Merge pull request #129 from tstromberg/fp3

False positives: Chrome extensions, Steam games, tmp files, Photoshop

detection/c2/unexpected-https-client-linux.sql

@@ -199,6 +199,7 @@ WHERE
     '500,/usr/lens,0u,0g,lens',
     '500,/usr/melange,u,g,melange',
     '500,/usr/nautilus,0u,0g,nautilus',
+    '500,/home/Melvor Idle,500u,500g,exe',
     '500,/usr/nix,0u,0g,nix',
     '500,/usr/node,0u,0g,node',
     '500,/usr/node,0u,0g,.node2nix-wrapp',

detection/c2/unexpected-talkers-linux.sql

@@ -130,6 +130,7 @@ WHERE
     '80,6,0,/usr/python3.10,0u,0g,yum',
     '80,6,0,/usr/python3.11,0u,0g,dnf',
     '80,6,0,/usr/python3.11,0u,0g,yum',
+    '80,6,0,/usr/cp,0u,0g,cp',
     '80,6,0,/usr/tailscaled,0u,0g,tailscaled',
     '80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
     '80,6,0,/usr/wget,0u,0g,wget',

detection/c2/unexpected-talkers-macos.sql

@@ -258,6 +258,7 @@ WHERE
     '443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
     '443,6,500,trivy,a.out,',
     '31580,6,500,kubectl.1.23,a.out,',
+    '443,6,500,Install,com.adobe.cc.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
     '443,6,500,docker-index,docker-index,Developer ID Application: Docker Inc (9BNSXJN65R)',
     '443,6,500,vegeta,a.out,',
     '443,6,500,policy-tester,a.out,',

detection/evasion/parent-missing-from-disk-linux.sql

@@ -45,6 +45,8 @@ WHERE
     '/usr/bin/alacritty',
     '/usr/bin/dockerd',
     '/usr/bin/fusermount3',
+    '/usr/bin/yay',
+    '/usr/bin/doas',
     '/usr/bin/gnome-shell',
     '/usr/lib/systemd/systemd'
   ) -- long-running launchers

detection/evasion/unexpected-hidden-system-folders.sql

@@ -1,4 +1,4 @@
--- Find unexpected hidden directories in operating-system folders
+-- Find unexpected hidden directories in operating-system foldersbin/
 --
 -- references:
 --   * https://themittenmac.com/what-does-apt-activity-look-like-on-macos/
@@ -92,6 +92,7 @@ WHERE
   AND file.path NOT LIKE '/tmp/.wine-%'
   AND file.path NOT LIKE '/tmp/.%.gcode'
   AND file.path NOT LIKE '/tmp/.vbox-%-ipc/'
+  AND file.path NOT LIKE '/tmp/.io.nwjs.%'
   AND file.path NOT LIKE '/tmp/.com.google.Chrome.%'
   AND file.path NOT LIKE '/tmp/.org.chromium.Chromium%'
   AND file.path NOT LIKE '/tmp/.X1%-lock'

detection/evasion/unexpected-tmp-executables-linux.sql

@@ -0,0 +1,156 @@
+-- Find unexpected executables in temp directories, often used by malware droppers
+--
+-- false positives:
+--   * developers building code out of /tmp
+--
+-- tags: persistent
+-- platform: posix
+SELECT file.path,
+  uid,
+  gid,
+  mode,
+  REGEX_MATCH (RTRIM(file.path, '/'), '.*\.(.*?)$', 1) AS extension,
+  file.btime,
+  file.ctime,
+  file.mtime,
+  file.size,
+  hash.sha256,
+  magic.data
+FROM file
+  LEFT JOIN hash on file.path = hash.path
+  LEFT JOIN magic ON file.path = magic.path
+WHERE (
+    -- Recursive queries don't seem to work well with hidden directories :(
+    file.path LIKE '/tmp/%%'
+    OR file.path LIKE '/tmp/.%/%%'
+    OR file.path LIKE '/tmp/%/%%'
+    OR file.path LIKE '/tmp/%/%/.%'
+    OR file.path LIKE '/tmp/%/.%/%%'
+  )
+  AND file.type = 'regular'
+  AND file.path NOT LIKE '%/../%'
+  AND file.path NOT LIKE '%/./%'
+  AND (
+    file.mode LIKE '%7%'
+    or file.mode LIKE '%5%'
+    or file.mode LIKE '%1%'
+  )
+  AND NOT (
+    uid > 500
+    AND (
+      file.path LIKE '%/go-build%'
+      OR file.path LIKE '/tmp/checkout/%'
+      OR file.path LIKE '/tmp/flow/%.npmzS_cacachezStmpzSgit-clone%'
+      OR file.path LIKE '/tmp/%/site-packages/markupsafe/_speedups.cpython-%'
+      OR file.path LIKE '/tmp/go.%.sum'
+      OR file.path LIKE '/tmp/guile-%/guile-%'
+      OR file.path LIKE '/tmp/src/%'
+      OR file.path LIKE '/tmp/%/src/%'
+      OR file.path LIKE '/tmp/%/git/%'
+      OR file.path LIKE '/tmp/%/ci/%'
+      OR file.path LIKE '/tmp/kots/%'
+      OR file.path LIKE '/tmp/terraformer/%'
+      OR file.path LIKE '/tmp/tmp.%'
+      OR file.path LIKE '%/bin/%-gen'
+      OR file.path LIKE '/tmp/%/target/debug/build/%'
+      OR file.path LIKE '%/ko/%'
+      OR file.path LIKE '%/pdf-tools/%'
+      OR file.path LIKE '%/tmp/epdf%'
+      OR file.path LIKE "/tmp/%/gradlew"
+      OR -- These regular expressions can be narrowed down
+      (
+        file.size < 50000
+        AND file.uid > 500
+        AND file.filename LIKE "%.%"
+        AND extension IN (
+          'adoc',
+          'bat',
+          'java',
+          'js',
+          'json',
+          'nib',
+          'log',
+          'strings',
+          'perl',
+          'pl',
+          'py',
+          'script',
+          'sh',
+          'txt',
+          'yaml',
+          'yml'
+        )
+      )
+    )
+  ) -- Nix
+  AND NOT (
+    file.directory LIKE '/tmp/tmp%'
+    AND gid = 0
+    AND uid > 300
+    AND uid < 350
+  ) -- Babel
+  AND NOT (
+    file.directory LIKE '/tmp/babel-%/sh-script-%'
+    AND gid > 900
+    AND uid = 1000
+    AND size < 1024
+  ) -- Random Testdata
+  AND NOT (
+    gid > 900
+    AND uid = 1000
+    AND (
+      file.directory LIKE '/tmp/%/test'
+      OR file.directory LIKE '/tmp/%/testdata'
+    )
+  ) -- Don't alert if the file is only on disk for a moment
+  AND NOT (
+    file.directory LIKE '/tmp/%'
+    AND (strftime('%s', 'now') - ctime) < 30
+  )
+  AND NOT (
+    uid > 500
+    AND file.path LIKE '/tmp/terraform_%/terraform'
+  )
+  AND NOT (
+    file.path LIKE '/tmp/%compressed'
+    AND size < 4000
+    AND uid > 500
+  ) -- Executables too small to even hold '#!/bin/sh\nuid'
+  AND NOT (
+    file.type = 'regular'
+    AND size < 10
+  )
+ -- Binaries we might actually see legitimately
+  AND NOT (
+    file.path LIKE '/tmp/%'
+    AND file.uid > 500
+    AND (
+      file.filename LIKE "%ctl"
+      OR file.filename LIKE "%adm"
+      OR file.filename LIKE "%-cli"
+    )
+  )
+
+  -- All checks with magic.data must first check for a lack of NULL value,
+  -- otherwise you filter out platforms without magic.data.
+  AND NOT (
+    file.uid > 500
+    AND magic.data IS NOT NULL
+    AND (
+      magic.data IN (
+        "POSIX shell script, ASCII text executable",
+        "JSON data"
+      )
+      OR magic.data LIKE "Unicode text%"
+      OR magic.data LIKE "gzip compressed data%"
+    )
+  )
+  AND NOT (
+    file.directory LIKE "%/lib"
+    OR file.directory LIKE "%/lib64"
+    AND file.uid > 500
+    AND (
+      file.filename LIKE "%.so.%"
+      OR file.filename LIKE "%.so"
+    )
+  )

detection/evasion/unexpected-tmp-executables-macos.sql

@@ -4,7 +4,7 @@
 --   * developers building code out of /tmp
 --
 -- tags: persistent
--- platform: posix
+-- platform: macos
 SELECT file.path,
   uid,
   gid,
@@ -15,10 +15,13 @@ SELECT file.path,
   file.mtime,
   file.size,
   hash.sha256,
-  magic.data
+  magic.data,
+  signature.identifier,
+  signature.authority
 FROM file
   LEFT JOIN hash on file.path = hash.path
   LEFT JOIN magic ON file.path = magic.path
+  LEFT JOIN signature ON file.path = signature.path
 WHERE (
     -- Recursive queries don't seem to work well with hidden directories :(
     file.path LIKE '/tmp/%%'
@@ -49,8 +52,7 @@ WHERE (
       OR file.path LIKE '/tmp/terraformer/%'
       OR file.path LIKE '/tmp/tmp.%'
       OR file.path LIKE '%/bin/%-gen'
-      OR file.path LIKE '%/bin/%'
-      OR file.path LIKE '%/sbin/%'
+      OR file.path LIKE '/tmp/%-%/Photoshop Installer.app/Contents/%'
       OR file.path LIKE '%/CCLBS/%'
       OR file.path LIKE '/tmp/%/target/debug/build/%'
       OR file.path LIKE '%/ko/%'
@@ -66,7 +68,9 @@ WHERE (
           'java',
           'js',
           'json',
+          'nib',
           'log',
+          'strings',
           'perl',
           'pl',
           'py',
@@ -76,7 +80,7 @@ WHERE (
           'yaml',
           'yml'
         )
-        AND magic.data NOT LIKE "ELF 64-bit LSB%"
+        AND magic.data NOT LIKE "%Mach-O%"
       )
     )
   ) -- Nix
@@ -124,27 +128,9 @@ WHERE (
     AND magic.data = "POSIX shell script, ASCII text executable"
   )
   AND NOT (
-    (
-      file.directory LIKE "%/lib"
-      OR file.directory LIKE "%/lib64"
-    )
-    AND file.uid > 500
+    magic.data IS NOT NULL
     AND (
-      file.filename LIKE "%.so.%"
-      OR file.filename LIKE "%.so"
+        magic.data = 'JSON data'
+        OR magic.data LIKE 'ELF %-bit %SB executable%'
     )
-    AND (
-      magic.data LIKE "ELF 64-bit LSB shared object%"
-      OR magic.data LIKE "symbolic link to %"
-    )
-  ) -- Binaries we might actually see
-  AND NOT (
-    file.path LIKE '/tmp/%'
-    AND file.uid > 500
-    AND magic.data LIKE "ELF 64-bit LSB executable%"
-    AND (
-      file.filename LIKE "%ctl"
-      OR file.filename LIKE "%adm"
-      OR file.filename LIKE "%-cli"
-    )
-  )
+  )

detection/execution/unexpected-env-values-linux.sql

@@ -37,6 +37,7 @@ WHERE -- This time should match the interval
     AND NOT pe.value IN ('libfakeroot.so', '/usr/local/lib/libmimalloc.so')
     AND NOT pe.value LIKE ':/home/%/.local/share/Steam'
     AND NOT pe.value LIKE ':/home/%/.var/app/com.valvesoftware.Steam/%'
+    AND NOT pe.value LIKE ':/home/%/.local/share/Steam/ubuntu%/gameoverlayrenderer.so:/home/%/.local/share/Steam/ubuntu%/gameoverlayrenderer.so'
     AND NOT pe.value LIKE ':/snap/%'
     AND NOT pe.value LIKE '/app/bin/%'
     AND NOT pe.value LIKE 'libmozsandbox.so%'

detection/persistence/unexpected-chrome-extensions.sql

@@ -57,27 +57,29 @@ WHERE
     'false,,Google Cloud,gmdcbpephenfeelhagpbceidhdbobfpk,', -- Deprecated Google Extension
     'false,,Google Drive,aghbiahbpaijignceidepookljebhfak,', -- Deprecated Google Extension
     'false,,Google Photos,ncmjhecbjeaamljdfahankockkkdmedg,', -- Deprecated Google Extension
+    'false,julienv3@gmail.com,treasure-clicker,,',
     'false,juverm@chainguard.dev,auto-close-gitsign,,',
     'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml,', -- Deprecated Google Extension
     'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb,storage, tabs',
     'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk,storage, unlimitedStorage, webRequest, webRequestBlocking, <all_urls>',
     'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, <all_urls>, contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
     'true,,Add to Amazon Wish List,ciagpekplgpbepdgggflgmahnjgiaced,tabs, http://*/*, https://*/*',
-    'true,Vimeo,Vimeo Record - Screen & Webcam Recorder,ejfmffkmeigkphomnpabpdabfddeadcb,<all_urls>, storage, cookies, notifications, desktopCapture, tabCapture, contextMenus, ://.vimeo.com/',
     'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, <all_urls>, tabs, downloads, nativeMessaging, webRequest, storage, webRequestBlocking',
     'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, <all_urls>, tabs, downloads, nativeMessaging, webRequest, webRequestBlocking',
-    'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi,tabs, webNavigation, webRequest, storage, <all_urls>, cookies, alarms',
     'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, tabs, downloads, nativeMessaging, webRequest, webNavigation, storage, scripting, alarms, declarativeNetRequest',
     'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk,contextMenus, nativeMessaging, storage, tabs, webRequest, webRequestBlocking, http://*/*, https://*/*',
     'true,AgileBits,1Password – Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa,<all_urls>, alarms, contextMenus, downloads, idle, management, nativeMessaging, notifications, privacy, tabs, webNavigation, webRequest, webRequestBlocking',
     'true,AgileBits,1Password – Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa,<all_urls>, contextMenus, downloads, idle, management, nativeMessaging, notifications, privacy, tabs, webNavigation, webRequest, webRequestBlocking',
     'true,Alexander Shutau,Dark Reader,eimadpbcbfnmbkopoojfekhnkhdbieeh,alarms, fontSettings, storage, tabs, <all_urls>',
     'true,All uBlock contributors,uBlock - free ad blocker,epcnnfbjfcgphgdmggkamkmgojdagdnn,contextMenus, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, <all_urls>',
+    'true,,Bardeen - automate manual work,ihhkmalpkhkoedlmcnilbbhhbhnicjga,activeTab, alarms, bookmarks, contextMenus, history, notifications, scripting, storage, tabs, tts, unlimitedStorage, webNavigation',
     'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga,activeTab, alarms, bookmarks, contextMenus, history, notifications, scripting, storage, tabs, tts, unlimitedStorage, webNavigation',
     'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga,<all_urls>, webNavigation, unlimitedStorage, notifications, activeTab, tabs, storage, *://*/*, history, bookmarks, contextMenus',
     'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, <all_urls>, contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
     'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb,tabs, contextMenus, storage, unlimitedStorage, clipboardRead, clipboardWrite, idle, http://*/*, https://*/*, webRequest, webRequestBlocking',
     'true,,BrowserStack Local,mfiddfehmfdojjfdpfngagldgaaafcfo,https://*.bsstag.com/*, https://*.browserstack.com/*, , clipboardWrite, app.window, storage',
+    'true,CAD Team,Cookie AutoDelete,fhcgjolkccmbidfldomjliifgaodjagh,activeTab, alarms, browsingData, contextMenus, cookies, notifications, storage, tabs, <all_urls>',
+    'true,,Canvas Blocker - Fingerprint Protect,nomnklagbgmgghhjidfhnoelnjfndfpd,*://*/*, notifications, storage, webNavigation, contextMenus',
     'true,,Capital One Shopping: Add to Chrome for Free,nenlahapcbofgnanklpelkaejcehkggg,alarms, tabs, contextMenus, storage, cookies, webRequest, webRequestBlocking, <all_urls>',
     'true,,Capital One Shopping: Add to Chrome for Free,nenlahapcbofgnanklpelkaejcehkggg,tabs, contextMenus, storage, cookies, webRequest, webRequestBlocking, <all_urls>',
     'true,,Caret,fljalecfjciodhpcledpamjachpmelml,clipboardRead, clipboardWrite, contextMenus, storage, notifications, syncFileSystem, app.window.fullscreen.overrideEsc,',
@@ -97,9 +99,10 @@ WHERE
     'true,,Copper CRM for Gmail,hpfmedbkgaakgagknibnonpkimkibkla,https://app.copper.com/, *://*.googleusercontent.com/proxy/*, *://calendar.google.com/*, *://mail.google.com/*, notifications, storage, tabs, webRequest, webRequestBlocking',
     'true,,Copper CRM for Gmail,hpfmedbkgaakgagknibnonpkimkibkla,https://app.copper.com/, webRequest, webRequestBlocking, *://mail.google.com/*, tabs, storage, notifications, *://calendar.google.com/*',
     'true,,CSS Scan,gieabiemggnpnminflinemaickipbebg,storage, activeTab, <all_urls>, contextMenus, clipboardWrite',
+    "true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja,tabs, storage, http://*/*, https://*/*, notifications, webRequest, webRequestBlocking, webNavigation",
+    'true,,Datanyze Chrome Extension,mlholfadgbpidekmhdibonbjhdmpmafd,tabs, cookies, scripting, storage',
     'true,,DEPRECATED Secure Shell App,pnhechapfaindjhompbnflcldabbghjo,clipboardRead, clipboardWrite, idle, notifications, storage, terminalPrivate, unlimitedStorage, fileSystemProvider, accessibilityFeatures.read, crashReportPrivate, metricsPrivate',
     'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg,contextMenus, webRequest, webRequestBlocking, *://*/*, webNavigation, activeTab, tabs, storage, <all_urls>, alarms',
-    'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg,contextMenus, webRequest, webRequestBlocking, :///*, webNavigation, activeTab, tabs, storage, <all_urls>, alarms',
     'true,,EditThisCookie,fngmhnnpilhplaeedifhccceomclgfbg,tabs, <all_urls>, cookies, contextMenus, notifications, clipboardWrite, webRequest, webRequestBlocking',
     'true,,Endpoint Verification,callobklhcbilhphinckomhgkigmfocg,cookies, idle, nativeMessaging, storage, *://*.google.com/*, download, enterprise.reportingPrivate, browsingData, enterprise.deviceAttributes, enterprise.platformKeys, gcm, identity, identity.email, platformKeys',
     'true,,Eno® from Capital One®,clmkdohmabikagpnhjmgacbclihgmdje,activeTab, tabs, storage, cookies, webRequest, webRequestBlocking, https://*.capitalone.com/*, http://*.capitalone.com/*',
@@ -123,7 +126,7 @@ WHERE
     'true,,GSConnect,jfnifeihccihocjbfcfhicmmgpjicaec,nativeMessaging, tabs, contextMenus',
     'true,Guilherme Nascimento,Prevent Duplicate Tabs,eednccpckdkpojaiemedoejdngappaag,tabs',
     'true,,Honey: Automatic Coupons & Cash Back,bmnlcjabgnpnenekpadlanbbkooimhnj,cookies, storage, unlimitedStorage, webRequest, webRequestBlocking, http://*/*, https://*/*',
-    'true,,Honey: Automatic Coupons & Rewards,bmnlcjabgnpnenekpadlanbbkooimhnj,cookies, storage, unlimitedStorage, webRequest, webRequestBlocking, http:///, https:///',
+    'true,,Honey: Automatic Coupons & Rewards,bmnlcjabgnpnenekpadlanbbkooimhnj,cookies, storage, unlimitedStorage, webRequest, webRequestBlocking, http://*/*, https://*/*',
     'true,,HTTPS Everywhere,gcbommkclmclpchllfjekcdonpmejbdp,webNavigation, webRequest, webRequestBlocking, tabs, cookies, storage, *://*/*, ftp://*/*',
     'true,https://metamask.io,MetaMask,nkbihfbeogaeaoehlefnkodbefgpgknn,storage, unlimitedStorage, clipboardWrite, http://localhost:8545/, https://*.infura.io/, https://chainid.network/chains.json, https://lattice.gridplus.io/*, activeTab, webRequest, *://*.eth/, notifications',
     'true,James Anderson,LeechBlock NG,blaaajhemilngeeffpbfkdjjoefldkok,downloads, contextMenus, storage, tabs, unlimitedStorage, webNavigation',
@@ -142,6 +145,7 @@ WHERE
     'true,Marker.io,Marker.io: Visual bug reporting for websites,jofhoojcehdmaiibilpcoofpdbbddkkl,<all_urls>, notifications, contextMenus, desktopCapture',
     'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka,tabs, background, webNavigation, storage, <all_urls>, webRequest, webRequestBlocking, downloads, notifications',
     'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka,tabs, background, webNavigation, storage, scripting, alarms, webRequest, declarativeNetRequest, declarativeNetRequestFeedback, downloads, notifications',
+    'true,,NoScript,doojmbjmlfjjnbmnoijecmcbfeoakpjm,contextMenus, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, <all_urls>',
     'true,,Notion Web Clipper,knheggckgoiihginacbkhaalnibhilkk,activeTab, storage, cookies',
     'true,,Office Editing for Docs, Sheets & Slides,gbkeegbaiigmenfmjfclcdgdpimamgkj,clipboardRead, clipboardWrite, cookies, downloads, *://*.google.com/*, fileSystem, fileSystem.write, https://www.google-analytics.com/, https://www.googleapis.com/, identity, identity.email, metricsPrivate, storage, unlimitedStorage',
     'true,,Okta Browser Plugin,glnpjglilkicbckjpbgcfkogebgllemb,tabs, cookies, https://*/, http://*/, storage, unlimitedStorage, webRequest, webRequestBlocking, webNavigation',
@@ -159,6 +163,7 @@ WHERE
     'true,,Privacy Badger,pkehgijcmpdhfbdbbnkijodmdjhbjlgp,tabs, http://*/*, https://*/*, webNavigation, webRequest, webRequestBlocking, storage, privacy',
     'true,,Private Internet Access,jplnlifepflhkbkgonidnobkakhmpnmh,activeTab, storage, unlimitedStorage, cookies, webRequest, webRequestBlocking, proxy, privacy, contentSettings, alarms, background, downloads, <all_urls>',
     'true,,QuillBot for Chrome,iidnbdjijdkbmajdffnidomddglmieko,alarms, cookies, storage, activeTab, contextMenus, notifications, scripting',
+    'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi,tabs, webNavigation, webRequest, storage, <all_urls>, cookies, alarms',
     'true,Raymond Hill & contributors,uBlock Origin,cjpalhdlnbpafiamejdnhcphjbkeiagm,contextMenus, privacy, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, <all_urls>',
     'true,,React Developer Tools,fmkadmapgofadopljbjfkapdkoienihi,file:///*, http://*/*, https://*/*',
     'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm,tabs, activeTab, contextMenus, http://*/*, https://*/*, storage',
@@ -182,6 +187,7 @@ WHERE
     'true,,Tabli,igeehkedfibbnhbfponhjjplpkeomghi,storage, tabs, bookmarks, chrome://favicon/*',
     'true,,Tab Wrangler,egnjhciaieeiiohknchakcodbpgjnchh,contextMenus, sessions, storage, tabs',
     'true,,Tag Assistant Legacy (by Google),kejbdjndbnbjgmefkgdddjlbokphdefk,identity, storage, tabs, webNavigation, webRequestBlocking, webRequest, http://*/, https://*/',
+    'true,Thomas Rientjes,Decentraleyes,ldpochfccmkkmhdbclfhpagapcfdljkj,*://*/*, privacy, storage, unlimitedStorage, webNavigation, webRequest, webRequestBlocking',
     'true,,Todoist for Chrome,jldhpllghnbhlbpcmnajkpdmadaolakh,storage, tabs, contextMenus, webRequest, webRequestBlocking, http://*.todoist.com/*, https://*.todoist.com/*, background, declarativeNetRequestWithHostAccess',
     'true,Tomas Popela, tpopela@redhat.com,Fedora User Agent,hojggiaghnldpcknpbciehjcaoafceil,webRequest, webRequestBlocking, *://*/*, ws://*/*, wss://*/*',
     'true,Tulio Ornelas <ornelas.tulio@gmail.com>,JSON Viewer,gbmdgpbipfallnflgajpaliibnhdgobh,*://*/*, <all_urls>',
@@ -191,6 +197,7 @@ WHERE
     'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg,storage, unlimitedStorage, tabs, webRequest, webRequestBlocking, http://spoofer-extension.appspot.com/, https://spoofer-extension.appspot.com/, <all_urls>',
     'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki,clipboardWrite, contextMenus, notifications',
     'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke,activeTab, storage, tabs, identity, https://maps.googleapis.com/*, https://*.vimcal.com/*, webNavigation, <all_urls>, background, history',
+    'true,Vimeo,Vimeo Record - Screen & Webcam Recorder,ejfmffkmeigkphomnpabpdabfddeadcb,<all_urls>, storage, cookies, notifications, desktopCapture, tabCapture, contextMenus, *://*.vimeo.com/',
     'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, clipboardRead, storage, sessions, notifications, webNavigation, <all_urls>',
     'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, storage, sessions, notifications, webNavigation, <all_urls>',
     'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd,<all_urls>, storage',