcdbaefihamjohnefbikjilc', - 'true,ExpressVPN,ExpressVPN: VPN proxy for a better internet,fgddmllnllkalaagkghckoinaemmogpe', 'true,,Extensity,jjmflmamggggndanpgfnpelongoepncg', - 'true,eyeo GmbH,Adblock Plus - free ad blocker,cfhdojbkjhnklbpkdaibdccddilifddb', 'true,,Facebook Pixel Helper,fdgfkebogiimcoedlicjlajpkdmockpc', 'true,,Fake Filler,bnjjngeaknajbdcgpfkgnonkmififhfo', 'true,,Fakespot Fake Amazon Reviews and eBay Sellers,nakplnnackehceedgkgkokbgbmfghain', - 'true,Federico Brigante,GitHub Issue Link Status,nbiddhncecgemgccalnoanpnenalmkic', - 'true,,feedly,hipbfijinpcgfogaopmgehiegacbhmob', 'true,,FoxyProxy Basic,dookpfaalaaappcdneeahomimbllocnb', - 'true,François Duprat,Mobile simulator - responsive testing tool,ckejmhbmlajgoklhgbapkiccekfoccmk', 'true,,Free Maps Ruler,ejpahoknghmacibohhgleeacndkglgmo', - "true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk", - 'true,Ghostery,Ghostery – Privacy Ad Blocker,mlomiejdfkolichcflejclcbmpeaniij', - 'true,Ghostery,Ghostery Tracker & Ad Blocker - Privacy AdBlock,mlomiejdfkolichcflejclcbmpeaniij', - 'true,Ghostery,Ghostery Tracker Ad Blocker - Privacy AdBlock,mlomiejdfkolichcflejclcbmpeaniij', 'true,,GHunt Companion,dpdcofblfbmmnikcbmmiakkclocadjab', - 'true,,Github Absolute Dates,iepecohjelcmdnahbddleblfphbaheno', + 'true,,GSConnect,jfnifeihccihocjbfcfhicmmgpjicaec', 'true,,GitHub Red Alert,kmiekjkmkbhbnlempjkaombjjcfhdnfe', + 'true,,Github Absolute Dates,iepecohjelcmdnahbddleblfphbaheno', 'true,,Gmail™ Email Templates by cloudHQ,llccdnmbipddnkhmldacpcjjcnljpoij', 'true,,Go Links,gojgbkejhelijlkgpmlbbkklljgmfljj', 'true,,GoLinks,mdkgfdijbhbcbajcdlebbodoppgnmhab', + 'true,,GoToMeeting for Google 
Calendar,gaonpiemcjiihedemhopdoefaohcjoch', + 'true,,GoToTraining Screensharing,copcmbdalilphnaiajfmonkegedhkndd', 'true,,Google Analytics Parameter Stripper,jbgedkkfkohoehhkknnmlodlobbhafge', 'true,,Google Docs Offline,ghbmnnjooekpmoecnnnilnnbdlolhkhi', 'true,,Google Drive,apdfllckaahabafndbhieahigkjlhalf', 'true,,Google Hangouts,nckgahadagoaajjgafhacjanaoiihapd', - 'true,,Google Keep Chrome Extension,lpcaedmchfhocbbapmcbpinfpgnhiddi', 'true,,Google Keep - Notes and Lists,hmjkmjkepdijhoojdojkdfohbdgmmhki', + 'true,,Google Keep Chrome Extension,lpcaedmchfhocbbapmcbpinfpgnhiddi', 'true,,Google Mail Checker,mihcahmgecmbnbcchbopgniflfhgnkff', 'true,,Google Optimize,bhdplaindhdkiflmbfbciehdccfhegci', 'true,,Google Play Books,mmimngoggfoobjdlefbcabngfnmieonb', 'true,,Google Play Movies & TV,gdijeikdkaembjbdobgfkoidjkpbmlkd', - 'true,Gordon Pedsersen,MarkDownload - Markdown Web Clipper,pcmpcfapbekmbjjkdalcgopdkipoggdi', - 'true,,GoToMeeting for Google Calendar,gaonpiemcjiihedemhopdoefaohcjoch', - 'true,,GoToTraining Screensharing,copcmbdalilphnaiajfmonkegedhkndd', 'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen', 'true,,Grammarly: Grammar Checker and AI Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen', 'true,,Grammarly: Grammar Checker and Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen', 'true,,Gravit Designer,pdagghjnpkeagmlbilmjmclfhjeaapaa', 'true,,Greenhouse Recruiting Chrome extension,naooopefdfeangnkgmjpklgblnfmbaea', - 'true,,GSConnect,jfnifeihccihocjbfcfhicmmgpjicaec', - 'true,Guilherme Nascimento,Prevent Duplicate Tabs,eednccpckdkpojaiemedoejdngappaag', - 'true,homerchen19,File Icons for GitHub and GitLab,ficfmibkjjnpogdcfhfokmihanoldbfe', + 'true,,HTTPS Everywhere,gcbommkclmclpchllfjekcdonpmejbdp', + 'true,,Hippo Video: Video and Screen Recorder,cijidiollmnkegoghpfobabpecdkeiah', 'true,,Honey: Automatic Coupons & Cash Back,bmnlcjabgnpnenekpadlanbbkooimhnj', 'true,,Honey: Automatic Coupons & 
Rewards,bmnlcjabgnpnenekpadlanbbkooimhnj', - 'true,,HTTPS Everywhere,gcbommkclmclpchllfjekcdonpmejbdp', - 'true,https://metamask.io,MetaMask,nkbihfbeogaeaoehlefnkodbefgpgknn', 'true,,HubSpot Sales,oiiaigjnkhngdbnoookogelabohpglmd', 'true,,Hundred Handshakes,cmlngncglcblbobiehdpjcgbpoemidho', 'true,,IBA Opt-out (by Google),gbiekjoijknlhijdjbaadobpkdhmoebb', - 'true,,iCloud Bookmarks,fkepacicchenbjecpbpbclokcabebhah', 'true,,Instapaper,ldjkgaaoikpmhmkelcgkgacicjfbofhh', - 'true,James Anderson,LeechBlock NG,blaaajhemilngeeffpbfkdjjoefldkok', - 'true,,Jamstash,jccdpflnecheidefpofmlblgebobbloc', - 'true,,Jitsi Meetings,kglhbbefdnlheedjiejgomgmfplipfeb', 'true,,JSON Formatter,bcjindcccaagfpapjjmafapmmgkkhgoa', 'true,,JSON Viewer Pro,eifflpmocdbdmepbjaopkkhbfmdgijcc', + 'true,,Jamstash,jccdpflnecheidefpofmlblgebobbloc', + 'true,,Jitsi Meetings,kglhbbefdnlheedjiejgomgmfplipfeb', 'true,,Kagi Search for Chrome,cdglnehniifkbagbbombnjghhcihifij', - 'true,Kai Uwe Broulik ,Plasma Integration,cimiefiiaegbelhefglklhhakcgmhkai', - 'true,Kas Elvirov,GitHub Gloc,kaodcnpebhdbpaeeemkiobcokcnegdki', - 'true,Keepa GmbH,Keepa - Amazon Price Tracker,neebplgakaahbhdphmkckjjcegoiijjo', - 'true,LastPass,LastPass: Free Password Manager,hdokiejnpimakedhajhdlcegeplioahd', - 'true,Leadjet,Leadjet - Make your CRM work on LinkedIn,kojhcdejfimplnokhhhekhiapceggamn', 'true,,Lever Hire Extension,dgbcohbjchndmjocioegkgdniaffcaia', 'true,,Link to Text Fragment,pbcodcjpfjdpcineamnnmbkkmkdpajjg', 'true,,Lolli: Earn Bitcoin When You Shop,fleenceagaplaefnklabikkmocalkcpo', + 'true,,Loom \xE2\x80\x93 Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb', 'true,,Loom – Free Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb', 'true,,Loom – Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb', 'true,,Lucidchart Diagrams,apboafhkiegglekeafbckfjldecefkhn', 'true,,Mailvelope,kajibbejlbohfaggdiogboambcijhkke', 'true,,Markdown Preview Plus,febilkbfcbhebfnokafefeacimjdckgl', 
- 'true,Marker.io,Marker.io: Visual bug reporting for websites,jofhoojcehdmaiibilpcoofpdbbddkkl', 'true,,Media Hint,akipcefbjlmpbcejgdaopmmidpnjlhnb', 'true,,Meta Pixel Helper,fdgfkebogiimcoedlicjlajpkdmockpc', - 'true,Microsoft Corporation,Microsoft 365,ndjpnladcallmjemlbaebfadecfhkepb', - 'true,Microsoft Corporation,Microsoft Autofill,fiedbfgcleddlbcmgdigjgdfcggjcion', + 'true,,Mettl Tests : Enable Screen Sharing,hkjemkcbndldepdbnbdnibeppofoooio', 'true,,Microsoft Single Sign On,ppnbnpeolgkicgegkbkbjmhlideopiji', - 'true,Moustachauve,Cookie-Editor,hlkenndednhfkekhgcdicdfddnkalmdm', - 'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka', 'true,,NoScript,doojmbjmlfjjnbmnoijecmcbfeoakpjm', 'true,,Notion Web Clipper,knheggckgoiihginacbkhaalnibhilkk', - 'true,,Office Editing for Docs, Sheets & Slides,gbkeegbaiigmenfmjfclcdgdpimamgkj', 'true,,Office - Enable Copy and Paste,ifbmcpbgkhlpfcodhjhdbllhiaomkdej', + 'true,,Office Editing for Docs, Sheets & Slides,gbkeegbaiigmenfmjfclcdgdpimamgkj', 'true,,Okta Browser Plugin,glnpjglilkicbckjpbgcfkogebgllemb', 'true,,OneLogin for Google Chrome,ioalpmibngobedobkmbhgmadaphocjdn', 'true,,OneTab,chphlpgkkbolifaimnlloiipkdnihall', - 'true,Opera,Cashback Assistant,ompjkhnkeoicimmaehlcmgmpghobbjoj', - 'true,Opera Norway AS,Opera AI Prompts,mljbnbeedpkgakdchcmfapkjhfcogaoc', - 'true,Opera Software AS,Rich Hints Agent,enegjkbbakeegngfapepobipndnebkdk', 'true,,Outbrain Pixel Tracker,daebadnaphbiobojnpgcenlkgpihmbdc', 'true,,Outreach Everywhere,chmpifjjfpeodjljjadlobceoiflhdid', 'true,,Page Analytics (by Google),fnbdnhhicmebfgdgglcdacdapkcihcoh', 'true,,Password Alert,noondiphcddnnabmjcihcjfbhfklnnep', - 'true,Pawel Psztyc,Advanced REST client,hgmloofddffdnphfgcellkdfbfbjeloo', 'true,,PhantomBuster,mdlnjfcpdiaclglfbdkbleiamdafilil', 'true,,Picture-in-Picture Extension (by Google),hkgfoiooedgoejojocmhlaklaeopbecg', - 'true,,Playback Rate,jgmkoefgnppfpagkhifpialkkkgnfgag', 'true,,PlayTo for 
Chromecast™,jngkenaoceimiimeokpdbmejeonaaami', + 'true,,Playback Rate,jgmkoefgnppfpagkhifpialkkkgnfgag', 'true,,Ponyrun,ohfoafaaamjfbhmceahibpppkbnohaeg', 'true,,Postman,fhbjgbiflinjbdggehcddcbncdddomop', 'true,,Privacy Badger,pkehgijcmpdhfbdbbnkijodmdjhbjlgp', 'true,,Private Internet Access,jplnlifepflhkbkgonidnobkakhmpnmh', - 'true,Pushbullet,Pushbullet,chlffgpmiacpedhhbkiomidkjlcfhogd', - 'true,Quantier, LLC,Vim for Google Docs™,aphmodfjbhofkpibocbggkdfnpbpjmpp', - 'true,Quantier, LLC,Vim for Google Docs\xE2\x84\xA2,aphmodfjbhofkpibocbggkdfnpbpjmpp', - 'true,Quidco.com,Quidco Cashback Reminder,offafgdgnliocofjjiohlpjpenbogkbl', 'true,,QuillBot for Chrome,iidnbdjijdkbmajdffnidomddglmieko', - 'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi', - 'true,Raymond Hill & contributors,uBlock Origin,cjpalhdlnbpafiamejdnhcphjbkeiagm', + 'true,,RSS Feed Reader,pnjaodmkngahhkoihejjehlcdlnohgmp', + 'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd', 'true,,React Developer Tools,fmkadmapgofadopljbjfkapdkoienihi', 'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm', 'true,,Readwise Highlighter,jjhefcfhmnkfeepcpnilbbkaadhngkbi', - 'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb', 'true,,Redux DevTools,lmhkpmbekcpmknklioeibfkpmmfibljd', 'true,,Refined GitHub,hlepfoohegkhhmjieoechaddaejaokhf', 'true,,RetailMeNot Deal Finder™️,jjfblogammkiefalfpafidabbnamoknm', - 'true,,RSS Feed Reader,pnjaodmkngahhkoihejjehlcdlnohgmp', - 'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd', 'true,,SABconnect++,okphadhbbjadcifjplhifajfacbkkbod', - 'true,,Salesforce,jjghhkepijgakdammjldcbnjehfkfmha', - 'true,,SalesLoft Connect,cffgjgigjfgjkfdopbobbdadaelbhepo', + 'true,,SSH for Google Cloud Platform,ojilllmhjhibplnppnamldakhpmdnibd', 'true,,SalesLoft Connect - Legacy,cffgjgigjfgjkfdopbobbdadaelbhepo', + 'true,,SalesLoft 
Connect,cffgjgigjfgjkfdopbobbdadaelbhepo', + 'true,,Salesforce,jjghhkepijgakdammjldcbnjehfkfmha', 'true,,Save to Google Drive,gmbmikajjgmnabiglmofipeabaddhgne', 'true,,Save to Pinterest,gpdjojdkbbmdfjfahjcgigfpmkopogic', 'true,,Save to Pocket,niloccemoadcdkdjlinkgdfekeahmflj', 'true,,Scraper,poegfpiagjgnenagjphgdklmgcpjaofi', - 'true,,Screenshot Master: Full Page Capture,ggacghlcchiiejclfdajbpkbjfgjhfol', + 'true,,Screen Recorder,hniebljpgcogalllopnjokppmgbhaden', 'true,,Screenshot & Screen Video Record by Screeny,djekgpcemgcnfkjldcclcpcjhemofcib', + 'true,,Screenshot Master: Full Page Capture,ggacghlcchiiejclfdajbpkbjfgjhfol', 'true,,Scribe: AI Documentation, SOPs & Screenshots,okfkdaglfjjjfefdcppliegebpoegaii', 'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd', 'true,,Selenium IDE,mooikfkahbdckldjjndioackbalphokd', 'true,,Send from Gmail (by Google),pgphcomnlaojlmmcjmiddhdapjpbgeoc', - 'true,,Sendspark Video and Screen Recorder,blimjkpadkhcpmkeboeknjcmiaogbkph', 'true,,Send to Kindle for Google Chrome���,cgdjpilhipecahhcilnafpblkieebhea', + 'true,,Sendspark Video and Screen Recorder,blimjkpadkhcpmkeboeknjcmiaogbkph', 'true,,Session Buddy,edacconmaakjimmfgnblocblbcdcpbko', 'true,,Set Character Encoding,bpojelgakakmcfmjfilgdlmhefphglae', 'true,,Shodan,jjalcfnidlmpjhdfepjhjbhnhkbgleap', 
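Review bot: SQLite string literals do not interpret backslash escapes, so the added `'true,,Loom \xE2\x80\x93 Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb'` matches only if the extension's name column literally contains the twelve characters `\xE2\x80\x93`; the sibling entry on the next line with a real en dash already covers UTF-8 data. The file evidently keeps such pairs on purpose (the removed `Vim for Google Docs\xE2\x84\xA2` key used the same convention), which suggests some osquery client or log path emits non-ASCII bytes escaped, but nothing in the file says so. A one-line comment above the list, e.g. `-- names are listed twice where a client reports non-ASCII as \xNN escapes`, would stop the next reader from "fixing" one of the pair. The IN list starts before this hunk and continues after it.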
@@ -295,28 +241,21 @@ WHERE
 'true,,Simple Tab Sorter,cgfpgnepljlgenjclbekbjdlgcodfmjp',
 'true,,Skype Calling,blakpkgjpemejpbmfiglncklihnhjkij',
 'true,,Slack,jeogkiiogjbmhklcnbgkdcjoioegiknm',
- 'true,,SSH for Google Cloud Platform,ojilllmhjhibplnppnamldakhpmdnibd',
- 'true,stefanXO,Tab Manager Plus for Chrome,cnkdjjdmfiffagllbiiilooaoofcoeff',
+ 'true,,Soapbox — Video Recorder,lmepjnndgdhcgphilomlfekmgnnmngbi',
 'true,,Super Dark Mode,nlgphodeccebbcnkgmokeegopgpnjfkc',
 'true,,Superhuman,dcgcnpooblobhncpnddnhoendgbnglpn',
- 'true,Symantec Corporation,Norton Password Manager,admmjipmmciaobhojoghlmleefbicajg',
- 'true,,Tabli,igeehkedfibbnhbfponhjjplpkeomghi',
 'true,,Tab Wrangler,egnjhciaieeiiohknchakcodbpgjnchh',
+ 'true,,Tabli,igeehkedfibbnhbfponhjjplpkeomghi',
 'true,,Tag Assistant Legacy (by Google),kejbdjndbnbjgmefkgdddjlbokphdefk',
 'true,,Tampermonkey BETA,gcalenpjmijncebpfijmoaglllgpjagf',
- 'true,Team Octotree,Octotree - GitHub code tree,bkhaagjahfmjljalopjnoealnfndnagc',
 'true,,The Marvellous Suspender,noogafoofpebimajpfpamcfhoaifemoa',
 'true,,The Org for LinkedIn,gnkbmaifcbniminbmbmiabamggncacag',
- 'true,Thomas Rientjes,Decentraleyes,ldpochfccmkkmhdbclfhpagapcfdljkj',
 'true,,TickTick - Todo & Task List,diankknpkndanachmlckaikddgcehkod',
 'true,,Todoist for Chrome,jldhpllghnbhlbpcmnajkpdmadaolakh',
 'true,,Todoist for Gmail,clgenfnodoocmhnlnpknojdbjjnmecff',
- 'true,Tomas Popela, tpopela@redhat.com,Fedora User Agent,hojggiaghnldpcknpbciehjcaoafceil',
 'true,,Trend Micro Ad Blocker: Powerful Ad Blocker,pmekfefnodgilnnjcfkkdjlebokonhpm',
- 'true,Tulio Ornelas ,JSON Viewer,gbmdgpbipfallnflgajpaliibnhdgobh',
- 'true,,Ubiquiti Device Discovery Tool,hmpigflbjeapnknladcfphgkemopofig',
- 'true,,uBlock,epcnnfbjfcgphgdmggkamkmgojdagdnn',
 'true,,UET Tag Helper (by Microsoft Advertising),naijndjklgmffmpembnkfbcjbognokbf',
+ 'true,,Ubiquiti Device Discovery Tool,hmpigflbjeapnknladcfphgkemopofig',
 'true,,Universal Video Downloader,cogmkaeijeflocngklepoknelfjpdjng',
 'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg',
 'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki',
@@ -324,27 +263,94 @@ WHERE 'true,,VidyoWebConnector,mmedphfiemffkinodeemalghecnicmnh', 'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke', 'true,,Vimeo Record - Screen & Webcam Recorder,ejfmffkmeigkphomnpabpdabfddeadcb', - 'true,Vimeo,Vimeo Record - Screen & Webcam Recorder,ejfmffkmeigkphomnpabpdabfddeadcb', 'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb', 'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd', - 'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg', 'true,,WAVE Evaluation Tool,jbbplnpkjmmeebjpijfedlgcdilocofh', - 'true,Web to Figma,Web to Figma,mafpepbepbabkenbfpcdjmmjmeeemoal', 'true,,WhatFont,jabopobgcpjmedljpbcaablpmlmfcogm', 'true,,Wikiwand: Wikipedia Modernized,emffkefkbkpkgpdeeooapgaicgmcbolj', 'true,,Windows Accounts,ppnbnpeolgkicgegkbkbjmhlideopiji', 'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb', 'true,,Wisdolia,ciknpklcipibmfbgjmdmfdfalklfdlne', 'true,,WiseStamp email signature,pbcgnkmbeodkmiijjfnliicelkjfcldg', - 'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco', + 'true,,Wistia Video Downloader,acbiaofoeebeinacmcknopaikmecdehl', 'true,,Yesware Sales Engagement,gkjnkapjmjfpipfcccnjbjcbgdnahpjp', - 'true,Yuri Konotopov ,GNOME Shell integration,gphhapmejobijbbhgpjhcjognlahblep', + 'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle', 'true,,Zoom,hmbjbjdpkobdjplfobhljndfdfdipjhg', 'true,,ZoomInfo Engage Chrome Extension,mnbjlpbmllanehlpbgilmbjgocpmcijp', - 'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle', + 'true,,[DEPRECATED] Tag Assistant Legacy,kejbdjndbnbjgmefkgdddjlbokphdefk', + 'true,,axe DevTools - Web Accessibility Testing,lhdoppojpmngadmnindnejefpokejbdd', + 'true,,coLaboratory Notebook,pianggobfjcgeihlmfhfgkfalopndooo', + 'true,,crouton integration,gcpneefbbnfalgjniomfjknbcgkbijom', + 'true,,feedly,hipbfijinpcgfogaopmgehiegacbhmob', + 'true,,iCloud Bookmarks,fkepacicchenbjecpbpbclokcabebhah', + 
'true,,uBlock,epcnnfbjfcgphgdmggkamkmgojdagdnn', + 'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco', + 'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb', + 'true,Adblock for Chrome Team,Adblock for Chrome™,onomjaelhagjjojbkcafidnepbfkpnee', + 'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom', + 'true,Adguard Software Ltd,AdGuard AdBlocker,bgnkhhnnamicmpeenaelnjfhikgbkllg', + 'true,AgileBits,1Password Nightly – Password Manager,gejiddohjgogedgjnonbofjigllpkmbf', 'true,AgileBits,1Password \xE2\x80\x93 Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa', - 'true,,Loom \xE2\x80\x93 Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb', - 'true,Quantier, LLC,Vim for Google Docs\xE2\x84\xA2,aphmodfjbhofkpibocbggkdfnpbpjmpp' + 'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk', + 'true,AgileBits,1Password – Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa', + 'true,Alexander Shutau,Dark Reader,eimadpbcbfnmbkopoojfekhnkhdbieeh', + 'true,All uBlock contributors,uBlock - free ad blocker,epcnnfbjfcgphgdmggkamkmgojdagdnn', + 'true,Benjamin Hollis,JSONView,gmegofmjomhknnokphhckolhcffdaihd', + 'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom', + 'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb', + 'true,Bitwarden Inc.,Bitwarden Password Manager,nngceckbapebfimnlniiiahkandclblb', + 'true,CAD Team,Cookie AutoDelete,fhcgjolkccmbidfldomjliifgaodjagh', + 'true,Clockwise Inc.,Clockwise: AI Calendar & Scheduling Assistant,hjcneejoopafkkibfbcaeoldpjjiamog', + 'true,Clockwise Inc.,Clockwise: Team Time & Calendar Management,hjcneejoopafkkibfbcaeoldpjjiamog', + 'true,Contacts+,Contacts+ for Gmail,cnaibnehbbinoohhjafknihmlopdhhip', + 'true,CookieBlock Team,CookieBlock,fbhiolckidkciamgcobkokpelckgnnol', + 'true,Crowdcast, Inc.,Crowdcast Screensharing,kgmadhplahebfoiijgloflhakfjlkbpb', + 
'true,Evernote,Evernote Web Clipper,pioclpoplcdbaefihamjohnefbikjilc', + 'true,ExpressVPN,ExpressVPN: VPN proxy for a better internet,fgddmllnllkalaagkghckoinaemmogpe', + 'true,Federico Brigante,GitHub Issue Link Status,nbiddhncecgemgccalnoanpnenalmkic', + 'true,François Duprat,Mobile simulator - responsive testing tool,ckejmhbmlajgoklhgbapkiccekfoccmk', + 'true,Ghostery,Ghostery Tracker & Ad Blocker - Privacy AdBlock,mlomiejdfkolichcflejclcbmpeaniij', + 'true,Ghostery,Ghostery Tracker Ad Blocker - Privacy AdBlock,mlomiejdfkolichcflejclcbmpeaniij', + 'true,Ghostery,Ghostery – Privacy Ad Blocker,mlomiejdfkolichcflejclcbmpeaniij', + 'true,Gordon Pedsersen,MarkDownload - Markdown Web Clipper,pcmpcfapbekmbjjkdalcgopdkipoggdi', + 'true,Guilherme Nascimento,Prevent Duplicate Tabs,eednccpckdkpojaiemedoejdngappaag', + 'true,James Anderson,LeechBlock NG,blaaajhemilngeeffpbfkdjjoefldkok', + 'true,Kai Uwe Broulik ,Plasma Integration,cimiefiiaegbelhefglklhhakcgmhkai', + 'true,Kas Elvirov,GitHub Gloc,kaodcnpebhdbpaeeemkiobcokcnegdki', + 'true,Keepa GmbH,Keepa - Amazon Price Tracker,neebplgakaahbhdphmkckjjcegoiijjo', + 'true,LastPass,LastPass: Free Password Manager,hdokiejnpimakedhajhdlcegeplioahd', + 'true,Leadjet,Leadjet - Make your CRM work on LinkedIn,kojhcdejfimplnokhhhekhiapceggamn', + 'true,Marker.io,Marker.io: Visual bug reporting for websites,jofhoojcehdmaiibilpcoofpdbbddkkl', + 'true,Microsoft Corporation,Microsoft 365,ndjpnladcallmjemlbaebfadecfhkepb', + 'true,Microsoft Corporation,Microsoft Autofill,fiedbfgcleddlbcmgdigjgdfcggjcion', + 'true,Moustachauve,Cookie-Editor,hlkenndednhfkekhgcdicdfddnkalmdm', + 'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka', + 'true,Opera Norway AS,Opera AI Prompts,mljbnbeedpkgakdchcmfapkjhfcogaoc', + 'true,Opera Software AS,Rich Hints Agent,enegjkbbakeegngfapepobipndnebkdk', + 'true,Opera,Cashback Assistant,ompjkhnkeoicimmaehlcmgmpghobbjoj', + 'true,Pawel Psztyc,Advanced REST 
client,hgmloofddffdnphfgcellkdfbfbjeloo', + 'true,Pushbullet,Pushbullet,chlffgpmiacpedhhbkiomidkjlcfhogd', + 'true,Quantier, LLC,Vim for Google Docs\xE2\x84\xA2,aphmodfjbhofkpibocbggkdfnpbpjmpp', + 'true,Quantier, LLC,Vim for Google Docs™,aphmodfjbhofkpibocbggkdfnpbpjmpp', + 'true,Quidco.com,Quidco Cashback Reminder,offafgdgnliocofjjiohlpjpenbogkbl', + 'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi', + 'true,Raymond Hill & contributors,uBlock Origin,cjpalhdlnbpafiamejdnhcphjbkeiagm', + 'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb', + 'true,Symantec Corporation,Norton Password Manager,admmjipmmciaobhojoghlmleefbicajg', + 'true,Team Octotree,Octotree - GitHub code tree,bkhaagjahfmjljalopjnoealnfndnagc', + 'true,Thomas Rientjes,Decentraleyes,ldpochfccmkkmhdbclfhpagapcfdljkj', + 'true,Tomas Popela, tpopela@redhat.com,Fedora User Agent,hojggiaghnldpcknpbciehjcaoafceil', + 'true,Tulio Ornelas ,JSON Viewer,gbmdgpbipfallnflgajpaliibnhdgobh', + 'true,Vimeo,Vimeo Record - Screen & Webcam Recorder,ejfmffkmeigkphomnpabpdabfddeadcb', + 'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg', + 'true,Web to Figma,Web to Figma,mafpepbepbabkenbfpcdjmmjmeeemoal', + 'true,Yuri Konotopov ,GNOME Shell integration,gphhapmejobijbbhgpjhcjognlahblep', + 'true,chromeos-recovery-tool-admin@google.com,Chromebook Recovery Utility,jndclpdbaamdhonoechobihbbiimdgai', + 'true,compose.ai,Compose AI: AI-powered Writing Tool,ddlbpiadoechcolndfeaonajmngmhblj', + 'true,eyeo GmbH,Adblock Plus - free ad blocker,cfhdojbkjhnklbpkdaibdccddilifddb', + 'true,homerchen19,File Icons for GitHub and GitLab,ficfmibkjjnpogdcfhfokmihanoldbfe', + 'true,https://metamask.io,MetaMask,nkbihfbeogaeaoehlefnkodbefgpgknn', + 'true,stefanXO,Tab Manager Plus for Chrome,cnkdjjdmfiffagllbiiilooaoofcoeff', ) AND NOT ( exception_key IN ( 
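Review bot: The re-sorted tail of this allowlist carries the same extension identifier several times under different display names or authors (`nngceckbapebfimnlniiiahkandclblb` twice for Bitwarden, `mlomiejdfkolichcflejclcbmpeaniij` three times for Ghostery, `hjcneejoopafkkibfbcaeoldpjjiamog` twice for Clockwise, `aeblfdkhhhdcdjpifhhbdiojplfjncoa` once with `\xE2\x80\x93` and once with `–`), which shows that the name and author fields of `exception_key` are manifest text the publisher rewrites on every rebrand or encoding quirk, so the list will keep drifting without the duplicates adding any detection value. As far as I know the 32-character identifier of a Web Store install is derived from the publisher's signing key and is the one field here an impostor cannot copy, so a second clause keyed on it alone, e.g. `AND NOT identifier IN ('nngceckbapebfimnlniiiahkandclblb', ...)` if the `identifier` column from `chrome_extensions` is still in scope at this point, would let the duplicated name/author rows be dropped. A short comment above the list would also help the next maintainer, noting that unpacked/sideloaded extensions take their id from the install path rather than a key, so an id-only match should not be read as proof of provenance for those. The predicate continues past the hunk: `AND NOT ( exception_key IN (` opens a clause that closes outside this view.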
diff --git a/detection/persistence/unexpected-global-lock.sql b/detection/persistence/unexpected-global-lock.sql
index 976639f..e3e255a 100644
--- a/detection/persistence/unexpected-global-lock.sql
+++ b/detection/persistence/unexpected-global-lock.sql
@@ -51,4 +51,4 @@ WHERE
 '74,0,/tmp/mysql.sock.lock,regular,0600',
 '74,0,/tmp/mysqlx.sock.lock,regular,0600'
 )
- AND NOT exception_key LIKE '500,1000,/tmp/keepassxc-%-linux.lock,regular,0644'
\ No newline at end of file
+ AND NOT exception_key LIKE '500,1000,/tmp/keepassxc-%.lock,regular,0644'
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
index 8b044d3..dffc30b 100644
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
@@ -82,6 +82,7 @@ WHERE
 '2345,6,500,dlv,',
 '24678,6,500,node,',
 '24802,6,500,synergy-service,Developer ID Application: Symless Ltd (4HX897Y6GJ)',
+ '24851,6,500,HueSync,Developer ID Application: Signify Netherlands B.V. (PREPN2W95S)',
 '25565,6,500,java,',
 '26000,6,500,node20,Developer ID Application: Node.js Foundation (HX7739G8FX)',
 '27036,6,500,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76)',
@@ -111,7 +112,6 @@ WHERE
 '49152,6,0,AirPlayXPCHelper,Software Signing',
 '49152,6,0,launchd,Software Signing',
 '49152,6,0,remoted,Software Signing',
- '24851,6,500,HueSync,Developer ID Application: Signify Netherlands B.V. (PREPN2W95S)',
 '49152,6,0,remotepairingdeviced,Software Signing',
 '49152,6,500,AUHostingServiceXPC_arrow,Software Signing',
 '49152,6,500,CaptureCoreService,Developer ID Application: Capture One A/S (5WTDB5F65L)',
@@ -150,6 +150,7 @@ WHERE
 '49152,6,500,telepresence,',
 '49152,6,500,vpnkit-bridge,Developer ID Application: Docker Inc (9BNSXJN65R)',
 '49152,6,65,mDNSResponder,Software Signing',
+ '500,6,8883,BambuStudio,BambuStudio,500u,80g',
 '5000,6,500,ControlCenter,Software Signing',
 '5001,6,500,crane,',
 '5001,6,500,gvproxy,',
@@ -195,6 +196,8 @@ WHERE
 '8834,6,0,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)',
 '8834,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
 '8888,6,500,otel-desktop-viewer,',
+ '8933,6,500,WebexHelper,Developer ID Application: Cisco (DE8Y96K9QP)',
+ '8934,6,500,WebexHelper,Developer ID Application: Cisco (DE8Y96K9QP)',
 '9101,6,500,github_actions_exporter,',
 '9991,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)'
 )
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index 1016d5e..fd10518 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -84,6 +84,7 @@ WHERE
 'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
 'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
 'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',
+ 'Xorg,/usr/lib/xorg/Xorg,0,system.slice,sddm.service,0755',
 'abrt-dump-journ,/usr/bin/abrt-dump-journal-core,0,system.slice,abrt-journal-core.service,0755',
 'abrt-dump-journ,/usr/bin/abrt-dump-journal-oops,0,system.slice,abrt-oops.service,0755',
 'abrt-dump-journ,/usr/bin/abrt-dump-journal-xorg,0,system.slice,abrt-xorg.service,0755',
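Review bot: The added `'500,6,8883,BambuStudio,BambuStudio,500u,80g'` does not follow this file's key layout, which every neighbouring entry shows as `port,protocol,uid,name,signature` (`'49152,6,65,mDNSResponder,Software Signing'`, `'5000,6,500,ControlCenter,Software Signing'`); it looks like a key copied from one of the process-talker queries, with the uid in the port slot and `500u,80g` suffixes this query's key never produces. As written it can never equal `exception_key`, so a BambuStudio listener on 8883 will keep firing and the entry is dead weight. Assuming the observed socket is TCP 8883 owned by uid 500, the line should be `'8883,6,500,BambuStudio,<signing authority as reported>'`, with the signer copied from an actual result row rather than guessed. Since 8883 is the conventional MQTT-over-TLS port, it is also worth confirming the listener is bound to localhost before excepting it; the bound-address handling, if this query has any, is outside the hunk.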
@@ -255,10 +256,12 @@ WHERE
 'scdaemon,/usr/libexec/scdaemon,0,user.slice,user-1000.slice,0755',
 'sddm,/usr/bin/sddm,0,system.slice,sddm.service,0755',
 'sddm-helper,/usr/lib/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
+ 'sddm-helper,/usr/lib/x86_64-linux-gnu/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
 'sddm-helper,/usr/libexec/sddm-helper,0,user.slice,user-1000.slice,0755',
 'sedispatch,/usr/sbin/sedispatch,0,system.slice,auditd.service,0755',
 'sh,/nix/store/__VERSION__/bin/bash,0,system.slice,znapzend.service,0555',
 'smartd,/usr/sbin/smartd,0,system.slice,smartd.service,0755',
+ 'smartd,/usr/sbin/smartd,0,system.slice,smartmontools.service,0755',
 'snapd,/snap/snapd/__VERSION__/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
 'snapd,/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
 'snapd,/usr/libexec/snapd/snapd,0,system.slice,snapd.service,0755',
@@ -327,17 +330,13 @@ WHERE
 'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-frequent.service,0555',
 'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555'
 )
- AND NOT exception_key LIKE 'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus%org.freedesktop.problems.slice,0755'
+ AND NOT exception_key LIKE '%beat,%/opt/Elastic/Agent/data/elastic-%/components/%beat,0,system.slice,elastic-agent.service,%'
+ AND NOT exception_key LIKE 'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus%org.freedesktop.problems.slice,%'
+ AND NOT exception_key LIKE 'elastic-agent,%/opt/Elastic/Agent/data/elastic-agent%/elastic-agent,0,system.slice,elastic-agent.service,%'
 AND NOT exception_key LIKE 'fusermount3,/usr/bin/fusermount3,%,user.slice,user-%.slice,4755'
- AND NOT exception_key LIKE 'elastic-agent,/opt/Elastic/Agent/data/elastic-agent%/elastic-agent,0,system.slice,elastic-agent.service,0750'
- AND NOT exception_key LIKE 'elastic-agent,/var/opt/Elastic/Agent/data/elastic-agent%/elastic-agent,0,system.slice,elastic-agent.service,0750'
- AND NOT exception_key LIKE 'elastic-agent,/var/opt/Elastic/Agent/data/elastic-agent%/elastic-agent,0,system.slice,elastic-agent.service,0770'
- AND NOT exception_key LIKE '%beat,/opt/Elastic/Agent/data/elastic-%/components/%beat,0,system.slice,elastic-agent.service,0750'
- AND NOT exception_key LIKE '%beat,/var/opt/Elastic/Agent/data/elastic-%/components/%beat,0,system.slice,elastic-agent.service,0750'
+ AND NOT exception_key LIKE 'incusd,%/bin/incusd,0,lxc.monitor.%,,0755'
 AND NOT exception_key LIKE 'osquery-extensi,/opt/Elastic/Agent/data/elastic-agent-%/components/osquery-extension.ext,0,system.slice,elastic-agent.service,0750'
 AND NOT exception_key LIKE 'osqueryd,/opt/Elastic/Agent/data/elastic-agent-%/components/osqueryd,0,system.slice,elastic-agent.service,0750'
- AND NOT exception_key LIKE 'elastic-agent,/opt/Elastic/Agent/data/elastic-agent-%/elastic-agent,0,system.slice,elastic-agent.service,0770'
- AND NOT exception_key LIKE 'incusd,%/bin/incusd,0,lxc.monitor.%,,0755'
 AND NOT p0.path IN ('/bin/bash', '/usr/bin/bash')
 AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
 GROUP BY
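Review bot: The three rewritten `LIKE` patterns end the key in `%` instead of a file mode, so the `elastic-agent`, `%beat` and `abrt-dbus` exceptions now accept any mode in the last field, including a world-writable or setuid binary, which is exactly the property this uid-0 daemon check otherwise pins (every other entry in view ends in a literal `0755`, `0555`, `0750` or `4755`). The new leading `%` on the two Elastic paths also admits any prefix rather than just `/var` (e.g. `/home/x/opt/Elastic/Agent/data/elastic-agent-1/elastic-agent`), and SQLite's `LIKE` is ASCII-case-insensitive by default, though a hit still has to run as the `elastic-agent.service` unit under `system.slice`, so I would rate the path loosening lower than the mode one. At minimum pin the mode with the one-character wildcard: `'elastic-agent,%/opt/Elastic/Agent/data/elastic-agent%/elastic-agent,0,system.slice,elastic-agent.service,07_0'`, `'%beat,%/opt/Elastic/Agent/data/elastic-%/components/%beat,0,system.slice,elastic-agent.service,07_0'`, and restore `0755` on the `abrt-dbus` line; `GLOB` with `07[57]0` would be stricter and case-sensitive if mixing operators is acceptable here. The `WHERE` this belongs to starts before the hunk and the statement continues past `GROUP BY`.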