Merge pull request #145 from tstromberg/fp4

Make unexpected-chrome-extensions easier to maintain, address false-positives
Thomas Strömberg 2023-01-26 20:41:47 -05:00 committed by GitHub
commit 508f254896
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
30 changed files with 354 additions and 263 deletions


@ -70,6 +70,7 @@ WHERE
'0,/usr/applydeltarpm,0u,0g,applydeltarpm',
'0,/usr/bash,0u,0g,bash',
'0,/usr/bash,0u,0g,mkinitcpio',
'0,/usr/chainctl,0u,0g,chainctl',
'0,/usr/cmake,u,g,cmake',
'0,/usr/containerd,u,g,containerd',
'0,/usr/dirmngr,0u,0g,dirmngr',
@ -94,6 +95,7 @@ WHERE
'0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'105,/usr/http,0u,0g,https',
'106,/usr/geoclue,0u,0g,geoclue',
'500,/app/Discord,u,g,Discord',
'500,/app/signal-desktop,u,g,signal-desktop',
'500,/app/slack,u,g,slack',
'500,/app/spotify,u,g,spotify',
@ -150,6 +152,7 @@ WHERE
'500,/opt/zoom,0u,0g,zoom',
'500,/sbin/apk,500u,500g,apk',
'500,/sbin/apk,u,g,apk',
'500,/tmp/istioctl,500u,500g,istioctl',
'500,/tmp/jetbrains-toolbox,u,g,jetbrains-toolb',
'500,/tmp/obsidian,u,g,obsidian',
'500,/tmp/terraform,500u,500g,terraform',
@ -199,9 +202,11 @@ WHERE
'500,/usr/kbfsfuse,0u,0g,kbfsfuse',
'500,/usr/keybase,0u,0g,keybase',
'500,/usr/ko,u,g,ko',
'500,/usr/kubectl,0u,0g,kubectl',
'500,/usr/kubectl,500u,500g,kubectl',
'500,/usr/lens,0u,0g,lens',
'500,/usr/melange,u,g,melange',
'500,/usr/minikube,0u,0g,minikube',
'500,/usr/nautilus,0u,0g,nautilus',
'500,/usr/nix,0u,0g,nix',
'500,/usr/node,0u,0g,node',
@ -216,16 +221,13 @@ WHERE
'500,/usr/python3.10,0u,0g,python3',
'500,/usr/python3.11,0u,0g,gnome-abrt',
'500,/usr/python3.11,0u,0g,prowler',
'500,/usr/kubectl,0u,0g,kubectl',
'500,/usr/reporter-ureport,0u,0g,reporter-urepor',
'500,/usr/rpi-imager,0u,0g,rpi-imager',
'500,/usr/signal-desktop,0u,0g,signal-desktop',
'500,/usr/signal-desktop,u,g,signal-desktop',
'500,/usr/minikube,0u,0g,minikube',
'500,/usr/slack,0u,0g,slack',
'500,/usr/spotify,0u,0g,spotify',
'500,/usr/step,500u,500g,step',
'500,/tmp/istioctl,500u,500g,istioctl',
'500,/usr/step-cli,0u,0g,step',
'500,/usr/syncthing,0u,0g,syncthing',
'500,/usr/teams,0u,0g,teams',
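Review bot: The new `'500,/tmp/istioctl,500u,500g,istioctl'` entry allow-lists a user-owned binary in a world-writable directory on nothing but its directory and basename, so any uid-500 process that drops a file named `istioctl` into `/tmp` inherits the exception. If this key format cannot carry a hash, a comment next to the `/tmp/` group such as `-- /tmp entries match dir+name only; prefer hash or cwd scoping once available` would at least record the trade-off for the next maintainer. The two kubectl keys `'500,/usr/kubectl,0u,0g,kubectl'` and `'500,/usr/kubectl,500u,500g,kubectl'` appear to encode different owner uids for the same path; a one-line note on when each arises would help triage. The WHERE clause and this exception list both extend beyond the hunk.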


@ -140,6 +140,7 @@ WHERE
'22,6,500,ssh,com.apple.openssh,Software Signing',
'22,6,500,ssh,com.apple.ssh,Software Signing',
'22,6,500,ssh,ssh,',
'443,6,500,jx,,',
'22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
'30004,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'30011,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
@ -294,6 +295,7 @@ WHERE
-- Github actions-runner
AND NOT exception_key LIKE '443,6,500,Runner.Worker,apphost-%'
AND NOT exception_key LIKE '443,6,500,Runner.Listener,apphost-%'
AND NOT exception_key LIKE '443,6,500,gh-dash,gh-dash-%,'
--
-- nix-shell infects children with open connections
AND NOT (
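Review bot: `'443,6,500,jx,,'` matches any uid-500 process named `jx` on port 443 with an empty bundle identifier and empty signing authority, so an unsigned binary that merely borrows the name satisfies the exception. If the real `jx` is unsigned, pin it by path or hash where the query exposes them, or at least annotate the entry with its reason the way `-- Github actions-runner` does for the LIKE patterns below. The line is also inserted between the `22,6,500,ssh` entries rather than in port order, which this PR otherwise tidies. The exception list continues outside the hunk.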


@ -133,6 +133,7 @@ WHERE
'qemu-system-aarch64',
'qemu-system-x86_64',
'slack',
'spotify',
'snyk',
'steam',
'syft',


@ -187,6 +187,7 @@ WHERE
'/dev/mapper/control,gpartedbin',
'/dev/zfs,zed',
'/dev/zfs,zfs',
'/dev/fb,Xorg',
'/dev/zfs,',
'/dev/zfs,zpool'
)
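Review bot: `'/dev/fb,Xorg'` is dropped between two `/dev/zfs` entries, so the `exception_key` list is no longer ordered by device; placing it above `'/dev/mapper/control,gpartedbin'` keeps the list scannable. A short reason comment (`-- Xorg framebuffer fallback`) would also help, since the key here carries only device path and process name and cannot itself express why Xorg is expected to open `/dev/fb`. The enclosing IN list starts outside the hunk.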


@ -83,7 +83,10 @@ WHERE
'zsh'
)
)
AND NOT exception_key IN ('netstat,500,IPNExtension,launchd')
AND NOT exception_key IN (
'netstat,500,IPNExtension,launchd',
'pfctl,0,pia-daemon,launchd'
)
AND p1_cmd NOT IN ('/bin/sh /etc/periodic/daily/420.status-network')
GROUP BY
pe.pid
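Review bot: `'pfctl,0,pia-daemon,launchd'` exempts a root `pfctl` invocation purely on the parent's basename, so any root process that calls itself `pia-daemon` can reconfigure the packet filter without this query noticing. The query already reaches parent data (`p1_cmd` on the next line), so, assuming a parent-path column is exposed here, a tighter form would be `AND NOT (exception_key = 'pfctl,0,pia-daemon,launchd' AND p1_path LIKE '/Applications/%')` or similar path pinning. At minimum a `-- Private Internet Access VPN daemon` comment would record the intent for reviewers who do not recognise the name.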


@ -38,8 +38,10 @@ WHERE
'dhcpcd',
'modprobe',
'dnf',
'gdm-x-session',
'systemd-udevd',
'gdm-session-wor',
'systemd-userwor',
'fprintd',
'systemd',
'gpg-agent',
@ -51,6 +53,7 @@ WHERE
'sedispatch',
'zypak-sandbox'
)
AND NOT pp.name IN ('systemd-userdbd')
AND NOT (
p.name LIKE 'systemd-%'
AND p.parent = 1
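Review bot: The new entries `'gdm-session-wor'` and `'systemd-userwor'` are 15-character truncations while `'gdm-x-session'` is a full name, which suggests this list is compared against the kernel comm field; a comment such as `-- names here are truncated to 15 chars (kernel comm)` above the list would stop a future contributor from "fixing" them, especially since the shell-launch query in this same PR lists the untruncated `'gdm-session-worker'`. `AND NOT pp.name IN ('systemd-userdbd')` is a one-element IN and reads more directly as `AND pp.name != 'systemd-userdbd'`, or deserves a `-- parent exceptions` comment if more entries are expected. The enclosing NOT IN list starts outside the hunk.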


@ -66,6 +66,7 @@ WHERE
'Electron,~/.vscode/extensions',
'fish,~/.local/share',
'fish,~/.Trash',
'cc1,/home/build/.cache',
'git,~/.local/share',
'java,~/.gradle/daemon',
'java,~/.local/share',
@ -131,3 +132,5 @@ WHERE
AND p.euid = 0
)
)
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
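Review bot: `AND NOT p.cgroup_path LIKE '/system.slice/docker-%'` sits at the top level of the WHERE clause, so it drops every process running inside a Docker container from this detection regardless of uid or which hidden directory it writes — a far wider hole than the per-program exception keys above it. If the false positive was a particular build container, scope it like `'cc1,/home/build/.cache'` or gate it on uid, and document it: `-- container builds write caches into hidden dirs; all docker cgroups excluded`. The `/home/build/.cache` key also hard-codes a user name where its neighbours use `~/`, so the same workload under another account will still alert. The WHERE clause begins outside the hunk.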


@ -28,6 +28,9 @@ WHERE
)
AND file.filename NOT IN ('.', '..')
AND exception_key NOT IN (
'/etc/ld.so.conf.d/gds-11-8.conf,0644,46,2b48cb0abd03ff1d8926eca02a71540f4ee00ebccad5515e4d28a542dae8438a',
'/etc/ld.so.conf.d/989_cuda-11.conf,0644,44,915b1ed4caa95cf65a62a74d8255c5ef80ef864cc2767933c85e240a78957167',
'/etc/ld.so.conf.d/000_cuda.conf,0644,41,a9327cff9435220eac872cffedc7f6144d915bdcb70d985304c72f4c3cb9a7d3',
'/etc/ld.so.conf,0644,117,dad04a370e488aa85fb0a813a5c83cf6fd981ce01883fc59685447b092de84b5',
'/etc/ld.so.conf,0644,28,239c865e4c0746a01f82b03d38d620853bab2a2ba8e81d6f5606c503e0ea379f',
'/etc/ld.so.conf,0644,34,d4b198c463418b493208485def26a6f4c57279467b9dfa491b70433cedb602e8',


@ -4,7 +4,7 @@
-- * developers building code out of /tmp
--
-- tags: persistent
-- platform: posix
-- platform: linux
SELECT
file.path,
uid,
@ -42,31 +42,32 @@ WHERE
uid > 500
AND (
file.path LIKE '%/go-build%'
OR file.path LIKE '/tmp/checkout/%'
OR file.path LIKE '/tmp/flow/%.npmzS_cacachezStmpzSgit-clone%'
OR file.path LIKE '/tmp/%/site-packages/markupsafe/_speedups.cpython-%'
OR file.path LIKE '/tmp/go.%.sum'
OR file.path LIKE '/tmp/guile-%/guile-%'
OR file.path LIKE '/tmp/src/%'
OR file.path LIKE '/tmp/%/src/%'
OR file.path LIKE '/tmp/%/git/%'
OR file.path LIKE '/tmp/%/ci/%'
OR file.path LIKE '/tmp/kots/%'
OR file.directory LIKE '/tmp/%/out'
OR file.path LIKE '%/bin/%-gen'
OR file.path LIKE '%/ko/%'
OR file.path LIKE '%/pdf-tools/%'
OR file.path LIKE '/tmp/bin/%'
OR file.path LIKE '/tmp/%/target/%'
OR file.path LIKE '/tmp/%/bin/busybox'
OR file.path LIKE '/tmp/checkout/%'
OR file.path LIKE '/tmp/%/ci/%'
OR file.path LIKE '/tmp/%/debug/%'
OR file.path LIKE '/tmp/%/dist/%'
OR file.path LIKE '%/tmp/epdf%'
OR file.path LIKE '/tmp/flow/%.npmzS_cacachezStmpzSgit-clone%'
OR file.path LIKE '/tmp/%/git/%'
OR file.path LIKE '/tmp/%/github/%'
OR file.path LIKE '/tmp/go.%.sum'
OR file.path LIKE "/tmp/%/gradlew"
OR file.path LIKE '/tmp/guile-%/guile-%'
OR file.path LIKE '/tmp/kots/%'
OR file.path LIKE '/tmp/%/site-packages/markupsafe/_speedups.cpython-%'
OR file.path LIKE '/tmp/%/src/%'
OR file.path LIKE '/tmp/src/%'
OR file.path LIKE '/tmp/%/target/%'
OR file.path LIKE '/tmp/%/target/debug/build/%'
OR file.path LIKE '/tmp/terraformer/%'
OR file.path LIKE '/tmp/tmp.%'
OR file.path LIKE '/tmp/%/dist/%'
OR file.path LIKE '%/bin/%-gen'
OR file.path LIKE '/tmp/%/target/debug/build/%'
OR file.path LIKE '%/ko/%'
OR file.directory LIKE '/tmp/%/out'
OR file.path LIKE '%/pdf-tools/%'
OR file.path LIKE '%/tmp/epdf%'
OR file.path LIKE "/tmp/%/gradlew"
OR file.path LIKE '/tmp/%/venv/bin/%'
OR -- These regular expressions can be narrowed down
(
file.size < 50000
@ -78,6 +79,7 @@ WHERE
'java',
'js',
'json',
'pem',
'nib',
'log',
'strings',
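Review bot: Adding `'pem'` to the small-file extension allowlist means a private key or certificate bundle staged in `/tmp` by a uid > 500 account is now ignored by this query, which cuts against its purpose; if a specific tool's temp output caused the noise, a path pattern like the new `'/tmp/%/venv/bin/%'` line is a narrower fix than exempting the extension globally. `OR file.path LIKE "/tmp/%/gradlew"` uses double quotes while every other literal uses single quotes; SQLite only treats it as a string because no such column exists, so normalise it to `'/tmp/%/gradlew'`. The `platform: posix` → `linux` switch silently drops macOS coverage and deserves a line in the header comment. The WHERE clause and the extension list continue outside the hunk.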


@ -114,7 +114,8 @@ WHERE
AND (strftime('%s', 'now') - ctime) < 30
) -- macOS updates
AND NOT file.directory LIKE '/tmp/msu-target-%' -- I don't know man. I don't work here.
AND NOT file.directory LIKE '/tmp/UpdateBrain-%/AssetData/com.apple.MobileSoftwareUpdate.UpdateBrainService.xpc/Contents/MacOS' -- terraform
AND NOT file.directory LIKE '/tmp/UpdateBrain-%/AssetData/com.apple.MobileSoftwareUpdate.UpdateBrainService.xpc/Contents/MacOS'
-- terraform
AND NOT (
uid > 500
AND file.path LIKE '/tmp/terraform_%/terraform'
@ -135,9 +136,10 @@ WHERE
AND NOT (
magic.data IS NOT NULL
AND (
magic.data = 'JSON data'
magic.data IN ('JSON data', 'ASCII text')
OR magic.data LIKE 'ELF %-bit %SB executable%'
OR magic.data LIKE 'symbolic link to ld%.so.%'
OR magic.data LIKE 'symbolic link to l%.so.%'
OR magic.data LIKE 'ELF %-bit LSB shared object%'
OR magic.data LIKE 'libtool library file,%'
)
)
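Review bot: Widening `'symbolic link to ld%.so.%'` to `'symbolic link to l%.so.%'` now exempts a symlink to any `lib*.so.*`, not only the dynamic loader, and `magic.data IN ('JSON data', 'ASCII text')` exempts every plain text file in scope; both look like deliberate false-positive fixes but neither says why. A short comment on each, e.g. `-- shared-library symlinks (libfoo.so.N) left by build trees`, would record the intent, and it is worth noting that `'ASCII text'` is an exact match, so files libmagic reports with a longer description (scripts with a shebang are typically reported as `... script, ASCII text executable`) are presumably still caught. The enclosing NOT (...) group starts outside the hunk.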


@ -16,7 +16,6 @@ SELECT
TRIM(pe.cmdline) AS p0_cmd,
pe.pid AS p0_pid,
p.cgroup_path AS p0_cgroup,
IIF(p.pid IS NOT NULL, 1, 0) AS p0_active,
-- Parent
pe.parent AS p1_pid,
p1.cgroup_path AS p1_cgroup,
@ -24,7 +23,6 @@ SELECT
COALESCE(p1.path, pe1.path) AS p1_path,
COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
REGEX_MATCH(COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
IIF(p1.pid IS NOT NULL, 1, 0) AS p1_active,
-- Grandparent
COALESCE(p1.parent, pe1.parent) AS p2_pid,
COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,
@ -32,7 +30,6 @@ SELECT
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
COALESCE(p1_p2_hash.path, pe1_p2_hash.path, pe1_pe2_hash.path) AS p2_hash,
REGEX_MATCH(COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path), '.*/(.*)', 1) AS p2_name,
IIF(COALESCE(p1_p2.pid, pe1_p2.pid) IS NOT NULL, 1, 0) AS p2_active,
-- Exception key
REGEX_MATCH (pe.path, '.*/(.*)', 1) || ',' || MIN(pe.euid, 500) || ',' || REGEX_MATCH(COALESCE(p1.path, pe1.path), '.*/(.*)', 1) || ',' || REGEX_MATCH(COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path), '.*/(.*)', 1) AS exception_key
FROM
@ -89,7 +86,6 @@ WHERE
OR p0_name LIKE '%attack%'
-- Unusual behaviors
OR p0_cmd LIKE '%ufw disable%'
OR p0_cmd LIKE '%powershell%'
OR p0_cmd LIKE '%iptables -P % ACCEPT%'
OR p0_cmd LIKE '%iptables -F%'
OR p0_cmd LIKE '%chattr -ia%'
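Review bot: Removing `OR p0_cmd LIKE '%powershell%'` deletes the only PowerShell indicator in this "Unusual behaviors" group instead of carving out the false positive that prompted it; if the noise came from a legitimate `pwsh` user, an `exception_key`- or parent-based exception further down keeps the signal for everyone else. The dropped `p0_active`/`p1_active`/`p2_active` columns were the only indication of whether a row came from a live `processes` entry or only from `process_events`, so any consumer keyed on them sees a silent output change that the PR description does not mention. The SELECT and WHERE clauses extend beyond this hunk.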


@ -164,6 +164,8 @@ WHERE
AND NOT p0_cmd LIKE '/bin/rm -f /tmp/periodic.%'
AND NOT p0_cmd LIKE 'rm -f /tmp/locate%/_updatedb%'
AND NOT p0_cmd LIKE 'rm -f /tmp/locate%/mklocate%/_mklocatedb%'
AND NOT p0_cmd LIKE '%launchctl load -w /Library/LaunchAgents/com.opalcamera.vcam.assistant.plist'
AND NOT p0_cmd LIKE '%launchctl load -w /Library/LaunchAgents/com.opalcamera.OpalCamera.startOnUsbPlugged.agent.plist'
AND NOT p0_cmd LIKE 'rm -f /tmp/insttmp_%'
AND NOT p0_cmd LIKE '/bin/cp %history%sessions/%'
AND NOT p0_cmd LIKE 'touch -r /tmp/KSInstallAction.%'
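Review bot: The two new `launchctl load -w /Library/LaunchAgents/com.opalcamera...plist` exceptions start with a bare `%`, so any command line that merely ends with that string — including one chained after other commands — is exempted, and the match rests on a plist path that anyone able to write `/Library/LaunchAgents` can reuse. Anchoring on the binary, e.g. `AND NOT p0_cmd LIKE '/bin/launchctl load -w /Library/LaunchAgents/com.opalcamera.%.plist'`, and on the parent name if it is available here would keep the false-positive fix while narrowing the hole. A `-- Opal Camera installer` comment would also help readers who do not recognise the bundle id. The exception chain continues outside the hunk.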


@ -117,3 +117,6 @@ WHERE
cmd LIKE '%tail -f /dev/null%'
AND p.cgroup_path NOT LIKE '/system.slice/docker-%'
)
AND NOT cmd IN (
'socat UNIX-LISTEN:/run/user/1000/app/com.discordapp.Discord/discord-ipc-0,forever,fork UNIX-CONNECT:/run/user/1000/discord-ipc-0'
)
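Review bot: The socat exception hard-codes `/run/user/1000/` twice, so the same Discord flatpak IPC bridge under any other uid will keep alerting; `AND NOT cmd LIKE 'socat UNIX-LISTEN:/run/user/%/app/com.discordapp.Discord/discord-ipc-0,forever,fork UNIX-CONNECT:/run/user/%/discord-ipc-0'` keeps the exact command shape while dropping the uid. A one-element `IN (...)` also reads oddly; `=` or the LIKE form is clearer. A `-- Discord flatpak IPC bridge` comment would record why a long-lived socat is expected. The WHERE clause starts outside the hunk.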


@ -50,8 +50,10 @@ WHERE
'/opt/Lens/chrome_crashpad_handler',
'/opt/Lens/lens',
'/opt/sublime_text/sublime_text',
'/usr/lib/systemd/systemd-machined',
'/usr/bin/alacritty',
'/usr/bin/bash',
'/usr/bin/rpmbuild',
'/usr/bin/cargo',
'/usr/bin/containerd',
'/usr/bin/containerd-shim-runc-v2',
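Review bot: `'/usr/lib/systemd/systemd-machined'` and `'/usr/bin/rpmbuild'` are inserted out of the alphabetical order the rest of this path list keeps (`/opt/...`, then `/usr/bin/alacritty`, `bash`, `cargo`, ...), which is the kind of drift the PR title sets out to reduce; move `systemd-machined` below the `/usr/bin/` entries and `rpmbuild` to its sorted slot. The IN list continues outside the hunk.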


@ -7,30 +7,45 @@
-- interval: 300
-- tags: process events
SELECT
pe.pid,
pe.path,
pe.mode,
pe.cwd,
pe.euid,
pe.parent,
pp.path AS parent_path,
pp.name AS parent_name,
pp.cmdline AS parent_cmd,
pp.euid AS parent_euid,
phash.sha256 AS parent_sha256,
gp.cmdline AS gparent_cmd,
hash.sha256 AS sha256,
p.cgroup_path AS cgroup,
pp.cgroup_path AS parent_cgroup,
gp.cgroup_path AS gparent_cgroup
-- Child
pe.path AS p0_path,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
TRIM(pe.cmdline) AS p0_cmd,
pe.pid AS p0_pid,
p.cgroup_path AS p0_cgroup,
-- Parent
pe.parent AS p1_pid,
p1.cgroup_path AS p1_cgroup,
TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
COALESCE(p1.path, pe1.path) AS p1_path,
COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
REGEX_MATCH(COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
-- Grandparent
COALESCE(p1.parent, pe1.parent) AS p2_pid,
COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,
TRIM(COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)) AS p2_cmd,
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
COALESCE(p1_p2_hash.path, pe1_p2_hash.path, pe1_pe2_hash.path) AS p2_hash,
REGEX_MATCH(COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path), '.*/(.*)', 1) AS p2_name
FROM
process_events pe
LEFT JOIN processes p ON pe.pid = pe.pid
LEFT JOIN processes pp ON pe.parent = p.pid
LEFT JOIN processes gp ON pp.parent = gp.pid
LEFT JOIN hash ON pe.path = hash.path
LEFT JOIN hash phash ON pp.path = hash.path
process_events pe,
uptime
LEFT JOIN processes p ON pe.pid = p.pid
-- Parents (via two paths)
LEFT JOIN processes p1 ON pe.parent = p1.pid
LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
LEFT JOIN process_events pe1 ON pe.parent = pe1.pid AND pe1.cmdline != ''
LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
-- Grandparents (via 3 paths)
LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
WHERE
pe.euid < 500
pe.time > (strftime('%s', 'now') -300)
AND pe.cmdline != ''
AND pe.euid < 500
AND pe.cmdline LIKE './%'
AND pe.time > (strftime('%s', 'now') -300)
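Review bot: `LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid AND pe1_pe2.cmdline != ''` joins the past-grandparent alias on the wrong table — the condition never mentions `pe1_pe2.pid`, so whenever `pe1.parent = pe1_p2.pid` holds every `process_events` row with a non-empty cmdline is joined and the result fans out; it should read `LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_pe2.pid AND pe1_pe2.cmdline != ''`. The new `FROM process_events pe, uptime` comma join is presumably the osquery idiom for forcing an evented table read; a one-line comment saying so would stop someone from "fixing" it into a plain FROM. The rewritten SELECT also drops `pe.cwd`, which for a query about `./`-relative launches was arguably the most useful triage column.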


@ -8,38 +8,64 @@
-- tags: transient process events
-- platform: posix
SELECT
pe.pid,
pe.cmdline,
-- Child
pe.path AS p0_path,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
TRIM(pe.cmdline) AS p0_cmd,
pe.pid AS p0_pid,
p.cgroup_path AS p0_cgroup,
IIF(p.pid IS NOT NULL, 1, 0) AS p0_active,
-- Parent
pe.parent AS p1_pid,
p1.cgroup_path AS p1_cgroup,
TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
COALESCE(p1.path, pe1.path) AS p1_path,
COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
REGEX_MATCH(COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
IIF(p1.pid IS NOT NULL, 1, 0) AS p1_active,
-- Grandparent
COALESCE(p1.parent, pe1.parent) AS p2_pid,
COALESCE(p1_p2.cgroup_path, pe1_p2.cgroup_path) AS p2_cgroup,
TRIM(COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)) AS p2_cmd,
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
COALESCE(p1_p2_hash.path, pe1_p2_hash.path, pe1_pe2_hash.path) AS p2_hash,
REGEX_MATCH(COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path), '.*/(.*)', 1) AS p2_name,
IIF(COALESCE(p1_p2.pid, pe1_p2.pid) IS NOT NULL, 1, 0) AS p2_active,
-- Extra fields
REGEX_MATCH (pe.cmdline, '(\w+:\/\/.*)\b', 1) AS url,
REGEX_MATCH (pe.cmdline, '[ /](\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
REGEX_MATCH (pe.cmdline, ':(\d+)', 1) AS port,
REGEX_MATCH (pe.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr,
REGEX_MATCH (pe.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld,
pe.cwd,
pe.euid,
pe.parent,
pp.parent AS gparent,
p.cgroup_path,
pp.path AS parent_path,
pp.name AS parent_name,
pp.cmdline AS parent_cmdline,
gp.cmdline AS gparent_cmdline,
gp.name AS gparent_name,
pp.euid AS parent_euid,
hash.sha256 AS parent_sha256
REGEX_MATCH (pe.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld
FROM
process_events pe
process_events pe,
uptime
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN processes pp ON pe.parent = pp.pid
LEFT JOIN processes gp ON pp.parent = gp.pid
LEFT JOIN hash ON pp.path = hash.path
-- Parents (via two paths)
LEFT JOIN processes p1 ON pe.parent = p1.pid
LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
LEFT JOIN process_events pe1 ON pe.parent = pe1.pid AND pe1.cmdline != ''
LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
-- Grandparents (via 3 paths)
LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid -- Current grandparent via parent processes
LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid -- Current grandparent via parent events
LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
-- Extra fields
WHERE
pe.time > (strftime('%s', 'now') -60)
AND pe.cmdline != ''
-- NOTE: Sync remaining portion with sketchy-fetchers
AND (
INSTR(pe.cmdline, 'wget ') > 0
OR INSTR(pe.cmdline, 'curl ') > 0
)
-- Sketchy fetcher events always seem to contain a switch
AND pe.cmdline LIKE '%-%'
AND pe.cmdline LIKE '%/%'
AND (
-- If it's an IP or port, it's suspicious
ip NOT IN ('', '127.0.0.1', '0.0.0.0', '::1')
@ -98,7 +124,6 @@ WHERE
)
)
-- Exceptions for all calls
AND pp.name NOT IN ('makepkg', 'apko') -- Exceptions for non-privileged calls
AND NOT (
pe.euid > 500
AND (
@ -124,8 +149,8 @@ WHERE
OR pe.cmdline LIKE '%.well-known/openid-configuration%'
OR pe.cmdline LIKE 'wget --no-check-certificate https://github.com/%'
OR pe.cmdline LIKE 'curl -sL wttr.in%'
OR parent_cmdline LIKE '%brew.rb%'
OR parent_cmdline LIKE '%brew.sh%'
OR p1_cmd LIKE '%brew.rb%'
OR p1_cmd LIKE '%brew.sh%'
)
)
AND NOT (
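Review bot: Same alias slip as in the sibling query: `LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid AND pe1_pe2.cmdline != ''` never constrains `pe1_pe2.pid`, so the join can fan out over every event with a cmdline; it should be `ON pe1.parent = pe1_pe2.pid AND pe1_pe2.cmdline != ''`. The added gate `AND pe.cmdline LIKE '%-%' AND pe.cmdline LIKE '%/%'` is justified only by "always seem to contain a switch", yet `curl example.com/x` (no dash) or `wget -qO- host` (no slash) would now be skipped, so it deserves a comment stating that this is an accepted precision/recall trade-off. The former `pp.name NOT IN ('makepkg', 'apko')` exception appears to be dropped along with the `pp` alias without a `p1_name` equivalent visible in this hunk. The exception block continues outside the hunk.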


@ -39,6 +39,9 @@ WHERE
INSTR(p.cmdline, 'wget ') > 0
OR INSTR(p.cmdline, 'curl ') > 0
)
-- Sketchy fetcher events always seem to contain a switch
AND p.cmdline LIKE '%-%'
AND p.cmdline LIKE '%/%'
AND (
ip NOT IN ('', '127.0.0.1', '::1')
OR port != ''
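Review bot: `ip NOT IN ('', '127.0.0.1', '::1')` omits `'0.0.0.0'`, which the events variant in this PR now lists even though that file carries a `-- NOTE: Sync remaining portion with sketchy-fetchers` comment; align the two lists so the same fetch is treated alike. The new `AND p.cmdline LIKE '%-%' AND p.cmdline LIKE '%/%'` gate drops fetches with no switch or no slash (e.g. `curl example.com/x`, `wget -qO- host`) and rests on "always seem to", so a comment naming it as a deliberate noise-reduction trade-off would help. The WHERE clause starts and ends outside the hunk.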


@ -46,6 +46,7 @@ WHERE
'curl,500,bash,fakeroot',
'curl,500,bash,nix-daemon',
'curl,500,bash,ShellLauncher',
'curl,500,Slack,launchd',
'curl,500,bash,zsh',
'curl,500,env,env',
'curl,500,fish,gnome-terminal-',


@ -82,12 +82,14 @@ WHERE
OR p0_cmd LIKE '/usr/bin/osascript /Applications/Amazon Photos.app/Contents/Resources/quit_and_restart_app.scpt /Applications/Amazon Photos.app com.amazon.clouddrive.mac%'
OR p1_cmd LIKE '%/bin/gcloud auth%login'
OR p1_cmd LIKE '%/google-cloud-sdk/lib/gcloud.py auth%login'
OR p1_cmd LIKE '%aws configure sso'
OR p1_cmd LIKE '% /opt/homebrew/bin/jupyter%notebook'
OR p1_name IN ('yubikey-agent')
OR (
p1_authority = 'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM)'
AND p0_cmd = 'osascript -ss'
)
)
)
-- The following apply to all uids
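Review bot: `OR p1_cmd LIKE '%aws configure sso'` uses a bare leading wildcard, so any parent command line that happens to end in `aws configure sso` is exempted, whereas the shell-launch query in this same PR pins the interpreter with `'%Python /opt/homebrew/bin/aws configure sso'`; use the anchored form here too for consistency. `OR p1_name IN ('yubikey-agent')` is a one-element IN and reads more naturally as `OR p1_name = 'yubikey-agent'`. The exception group and its enclosing uid condition start outside the hunk.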


@ -59,6 +59,7 @@ FROM
WHERE
pe.time > (strftime('%s', 'now') -900)
AND pe.status = 0
AND pe.parent > 0
AND pe.cmdline != ''
AND pe.cmdline IS NOT NULL
AND pe.status == 0
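Review bot: `AND pe.status = 0` and `AND pe.status == 0` both appear in this WHERE clause three lines apart, so one is redundant and they differ only in operator spelling; keep the `=` form and drop the other while this block is being touched. The new `AND pe.parent > 0` filter is unexplained — if it exists to skip events with no recoverable parent, a `-- ignore events with no usable parent pid` comment would say so. The WHERE clause continues outside the hunk.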


@ -37,6 +37,7 @@ WHERE
AND (
file.filename LIKE 'Installer.%'
OR file.filename LIKE '%Player.%'
OR file.filename LIKE '% AIR %'
OR file.filename LIKE '%Flash%'
OR file.filename LIKE '%Resume%'
)


@ -70,8 +70,10 @@ WHERE
'Code Helper (Renderer)',
'Code - Insiders Helper (Renderer)',
'collect2',
'com.docker.backend',
'conmon',
'containerd-shim',
'cpptools',
'dash',
'demoit',
'direnv',
@ -83,12 +85,17 @@ WHERE
'find',
'FinderSyncExtension',
'fish',
'gatherheaderdoc',
'gdm-session-worker',
'gdm-x-session',
'git',
'gke-gcloud-auth-plugin',
'gnome-terminal-server',
'go',
'goland',
'gopls',
'helm',
'HP Diagnose & Fix',
'i3bar',
'i3blocks',
'java',
@ -105,14 +112,15 @@ WHERE
'nix',
'nix-build',
'nix-daemon',
'nm-dispatcher',
'node',
'nvim',
'package_script_service',
'perl',
'PK-Backend',
'pulumi',
-- 'python' - do not include this, or you won't detect supply-chain attacks.
'roxterm',
'HP Diagnose & Fix',
'sdk',
'sdzoomplugin',
'sh',
@ -120,6 +128,7 @@ WHERE
'skhd',
'snyk',
'sshd',
'Stream Deck',
'sudo',
'swift',
'systemd',
@ -131,11 +140,13 @@ WHERE
'update-notifier',
'vi',
'vim',
'Vim',
'watch',
'wezterm-gui',
'xargs',
'xcrun',
'xfce4-terminal',
'yay',
'yum',
'zellij',
'zsh'
@ -148,12 +159,24 @@ WHERE
OR p0_cmd IN (
'sh -c /bin/stty size 2>/dev/null',
'sh -c python3.7 --version 2>&1',
'/bin/sh -c lsb_release -a --short',
'/bin/sh -c ps ax -ww -o pid,ppid,uid,gid,args',
"sh -c osascript -e 'user locale of (get system info)'",
'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null'
)
OR p0_cmd LIKE '/bin/bash /usr/local/Homebrew/Library%'
OR exception_key IN ('bash,0,pia-daemon,launchd')
OR p0_cmd LIKE '%/bash -e%/bin/as -arch%'
OR p0_cmd LIKE '/bin/bash /usr/local/Homebrew/%'
OR p0_cmd LIKE '/bin/bash /opt/homebrew/%'
OR p0_cmd LIKE '/bin/sh -c pkg-config %'
OR p0_cmd LIKE '/bin/sh %/docker-credential-gcloud get'
OR p0_cmd LIKE '%/bash -e%/bin/as -arch%'
OR p0_cmd LIKE '%/google-chrome --flag-switches-begin --flag-switches-end --product-version'
OR p0_cmd LIKE '%/google-chrome --restart --flag-switches-begin --flag-switches-end --product-version'
OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-open %'
OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-settings set %'
OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-settings check %'
OR p0_cmd LIKE '%gcloud config config-helper --format=json'
OR p1_cmd LIKE '%Python /opt/homebrew/bin/aws configure sso'
OR p2_cmd LIKE '/bin/bash /usr/local/bin/brew%'
OR p2_cmd LIKE '/usr/bin/python3 -m py_compile %'
)
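Review bot: `OR p2_cmd LIKE '/usr/bin/python3 -m py_compile %'` exempts any shell whose grandparent is a `py_compile` run, which is exactly the Python-driven path that the `-- 'python' - do not include this, or you won't detect supply-chain attacks.` comment earlier in this list insists must stay visible; a package that spawns a shell during byte-compilation would now be hidden. If a packaging tool caused the noise, pin it by `p1_cmd` or a full `exception_key` instead of the grandparent alone. Smaller points: `'Vim'` and `'vim'` both appear (fine for a case-sensitive IN, but a comment would save a future "duplicate" removal), and `OR exception_key IN ('bash,0,pia-daemon,launchd')` again trusts a parent basename to excuse a root shell. The exception group continues outside the hunk.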


@ -94,6 +94,7 @@ WHERE
'sdzoomplugin',
'sh',
'ssh',
'GoogleSoftwareUpdateAgent',
'skhd',
'sshd',
'swift',


@ -45,8 +45,7 @@ WHERE
'command',
'lnk',
'mpkg',
-- Enable later once we know this query works well
-- 'pkg',
'pkg',
'scpt',
'dmg',
'iso',
@ -69,26 +68,27 @@ WHERE
OR basename LIKE 'cg%'
) -- exceptions go here
AND basename NOT IN (
'..',
'.',
'.background',
'.disk_label_2x',
'.disk_label',
'.DS_Store',
'.iotest',
'.file-revisions-by-id',
'.file',
'.metadata_never_index_unless_rootfs',
'.shortcut-targets-by-id',
'.TemporaryItems',
'.Trashes',
'._Id.txt',
'._AUTORUN.INF',
'.vol',
'.apdisk',
'._.Trashes',
'._.TemporaryItems',
'..',
'._.apdisk',
'.apdisk',
'._AUTORUN.INF',
'.background',
'.disk_label',
'.disk_label_2x',
'.DS_Store',
'.file',
'.file-revisions-by-id',
'._Id.txt',
'.iotest',
'.metadata_never_index_unless_rootfs',
'Seagate Dashboard Installer.exe',
'.shortcut-targets-by-id',
'._.TemporaryItems',
'.TemporaryItems',
'._.Trashes',
'.Trashes',
'.vol',
'.VolumeIcon.icns'
)
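Review bot: `'Seagate Dashboard Installer.exe'` exempts an executable on mounted media by basename alone, so any `.exe` carrying that name passes; since the query already filters on `authority NOT IN (...)` on the next line, excluding the vendor's signing authority (or a file hash, if one is exposed) would be a far stronger key than the filename. Enabling `'pkg'` widens the extension set as the removed `-- Enable later once we know this query works well` note anticipated, which means this basename list will likely keep growing; a `-- vendor installers shipped on media` comment grouping such entries would keep it readable. The surrounding WHERE clause continues outside the hunk.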
AND authority NOT IN (


@ -19,8 +19,11 @@ AND vol_name NOT LIKE '%backup%'
AND vol_name NOT IN (
'Slack',
'Docker',
'Figma Agent Installer',
'WhatsApp Installer',
'Snagit',
'Bartender 4'
)
AND vol_name NOT LIKE 'Signal %-universal'
AND vol_name NOT LIKE 'Gephi %'
AND vol_name NOT LIKE 'Gephi %'
AND mounts.path NOT LIKE '/private/tmp/KSInstallAction.%'
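Review bot: `AND vol_name NOT LIKE 'Gephi %'` appears twice in a row in the rendered result; if both copies are on the new side, one should be removed. The new `AND mounts.path NOT LIKE '/private/tmp/KSInstallAction.%'` exemption covers every Keystone-style staging mount regardless of volume name; a `-- Google Software Update (Keystone) staging mounts` comment would record why it is trusted. The WHERE clause starts outside the hunk.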


@ -46,6 +46,7 @@ WHERE
AND (
exception_key IN (
'abrtd.service,ABRT Automated Bug Reporting Tool,,400',
'nvidia-fallback.service,Fallback to nouveau as nvidia did not load,,400',
'abrt-journal-core.service,Creates ABRT problems from coredumpctl messages,,200',
'abrt-oops.service,ABRT kernel log watcher,,200',
'abrt-xorg.service,ABRT Xorg log watcher,,200',
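Review bot: `'nvidia-fallback.service,Fallback to nouveau as nvidia did not load,,400'` is inserted between `abrtd.service` and `abrt-journal-core.service`, breaking the alphabetical order of this `exception_key` list; move it to its sorted position among the `n` entries. A short reason comment would also help, since the trailing `400` field's meaning is not visible in this hunk and the unit description is free text. The IN list continues outside the hunk.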


@ -26,9 +26,7 @@ SELECT
',',
name,
',',
identifier,
',',
TRIM(CAST(permissions AS text))
identifier
) AS exception_key,
hash.sha256
FROM
@ -38,6 +36,7 @@ FROM
LEFT JOIN hash ON chrome_extensions.path = hash.path
WHERE
(
-- These extensions need the most review.
from_webstore != 'true'
OR perms LIKE '%google.com%'
OR perms LIKE '%chainguard%'
@ -50,164 +49,148 @@ WHERE
)
AND enabled = 1
AND exception_key NOT IN (
'false,Anthony Feddersen - Chainguard, Inc.,Chainguard On-Call Chrome Extension,,background', -- TODO: Move to local exceptions list once osqtool supports them
'false,,base64 encode or decode selected text,,contextMenus',
'false,,Google Chat,chfbpgnooceecdoohagngmjnndbbaeip,', -- Deprecated Google Extension
'false,,Google Chat,mdpkiolbdkhdjpekfbkbmhigcaggjagi,', -- Deprecated Google Extension
'false,,Google Cloud,gmdcbpephenfeelhagpbceidhdbobfpk,', -- Deprecated Google Extension
'false,,Google Drive,aghbiahbpaijignceidepookljebhfak,', -- Deprecated Google Extension
'false,,Google Photos,ncmjhecbjeaamljdfahankockkkdmedg,', -- Deprecated Google Extension
'false,julienv3@gmail.com,treasure-clicker,,',
'false,juverm@chainguard.dev,auto-close-gitsign,,',
'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml,', -- Deprecated Google Extension
'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb,storage, tabs',
'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk,storage, unlimitedStorage, webRequest, webRequestBlocking, <all_urls>',
'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, <all_urls>, contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
'true,,Add to Amazon Wish List,ciagpekplgpbepdgggflgmahnjgiaced,tabs, http://*/*, https://*/*',
'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, <all_urls>, tabs, downloads, nativeMessaging, webRequest, storage, webRequestBlocking',
'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, <all_urls>, tabs, downloads, nativeMessaging, webRequest, webRequestBlocking',
'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, tabs, downloads, nativeMessaging, webRequest, webNavigation, storage, scripting, alarms, declarativeNetRequest',
'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk,contextMenus, nativeMessaging, storage, tabs, webRequest, webRequestBlocking, http://*/*, https://*/*',
'true,AgileBits,1Password Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa,<all_urls>, alarms, contextMenus, downloads, idle, management, nativeMessaging, notifications, privacy, tabs, webNavigation, webRequest, webRequestBlocking',
'true,AgileBits,1Password Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa,<all_urls>, contextMenus, downloads, idle, management, nativeMessaging, notifications, privacy, tabs, webNavigation, webRequest, webRequestBlocking',
'true,Alexander Shutau,Dark Reader,eimadpbcbfnmbkopoojfekhnkhdbieeh,alarms, fontSettings, storage, tabs, <all_urls>',
'true,All uBlock contributors,uBlock - free ad blocker,epcnnfbjfcgphgdmggkamkmgojdagdnn,contextMenus, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, <all_urls>',
'true,,Application Launcher For Drive (by Google),lmjegmlicamnimmfhcmpkclmigmmcbeh,nativeMessaging, https://docs.google.com/*, https://drive.google.com/*',
'true,,Bardeen - automate manual work,ihhkmalpkhkoedlmcnilbbhhbhnicjga,activeTab, alarms, bookmarks, contextMenus, history, notifications, scripting, storage, tabs, tts, unlimitedStorage, webNavigation',
'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga,activeTab, alarms, bookmarks, contextMenus, history, notifications, scripting, storage, tabs, tts, unlimitedStorage, webNavigation',
'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga,<all_urls>, webNavigation, unlimitedStorage, notifications, activeTab, tabs, storage, *://*/*, history, bookmarks, contextMenus',
'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, <all_urls>, contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb,tabs, contextMenus, storage, unlimitedStorage, clipboardRead, clipboardWrite, idle, http://*/*, https://*/*, webRequest, webRequestBlocking',
'true,,BrowserStack Local,mfiddfehmfdojjfdpfngagldgaaafcfo,https://*.bsstag.com/*, https://*.browserstack.com/*, , clipboardWrite, app.window, storage',
'true,CAD Team,Cookie AutoDelete,fhcgjolkccmbidfldomjliifgaodjagh,activeTab, alarms, browsingData, contextMenus, cookies, notifications, storage, tabs, <all_urls>',
'true,,Canvas Blocker - Fingerprint Protect,nomnklagbgmgghhjidfhnoelnjfndfpd,*://*/*, notifications, storage, webNavigation, contextMenus',
'true,,Capital One Shopping: Add to Chrome for Free,nenlahapcbofgnanklpelkaejcehkggg,alarms, tabs, contextMenus, storage, cookies, webRequest, webRequestBlocking, <all_urls>',
'true,,Capital One Shopping: Add to Chrome for Free,nenlahapcbofgnanklpelkaejcehkggg,tabs, contextMenus, storage, cookies, webRequest, webRequestBlocking, <all_urls>',
'true,,Caret,fljalecfjciodhpcledpamjachpmelml,clipboardRead, clipboardWrite, contextMenus, storage, notifications, syncFileSystem, app.window.fullscreen.overrideEsc,',
'true,chromeos-recovery-tool-admin@google.com,Chromebook Recovery Utility,jndclpdbaamdhonoechobihbbiimdgai,https://dl.google.com/dl/edgedl/chromeos/recovery/recovery2.json, https://dl.google.com/dl/edgedl/chromeos/recovery/cloudready_recovery2.json, https://www.google-analytics.com/, chromeosInfoPrivate, feedbackPrivate, fileSystem, imageWriterPrivate, metricsPrivate, storage',
'true,,Chrome RDP for Google Cloud Platform,mpbbnannobiobpnfblimoapbephgifkm,clipboardRead, clipboardWrite, unlimitedStorage, storage, notifications, overrideEscFullscreen,',
'true,,Chrome Remote Desktop,inomeogfingihgjfjlpeplalcfajhgai,clipboardRead, clipboardWrite, nativeMessaging, downloads, downloads.open',
'true,,Chrome Web Store Payments,nmmhkkegccagdldgiimedpiccmgmieda,identity, webview, https://www.google.com/, https://www.googleapis.com/*, https://payments.google.com/payments/v4/js/integrator.js, https://sandbox.google.com/payments/v4/js/integrator.js',
'true,,Clear Cache,cppjkneekbjaeellbfkmgnhonkkjfpdn,browsingData, cookies, <all_urls>',
'true,,ClickUp: Tasks, Screenshots, Email, Time,pliibjocnfmkagafnbkfcimonlnlpghj,alarms, identity, storage, unlimitedStorage, tabs, activeTab, notifications, contextMenus, downloads, <all_urls>, http://*/*, https://*/*',
'true,,Clockify Time Tracker,pmjeegjhjdlccodhacdgbgfagbpmccpe,background, contextMenus, storage, tabs, activeTab, identity, idle, notifications, scripting, alarms',
'true,Clockwise Inc.,Clockwise: Team Time & Calendar Management,hjcneejoopafkkibfbcaeoldpjjiamog,activeTab, https://calendar.google.com/calendar/*',
'true,,Cloud9,nbdmccoknlfggadpfkmcpnamfnbkmkcp,clipboardRead, clipboardWrite',
'true,,Cloud Vision,nblmokgbialjjgfhfofbgfcghhbkejac,clipboardWrite, contextMenus, notifications, file://*, <all_urls>',
'true,,coLaboratory Notebook,pianggobfjcgeihlmfhfgkfalopndooo,identity, , webview, , unlimitedStorage, storage, clipboardRead, clipboardWrite,',
'true,,ColorPick Eyedropper,ohcpnigalekghcmgcdcenkpelffpdolg,activeTab, tabs, <all_urls>, storage, alarms',
'true,,Copper CRM for Gmail,hpfmedbkgaakgagknibnonpkimkibkla,declarativeNetRequest, scripting, storage, tabs, webRequest, notifications',
'true,,Copper CRM for Gmail,hpfmedbkgaakgagknibnonpkimkibkla,https://app.copper.com/, *://*.googleusercontent.com/proxy/*, *://calendar.google.com/*, *://mail.google.com/*, notifications, storage, tabs, webRequest, webRequestBlocking',
'true,,Copper CRM for Gmail,hpfmedbkgaakgagknibnonpkimkibkla,https://app.copper.com/, webRequest, webRequestBlocking, *://mail.google.com/*, tabs, storage, notifications, *://calendar.google.com/*',
'true,,CSS Scan,gieabiemggnpnminflinemaickipbebg,storage, activeTab, <all_urls>, contextMenus, clipboardWrite',
"true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja,tabs, storage, http://*/*, https://*/*, notifications, webRequest, webRequestBlocking, webNavigation",
'true,,Datanyze Chrome Extension,mlholfadgbpidekmhdibonbjhdmpmafd,tabs, cookies, scripting, storage',
'true,,DEPRECATED Secure Shell App,pnhechapfaindjhompbnflcldabbghjo,clipboardRead, clipboardWrite, idle, notifications, storage, terminalPrivate, unlimitedStorage, fileSystemProvider, accessibilityFeatures.read, crashReportPrivate, metricsPrivate',
'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg,contextMenus, webRequest, webRequestBlocking, *://*/*, webNavigation, activeTab, tabs, storage, <all_urls>, alarms',
'true,,EditThisCookie,fngmhnnpilhplaeedifhccceomclgfbg,tabs, <all_urls>, cookies, contextMenus, notifications, clipboardWrite, webRequest, webRequestBlocking',
'true,,Endpoint Verification,callobklhcbilhphinckomhgkigmfocg,cookies, idle, nativeMessaging, storage, *://*.google.com/*, download, enterprise.reportingPrivate, browsingData, enterprise.deviceAttributes, enterprise.platformKeys, gcm, identity, identity.email, platformKeys',
'true,,Eno® from Capital One®,clmkdohmabikagpnhjmgacbclihgmdje,activeTab, tabs, storage, cookies, webRequest, webRequestBlocking, https://*.capitalone.com/*, http://*.capitalone.com/*',
'true,,Espruino Web IDE,bleoifhkdalbjfbobjackfdifdneehpo,serial, audioCapture, videoCapture, , storage, http://*/, https://*/',
'true,,Event Merge for Google Calendar™,idehaflielbgpaokehlhidbjlehlfcep,https://www.google.com/calendar/*, https://calendar.google.com/*, storage',
'true,ExpressVPN,ExpressVPN: VPN proxy for a better internet,fgddmllnllkalaagkghckoinaemmogpe,cookies, nativeMessaging, privacy, storage, webRequest, webRequestBlocking, tabs, unlimitedStorage, notifications, <all_urls>',
'true,eyeo GmbH,Adblock Plus - free ad blocker,cfhdojbkjhnklbpkdaibdccddilifddb,<all_urls>, contextMenus, notifications, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking',
'true,,Facebook Pixel Helper,fdgfkebogiimcoedlicjlajpkdmockpc,tabs, webNavigation, webRequest, webRequestBlocking, storage, identity, *://*/*, clipboardWrite',
'true,,Google Analytics Parameter Stripper,jbgedkkfkohoehhkknnmlodlobbhafge,webNavigation, <all_urls>',
'true,,Google Docs Offline,ghbmnnjooekpmoecnnnilnnbdlolhkhi,alarms, storage, unlimitedStorage, https://docs.google.com/*, https://drive.google.com/*',
'true,,Google Drive,apdfllckaahabafndbhieahigkjlhalf,clipboardRead, clipboardWrite, notifications',
'true,,Google Hangouts,nckgahadagoaajjgafhacjanaoiihapd,alarms, background, cookies, idle, notifications, storage, system.display, tabs, *://*.google.com/*',
'true,,Google Keep Chrome Extension,lpcaedmchfhocbbapmcbpinfpgnhiddi,activeTab, identity, identity.email, contextMenus, file://*/*, http://*/, https://*/, storage, tabs, unlimitedStorage',
'true,,Google Keep Chrome Extension,lpcaedmchfhocbbapmcbpinfpgnhiddi,activeTab, identity, identity.email, contextMenus, storage, tabs, unlimitedStorage, scripting',
'true,,Google Keep - Notes and Lists,hmjkmjkepdijhoojdojkdfohbdgmmhki,fileSystem, identity, identity.email, storage, unlimitedStorage, https://*.googleapis.com/, https://keep.google.com/media/, https://*.googleusercontent.com/, https://*.client-channel.google.com/client-channel, https://clients4.google.com/client-channel/client, https://www.google-analytics.com/, https://www.google.com/, https://play.google.com/log, geolocation, management, notifications',
'true,,Google Mail Checker,mihcahmgecmbnbcchbopgniflfhgnkff,alarms, tabs, webNavigation, *://*.google.com/',
'true,,Google Optimize,bhdplaindhdkiflmbfbciehdccfhegci,storage, debugger, webRequest, webRequestBlocking, tabs, http://*/, https://*/',
'true,,Google Play Books,mmimngoggfoobjdlefbcabngfnmieonb,clipboardWrite, unlimitedStorage',
'true,,Grammarly: Grammar Checker and Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen,http://*/*, https://*/*, tabs, notifications, cookies, storage',
'true,,Grammarly: Grammar Checker and Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen,scripting, tabs, notifications, cookies, storage',
'true,,GSConnect,jfnifeihccihocjbfcfhicmmgpjicaec,nativeMessaging, tabs, contextMenus',
'true,Guilherme Nascimento,Prevent Duplicate Tabs,eednccpckdkpojaiemedoejdngappaag,tabs',
'true,,Honey: Automatic Coupons & Cash Back,bmnlcjabgnpnenekpadlanbbkooimhnj,cookies, storage, unlimitedStorage, webRequest, webRequestBlocking, http://*/*, https://*/*',
'true,,Honey: Automatic Coupons & Rewards,bmnlcjabgnpnenekpadlanbbkooimhnj,cookies, storage, unlimitedStorage, webRequest, webRequestBlocking, http://*/*, https://*/*',
'true,,HTTPS Everywhere,gcbommkclmclpchllfjekcdonpmejbdp,webNavigation, webRequest, webRequestBlocking, tabs, cookies, storage, *://*/*, ftp://*/*',
'true,https://metamask.io,MetaMask,nkbihfbeogaeaoehlefnkodbefgpgknn,storage, unlimitedStorage, clipboardWrite, http://localhost:8545/, https://*.infura.io/, https://chainid.network/chains.json, https://lattice.gridplus.io/*, activeTab, webRequest, *://*.eth/, notifications',
'true,James Anderson,LeechBlock NG,blaaajhemilngeeffpbfkdjjoefldkok,downloads, contextMenus, storage, tabs, unlimitedStorage, webNavigation',
'true,,Jitsi Meetings,kglhbbefdnlheedjiejgomgmfplipfeb,https://calendar.google.com/*',
'true,,JSON Formatter,bcjindcccaagfpapjjmafapmmgkkhgoa,*://*/*, <all_urls>',
'true,Kas Elvirov,GitHub Gloc,kaodcnpebhdbpaeeemkiobcokcnegdki,storage, *://*.github.com/*',
'true,Keepa GmbH,Keepa - Amazon Price Tracker,neebplgakaahbhdphmkckjjcegoiijjo,storage, cookies, contextMenus, *://*.keepa.com/*, *://*.amazon.com/*, *://*.amzn.com/*, *://*.amazon.co.uk/*, *://*.amazon.de/*, *://*.amazon.fr/*, *://*.amazon.it/*, *://*.amazon.ca/*, *://*.amazon.com.mx/*, *://*.amazon.es/*, *://*.amazon.co.jp/*, *://*.amazon.in/*, *://*.amazon.com.br/*, *://*.amazon.nl/*, *://*.amazon.com.au/*',
'true,LastPass,LastPass: Free Password Manager,hdokiejnpimakedhajhdlcegeplioahd,tabs, idle, notifications, contextMenus, unlimitedStorage, webRequest, webNavigation, webRequestBlocking, http://*/*, https://*/*, chrome://favicon/*',
'true,Leadjet,Leadjet - Make your CRM work on LinkedIn,kojhcdejfimplnokhhhekhiapceggamn,storage, tabs, cookies',
'true,,Lolli: Earn Bitcoin When You Shop,fleenceagaplaefnklabikkmocalkcpo,<all_urls>, tabs, webNavigation, webRequest',
'true,,Loom Free Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb,<all_urls>, tabCapture, webNavigation, activeTab, contextMenus, storage, tabs, desktopCapture, notifications, cookies, *://*.useloom.com/, *://*.loom.com/, http://localhost/*',
'true,,Loom Free Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb,tabCapture, webNavigation, activeTab, contextMenus, storage, tabs, desktopCapture, notifications, cookies, *://*.useloom.com/, *://*.loom.com/, http://localhost/*',
'true,,Loom Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb,<all_urls>, tabCapture, webNavigation, activeTab, contextMenus, storage, tabs, desktopCapture, notifications, cookies, *://*.useloom.com/, *://*.loom.com/, http://localhost/*',
'true,,Lucidchart Diagrams,apboafhkiegglekeafbckfjldecefkhn,unlimitedStorage, notifications, clipboardRead, clipboardWrite',
'true,,Markdown Preview Plus,febilkbfcbhebfnokafefeacimjdckgl,storage, clipboardWrite, <all_urls>',
'true,Marker.io,Marker.io: Visual bug reporting for websites,jofhoojcehdmaiibilpcoofpdbbddkkl,<all_urls>, notifications, contextMenus, desktopCapture',
'true,,Meta Pixel Helper,fdgfkebogiimcoedlicjlajpkdmockpc,storage, tabs, activeTab, webRequest, unlimitedStorage, webNavigation',
'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka,tabs, background, webNavigation, storage, <all_urls>, webRequest, webRequestBlocking, downloads, notifications',
'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka,tabs, background, webNavigation, storage, scripting, alarms, webRequest, declarativeNetRequest, declarativeNetRequestFeedback, downloads, notifications',
'true,,NoScript,doojmbjmlfjjnbmnoijecmcbfeoakpjm,contextMenus, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, <all_urls>',
'true,,Notion Web Clipper,knheggckgoiihginacbkhaalnibhilkk,activeTab, storage, cookies',
'true,,Office Editing for Docs, Sheets & Slides,gbkeegbaiigmenfmjfclcdgdpimamgkj,clipboardRead, clipboardWrite, cookies, downloads, *://*.google.com/*, fileSystem, fileSystem.write, https://www.google-analytics.com/, https://www.googleapis.com/, identity, identity.email, metricsPrivate, storage, unlimitedStorage',
'true,,Okta Browser Plugin,glnpjglilkicbckjpbgcfkogebgllemb,tabs, cookies, https://*/, http://*/, storage, unlimitedStorage, webRequest, webRequestBlocking, webNavigation',
'true,,OneTab,chphlpgkkbolifaimnlloiipkdnihall,chrome://favicon/, unlimitedStorage, storage, tabs, contextMenus, activeTab',
'true,Opera Software AS,Rich Hints Agent,enegjkbbakeegngfapepobipndnebkdk,boosterPrivate, cashbackPrivate, browserSidebarPrivate, downloads, history, limitersPrivate, management, operaBrowserPrivate, powerSavePrivate, richHintsAgentPrivate, settingsPrivate, speeddialPrivate, storage, tabs, uiTrackerPrivate, vpnProPrivate, windows, http://*/, https://*/',
'true,Opera Software AS,Rich Hints Agent,enegjkbbakeegngfapepobipndnebkdk,boosterPrivate, cashbackPrivate, browserSidebarPrivate, downloads, history, limitersPrivate, management, operaBrowserPrivate, powerSavePrivate, richHintsAgentPrivate, settingsPrivate, speeddialPrivate, storage, tabs, uiTrackerPrivate, windows, http://*/, https://*/',
'true,,Outbrain Pixel Tracker,daebadnaphbiobojnpgcenlkgpihmbdc,webRequest, http://*/*, https://*/*, tabs',
'true,,Page Analytics (by Google),fnbdnhhicmebfgdgglcdacdapkcihcoh,storage, https://www.googleapis.com/, tabs, *://*/*, background, cookies, *://*.google.com/*, webNavigation, webRequest, *://*.google-analytics.com/*, *://stats.g.doubleclick.net/*',
'true,,Password Alert,noondiphcddnnabmjcihcjfbhfklnnep,identity, identity.email, notifications, storage, tabs, <all_urls>',
'true,Pawel Psztyc,Advanced REST client,hgmloofddffdnphfgcellkdfbfbjeloo,<all_urls>, storage, unlimitedStorage, identity, syncFileSystem,',
'true,,Picture-in-Picture Extension (by Google),hkgfoiooedgoejojocmhlaklaeopbecg,<all_urls>, storage',
'true,,Playback Rate,jgmkoefgnppfpagkhifpialkkkgnfgag,contextMenus, tabs, <all_urls>',
'true,,PlayTo for Chromecast™,jngkenaoceimiimeokpdbmejeonaaami,storage, webRequest, <all_urls>, tabs, webRequestBlocking',
'true,,Postman,fhbjgbiflinjbdggehcddcbncdddomop,webview, system.display, http://*/*, https://*/*, contextMenus, unlimitedStorage, storage, fileSystem, fileSystem.write, notifications, identity,',
'true,,Privacy Badger,pkehgijcmpdhfbdbbnkijodmdjhbjlgp,tabs, http://*/*, https://*/*, webNavigation, webRequest, webRequestBlocking, storage, privacy',
'true,,Private Internet Access,jplnlifepflhkbkgonidnobkakhmpnmh,activeTab, storage, unlimitedStorage, cookies, webRequest, webRequestBlocking, proxy, privacy, contentSettings, alarms, background, downloads, <all_urls>',
'true,,QuillBot for Chrome,iidnbdjijdkbmajdffnidomddglmieko,alarms, cookies, storage, activeTab, contextMenus, notifications, scripting',
'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi,tabs, webNavigation, webRequest, storage, <all_urls>, cookies, alarms',
'true,Raymond Hill & contributors,uBlock Origin,cjpalhdlnbpafiamejdnhcphjbkeiagm,contextMenus, privacy, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, <all_urls>',
'true,,React Developer Tools,fmkadmapgofadopljbjfkapdkoienihi,file:///*, http://*/*, https://*/*',
'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm,tabs, activeTab, contextMenus, http://*/*, https://*/*, storage',
'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm,tabs, activeTab, contextMenus, storage, scripting',
'true,,Readwise Highlighter,jjhefcfhmnkfeepcpnilbbkaadhngkbi,<all_urls>, activeTab, background, contextMenus, notifications, storage, tabs, unlimitedStorage',
'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb,https://*.reddit.com/*, tabs, history, storage, unlimitedStorage, webRequest',
'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd,tabs, http://*/*, https://*/*, storage',
'true,,Save to Google Drive,gmbmikajjgmnabiglmofipeabaddhgne,contextMenus, identity, printerProvider, notifications, pageCapture, storage, tabs, webRequest, <all_urls>',
'true,,Save to Pocket,niloccemoadcdkdjlinkgdfekeahmflj,tabs, contextMenus, cookies, storage',
'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd,clipboardRead, clipboardWrite, contextMenus, idle, notifications, storage, terminalPrivate, unlimitedStorage, fileSystemProvider, accessibilityFeatures.read',
'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd,clipboardRead, clipboardWrite, contextMenus, idle, notifications, storage, terminalPrivate, unlimitedStorage, fileSystemProvider, accessibilityFeatures.read, crashReportPrivate, metricsPrivate',
'true,,Selenium IDE,mooikfkahbdckldjjndioackbalphokd,tabs, activeTab, contextMenus, downloads, webNavigation, storage, debugger, <all_urls>',
'true,,Send to Kindle for Google Chrome™,cgdjpilhipecahhcilnafpblkieebhea,tabs, activeTab, storage, unlimitedStorage, alarms, scripting',
'true,,Send to Kindle for Google Chrome™,cgdjpilhipecahhcilnafpblkieebhea,tabs, <all_urls>, storage, unlimitedStorage',
'true,,Session Buddy,edacconmaakjimmfgnblocblbcdcpbko,tabs, unlimitedStorage',
'true,,Simple Tab Sorter,cgfpgnepljlgenjclbekbjdlgcodfmjp,tabs, storage',
'true,,Slack,jeogkiiogjbmhklcnbgkdcjoioegiknm,unlimitedStorage, notifications, clipboardRead, clipboardWrite',
'true,,SSH for Google Cloud Platform,ojilllmhjhibplnppnamldakhpmdnibd,clipboardRead, clipboardWrite',
'true,,Super Dark Mode,nlgphodeccebbcnkgmokeegopgpnjfkc,storage, <all_urls>, contextMenus',
'true,,Superhuman,dcgcnpooblobhncpnddnhoendgbnglpn,background, gcm, notifications, storage, system.cpu, system.display, system.memory, tabs, unlimitedStorage, <all_urls>',
'true,,Tabli,igeehkedfibbnhbfponhjjplpkeomghi,storage, tabs, bookmarks, chrome://favicon/*',
'true,,Tab Wrangler,egnjhciaieeiiohknchakcodbpgjnchh,contextMenus, sessions, storage, tabs',
'true,,Tag Assistant Legacy (by Google),kejbdjndbnbjgmefkgdddjlbokphdefk,identity, storage, tabs, webNavigation, webRequestBlocking, webRequest, http://*/, https://*/',
'true,Thomas Rientjes,Decentraleyes,ldpochfccmkkmhdbclfhpagapcfdljkj,*://*/*, privacy, storage, unlimitedStorage, webNavigation, webRequest, webRequestBlocking',
'true,,Todoist for Chrome,jldhpllghnbhlbpcmnajkpdmadaolakh,storage, tabs, contextMenus, webRequest, webRequestBlocking, http://*.todoist.com/*, https://*.todoist.com/*, background, declarativeNetRequestWithHostAccess',
'true,Tomas Popela, tpopela@redhat.com,Fedora User Agent,hojggiaghnldpcknpbciehjcaoafceil,webRequest, webRequestBlocking, *://*/*, ws://*/*, wss://*/*',
'true,Tulio Ornelas <ornelas.tulio@gmail.com>,JSON Viewer,gbmdgpbipfallnflgajpaliibnhdgobh,*://*/*, <all_urls>',
'true,,Ubiquiti Device Discovery Tool,hmpigflbjeapnknladcfphgkemopofig,system.network, clipboardRead, clipboardWrite, notifications, storage, unlimitedStorage,',
'true,,uBlock,epcnnfbjfcgphgdmggkamkmgojdagdnn,tabs, <all_urls>, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage',
'true,,UET Tag Helper (by Microsoft Advertising),naijndjklgmffmpembnkfbcjbognokbf,activeTab, downloads, tabs, webNavigation, webRequest, http://*/, https://*/',
'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg,storage, unlimitedStorage, tabs, webRequest, webRequestBlocking, http://spoofer-extension.appspot.com/, https://spoofer-extension.appspot.com/, <all_urls>',
'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki,clipboardWrite, contextMenus, notifications',
'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke,activeTab, storage, tabs, identity, https://maps.googleapis.com/*, https://*.vimcal.com/*, webNavigation, <all_urls>, background, history',
'true,Vimeo,Vimeo Record - Screen & Webcam Recorder,ejfmffkmeigkphomnpabpdabfddeadcb,<all_urls>, storage, cookies, notifications, desktopCapture, tabCapture, contextMenus, *://*.vimeo.com/',
'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, clipboardRead, storage, sessions, notifications, webNavigation, <all_urls>',
'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, storage, sessions, notifications, webNavigation, <all_urls>',
'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd,<all_urls>, storage',
'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webNavigation, webRequest',
'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webRequest, webNavigation, http://*/*, https://*/*',
'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb,<all_urls>, proxy, management, tabs, webRequest, webRequestBlocking, activeTab, storage, unlimitedStorage, contextMenus, privacy, webNavigation, notifications, cookies',
'true,,WiseStamp email signature,pbcgnkmbeodkmiijjfnliicelkjfcldg,*://*.wisestamp.com/*, http://local.wisestamp.com:9081/*, https://local.wisestamp.com:8080/*, cookies',
'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle,unlimitedStorage, https://www.google.com/calendar/*, https://www.google.com/recaptcha/*, https://www.gstatic.com/recaptcha/*, https://calendar.google.com/calendar/*, https://*.zoom.us/*, https://*.zoom.com/*'
'false,Anthony Feddersen - Chainguard, Inc.,Chainguard On-Call Chrome Extension,',
'false,,base64 encode or decode selected text,',
'false,,Google Chat,chfbpgnooceecdoohagngmjnndbbaeip', -- Deprecated Google Extension
'false,,Google Chat,mdpkiolbdkhdjpekfbkbmhigcaggjagi', -- Deprecated Google Extension
'false,,Google Cloud,gmdcbpephenfeelhagpbceidhdbobfpk', -- Deprecated Google Extension
'false,,Google Drive,aghbiahbpaijignceidepookljebhfak', -- Deprecated Google Extension
'false,,Google Photos,ncmjhecbjeaamljdfahankockkkdmedg', -- Deprecated Google Extension
'false,julienv3@gmail.com,treasure-clicker,',
'false,juverm@chainguard.dev,auto-close-gitsign,',
'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml', -- Deprecated Google Extension
'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',
'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk',
'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
'true,,Add to Amazon Wish List,ciagpekplgpbepdgggflgmahnjgiaced',
'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj',
'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk',
'true,AgileBits,1Password Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa',
'true,Alexander Shutau,Dark Reader,eimadpbcbfnmbkopoojfekhnkhdbieeh',
'true,All uBlock contributors,uBlock - free ad blocker,epcnnfbjfcgphgdmggkamkmgojdagdnn',
'true,,Application Launcher For Drive (by Google),lmjegmlicamnimmfhcmpkclmigmmcbeh',
'true,,Bardeen - automate manual work,ihhkmalpkhkoedlmcnilbbhhbhnicjga',
'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga',
'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb',
'true,,BrowserStack Local,mfiddfehmfdojjfdpfngagldgaaafcfo',
'true,CAD Team,Cookie AutoDelete,fhcgjolkccmbidfldomjliifgaodjagh',
'true,,Canvas Blocker - Fingerprint Protect,nomnklagbgmgghhjidfhnoelnjfndfpd',
'true,,Capital One Shopping: Add to Chrome for Free,nenlahapcbofgnanklpelkaejcehkggg',
'true,,Caret,fljalecfjciodhpcledpamjachpmelml',
'true,chromeos-recovery-tool-admin@google.com,Chromebook Recovery Utility,jndclpdbaamdhonoechobihbbiimdgai',
'true,,Chrome RDP for Google Cloud Platform,mpbbnannobiobpnfblimoapbephgifkm',
'true,,Chrome Remote Desktop,inomeogfingihgjfjlpeplalcfajhgai',
'true,,Chrome Web Store Payments,nmmhkkegccagdldgiimedpiccmgmieda',
'true,,Clear Cache,cppjkneekbjaeellbfkmgnhonkkjfpdn',
'true,,ClickUp: Tasks, Screenshots, Email, Time,pliibjocnfmkagafnbkfcimonlnlpghj',
'true,,Clockify Time Tracker,pmjeegjhjdlccodhacdgbgfagbpmccpe',
'true,Clockwise Inc.,Clockwise: Team Time & Calendar Management,hjcneejoopafkkibfbcaeoldpjjiamog',
'true,,Cloud9,nbdmccoknlfggadpfkmcpnamfnbkmkcp',
'true,,Cloud Vision,nblmokgbialjjgfhfofbgfcghhbkejac',
'true,,coLaboratory Notebook,pianggobfjcgeihlmfhfgkfalopndooo',
'true,,ColorPick Eyedropper,ohcpnigalekghcmgcdcenkpelffpdolg',
'true,,Copper CRM for Gmail,hpfmedbkgaakgagknibnonpkimkibkla',
'true,,CSS Scan,gieabiemggnpnminflinemaickipbebg',
"true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja",
'true,,Datanyze Chrome Extension,mlholfadgbpidekmhdibonbjhdmpmafd',
'true,,DEPRECATED Secure Shell App,pnhechapfaindjhompbnflcldabbghjo',
'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg',
'true,,EditThisCookie,fngmhnnpilhplaeedifhccceomclgfbg',
'true,,Endpoint Verification,callobklhcbilhphinckomhgkigmfocg',
'true,,Eno® from Capital One®,clmkdohmabikagpnhjmgacbclihgmdje',
'true,,Espruino Web IDE,bleoifhkdalbjfbobjackfdifdneehpo',
'true,,Event Merge for Google Calendar™,idehaflielbgpaokehlhidbjlehlfcep',
'true,ExpressVPN,ExpressVPN: VPN proxy for a better internet,fgddmllnllkalaagkghckoinaemmogpe',
'true,eyeo GmbH,Adblock Plus - free ad blocker,cfhdojbkjhnklbpkdaibdccddilifddb',
'true,,Facebook Pixel Helper,fdgfkebogiimcoedlicjlajpkdmockpc',
'true,,Github Absolute Dates,iepecohjelcmdnahbddleblfphbaheno',
'true,,Google Analytics Parameter Stripper,jbgedkkfkohoehhkknnmlodlobbhafge',
'true,,Google Docs Offline,ghbmnnjooekpmoecnnnilnnbdlolhkhi',
'true,,Google Drive,apdfllckaahabafndbhieahigkjlhalf',
'true,,Google Hangouts,nckgahadagoaajjgafhacjanaoiihapd',
'true,,Google Keep Chrome Extension,lpcaedmchfhocbbapmcbpinfpgnhiddi',
'true,,Google Keep - Notes and Lists,hmjkmjkepdijhoojdojkdfohbdgmmhki',
'true,,Google Mail Checker,mihcahmgecmbnbcchbopgniflfhgnkff',
'true,,Google Optimize,bhdplaindhdkiflmbfbciehdccfhegci',
'true,,Google Play Books,mmimngoggfoobjdlefbcabngfnmieonb',
'true,,Grammarly: Grammar Checker and Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
'true,,GSConnect,jfnifeihccihocjbfcfhicmmgpjicaec',
'true,Guilherme Nascimento,Prevent Duplicate Tabs,eednccpckdkpojaiemedoejdngappaag',
'true,,Honey: Automatic Coupons & Cash Back,bmnlcjabgnpnenekpadlanbbkooimhnj',
'true,,Honey: Automatic Coupons & Rewards,bmnlcjabgnpnenekpadlanbbkooimhnj',
'true,,HTTPS Everywhere,gcbommkclmclpchllfjekcdonpmejbdp',
'true,https://metamask.io,MetaMask,nkbihfbeogaeaoehlefnkodbefgpgknn',
'true,James Anderson,LeechBlock NG,blaaajhemilngeeffpbfkdjjoefldkok',
'true,,Jitsi Meetings,kglhbbefdnlheedjiejgomgmfplipfeb',
'true,,JSON Formatter,bcjindcccaagfpapjjmafapmmgkkhgoa',
'true,Kas Elvirov,GitHub Gloc,kaodcnpebhdbpaeeemkiobcokcnegdki',
'true,Keepa GmbH,Keepa - Amazon Price Tracker,neebplgakaahbhdphmkckjjcegoiijjo',
'true,LastPass,LastPass: Free Password Manager,hdokiejnpimakedhajhdlcegeplioahd',
'true,Leadjet,Leadjet - Make your CRM work on LinkedIn,kojhcdejfimplnokhhhekhiapceggamn',
'true,,Lolli: Earn Bitcoin When You Shop,fleenceagaplaefnklabikkmocalkcpo',
'true,,Loom Free Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb',
'true,,Loom Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb',
'true,,Lucidchart Diagrams,apboafhkiegglekeafbckfjldecefkhn',
'true,,Markdown Preview Plus,febilkbfcbhebfnokafefeacimjdckgl',
'true,Marker.io,Marker.io: Visual bug reporting for websites,jofhoojcehdmaiibilpcoofpdbbddkkl',
'true,,Meta Pixel Helper,fdgfkebogiimcoedlicjlajpkdmockpc',
'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka',
'true,,NoScript,doojmbjmlfjjnbmnoijecmcbfeoakpjm',
'true,,Notion Web Clipper,knheggckgoiihginacbkhaalnibhilkk',
'true,,Office Editing for Docs, Sheets & Slides,gbkeegbaiigmenfmjfclcdgdpimamgkj',
'true,,Okta Browser Plugin,glnpjglilkicbckjpbgcfkogebgllemb',
'true,,OneTab,chphlpgkkbolifaimnlloiipkdnihall',
'true,Opera Software AS,Rich Hints Agent,enegjkbbakeegngfapepobipndnebkdk',
'true,,Outbrain Pixel Tracker,daebadnaphbiobojnpgcenlkgpihmbdc',
'true,,Page Analytics (by Google),fnbdnhhicmebfgdgglcdacdapkcihcoh',
'true,,Password Alert,noondiphcddnnabmjcihcjfbhfklnnep',
'true,Pawel Psztyc,Advanced REST client,hgmloofddffdnphfgcellkdfbfbjeloo',
'true,,Picture-in-Picture Extension (by Google),hkgfoiooedgoejojocmhlaklaeopbecg',
'true,,Playback Rate,jgmkoefgnppfpagkhifpialkkkgnfgag',
'true,,PlayTo for Chromecast™,jngkenaoceimiimeokpdbmejeonaaami',
'true,,Postman,fhbjgbiflinjbdggehcddcbncdddomop',
'true,,Privacy Badger,pkehgijcmpdhfbdbbnkijodmdjhbjlgp',
'true,,Private Internet Access,jplnlifepflhkbkgonidnobkakhmpnmh',
'true,,QuillBot for Chrome,iidnbdjijdkbmajdffnidomddglmieko',
'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi',
'true,Raymond Hill & contributors,uBlock Origin,cjpalhdlnbpafiamejdnhcphjbkeiagm',
'true,,React Developer Tools,fmkadmapgofadopljbjfkapdkoienihi',
'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm',
'true,,Readwise Highlighter,jjhefcfhmnkfeepcpnilbbkaadhngkbi',
'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb',
'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd',
'true,,Save to Google Drive,gmbmikajjgmnabiglmofipeabaddhgne',
'true,,Save to Pocket,niloccemoadcdkdjlinkgdfekeahmflj',
'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd',
'true,,Selenium IDE,mooikfkahbdckldjjndioackbalphokd',
'true,,Send to Kindle for Google Chrome™,cgdjpilhipecahhcilnafpblkieebhea',
'true,,Session Buddy,edacconmaakjimmfgnblocblbcdcpbko',
'true,,Simple Tab Sorter,cgfpgnepljlgenjclbekbjdlgcodfmjp',
'true,,Slack,jeogkiiogjbmhklcnbgkdcjoioegiknm',
'true,,SSH for Google Cloud Platform,ojilllmhjhibplnppnamldakhpmdnibd',
'true,,Super Dark Mode,nlgphodeccebbcnkgmokeegopgpnjfkc',
'true,,Superhuman,dcgcnpooblobhncpnddnhoendgbnglpn',
'true,,Tabli,igeehkedfibbnhbfponhjjplpkeomghi',
'true,,Tab Wrangler,egnjhciaieeiiohknchakcodbpgjnchh',
'true,,Tag Assistant Legacy (by Google),kejbdjndbnbjgmefkgdddjlbokphdefk',
'true,Thomas Rientjes,Decentraleyes,ldpochfccmkkmhdbclfhpagapcfdljkj',
'true,,Todoist for Chrome,jldhpllghnbhlbpcmnajkpdmadaolakh',
'true,Tomas Popela, tpopela@redhat.com,Fedora User Agent,hojggiaghnldpcknpbciehjcaoafceil',
'true,Tulio Ornelas <ornelas.tulio@gmail.com>,JSON Viewer,gbmdgpbipfallnflgajpaliibnhdgobh',
'true,,Ubiquiti Device Discovery Tool,hmpigflbjeapnknladcfphgkemopofig',
'true,,uBlock,epcnnfbjfcgphgdmggkamkmgojdagdnn',
'true,,UET Tag Helper (by Microsoft Advertising),naijndjklgmffmpembnkfbcjbognokbf',
'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg',
'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki',
'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke',
'true,Vimeo,Vimeo Record - Screen & Webcam Recorder,ejfmffkmeigkphomnpabpdabfddeadcb',
'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb',
'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd',
'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg',
'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb',
'true,,WiseStamp email signature,pbcgnkmbeodkmiijjfnliicelkjfcldg',
'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle'
)
GROUP BY
exception_key
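Review bot: Dropping `TRIM(CAST(permissions AS text))` from `exception_key` in the first hunk means an already-exempted extension that later gains permissions (for example a webstore update that adds `nativeMessaging` or `<all_urls>`) will no longer be surfaced, so the maintainability gain is paid for with detection of permission creep. Consider keeping `perms` among the projected columns so reviewers still see them, or adding a second, non-exempted predicate for the highest-risk permissions along the lines of the `perms LIKE` clauses already in the WHERE. Separately, entries with `from_webstore` = `false` now carry an empty identifier field (e.g. `'false,,base64 encode or decode selected text,'`), so they match on author and name alone, both of which come from the extension's own manifest; since `hash.sha256` is already joined, sideloaded exceptions would be more robust keyed on that. The `-- TODO: Move to local exceptions list once osqtool supports them` comment on the Chainguard On-Call entry was lost in the rewrite and should be carried over.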


@ -13,7 +13,9 @@ SELECT
p.pid,
p.name,
p.path,
p.cmdline,
p.cmdline AS p0_cmd,
p_p.cmdline AS p1_cmd,
p_p_p.cmdline AS p2_cmd,
p.cgroup_path,
datetime(file.mtime, 'unixepoch') AS mtime,
p.cwd,
@ -30,6 +32,8 @@ SELECT
FROM
listening_ports lp
LEFT JOIN processes p ON lp.pid = p.pid
LEFT JOIN processes p_p ON p.parent = p_p.pid
LEFT JOIN processes p_p_p ON p_p.parent = p_p_p.pid
LEFT JOIN file ON p.path = file.path
LEFT JOIN hash ON p.path = hash.path
WHERE
@ -167,5 +171,6 @@ WHERE
)
-- Exclude processes running inside of Docker containers
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
AND NOT p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
GROUP BY
exception_key
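Review bot: The comment `-- Exclude processes running inside of Docker containers` now sits above two exclusions, the second being the new nerdctl cgroup pattern; update it to `-- Exclude processes running inside of Docker or nerdctl containers` so the intent of the new LIKE is documented. Both exclusions silently drop every listener inside a container from this query, which is presumably intended, but that trade-off deserves a sentence in the same comment. The new `p_p`/`p_p_p` joins add `p1_cmd`/`p2_cmd` to a query that ends in `GROUP BY exception_key`; if this is SQLite (the `datetime(..., 'unixepoch')` call suggests so), these non-aggregated columns come from an arbitrary row of each group, which matches how the existing `p0_cmd` behaves but is worth a note if the grandparent cmdlines are meant to be relied on. The SELECT list and WHERE clause are split across hunks, and the exception list between them is outside the visible lines.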


@ -39,6 +39,7 @@ WHERE
'/usr/bin/doas',
'/usr/bin/fusermount',
'/usr/bin/fusermount3',
'/usr/libexec/Xorg',
'/usr/bin/login',
'/usr/bin/su',
'/usr/bin/sudo',
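Review bot: `'/usr/libexec/Xorg'` is inserted between `/usr/bin/fusermount3` and `/usr/bin/login`, breaking what appears to be a path-sorted list; placing it after the `/usr/bin/` entries keeps the list scannable. A short trailing comment naming the distribution or configuration that produced the false positive (e.g. `'/usr/libexec/Xorg', -- <distro/setup that triggered this>`) would help future maintainers judge whether the exception is still needed. The enclosing NOT IN list starts and ends outside the hunk.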


@ -37,6 +37,7 @@ WHERE
AND p.path NOT IN (
'',
'/bin/ps',
'/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service',
'/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_session_monitor',
'/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
'/usr/bin/login',