Merge pull request #433 from egibs/20241212-fpr

FPR for extensions, go build artifacts, pkpass files, signed authors, and more
2025-03-07 03:07:32 +00:00 · 2024-12-17 10:57:04 -05:00 · 2024-12-17 10:57:04 -05:00 · ac4a734ef7
commit ac4a734ef7
parent 73cc65a7eb fa6af88602
18 changed files with 79 additions and 49 deletions
--- a/detection/c2/unexpected-root-libcurl-proc-linux.sql
+++ b/detection/c2/unexpected-root-libcurl-proc-linux.sql
@ -10,7 +10,7 @@ SELECT
  CONCAT (
    p0.name,
    ',',
-    REPLACE(
+    REPLACE (
      p0.path,
      COALESCE(
        REGEX_MATCH (p0.path, "/nix/store/(.*?)/.*", 1),
@ -89,6 +89,7 @@ WHERE
    'ostree,/usr/bin/ostree,0,system.slice,ostree-finalize-staged-hold.service,0755',
    'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755',
    'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
+    'realmd,/usr/libexec/realmd,0,system.slice,realmd.service,0755',
    'rpm-ostree,/usr/bin/rpm-ostree,0,system.slice,rpm-ostreed.service,0755',
    'rpm-ostree,/usr/bin/rpm-ostree,0,system.slice,ublue-update.service,0755',
    'sddm-helper,/usr/libexec/sddm-helper,0,user.slice,user-1000.slice,0755',
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -99,6 +99,7 @@ WHERE
    '8000,6,500,firefox,0u,0g,firefox',
    '80,6,500,vlc,0u,0g,vlc',
    '80,6,500,telegram-desktop,u,g,telegram-deskto',
+    '80,6,0,dnf5,0u,0g,dnf',
    '80,6,0,grep,0u,0g,grep',
    '80,6,0,incusd,0u,0g,incusd',
    '80,6,0,kmod,0u,0g,depmod',
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@ -120,22 +120,23 @@ WHERE
  )
  -- port 0 means the connection has come and gone since the original process_open_sockets entry
  AND NOT unsigned_exception IN (
-      '500,0,0,gvproxy,gvproxy',
-      '500,0,0,Python,Python',
-      '500,6,0,gvproxy,gvproxy',
-      '500,6,80,chainlink,chainlink',
-      '500,17,53,gvproxy,gvproxy',
-      '500,17,53,gvproxy,gvproxy',
-      '500,6,32768,gvproxy,gvproxy',
-      '500,0,0,chainlink,chainlink',
-      '500,6,443,chainlink,chainlink',
-      '500,17,123,gvproxy,gvproxy',
-      '500,0,0,,',
-      '500,0,0,.Telegram-wrapped,.Telegram-wrapped',
-      '500,6,443,cloud_sql_proxy,cloud_sql_proxy',
-      '500,6,32768,cloud_sql_proxy,cloud_sql_proxy',
-      '500,0,0,jspawnhelper,jspawnhelper',
-      '500,6,0,fuscript,fuscript'
+    '500,0,0,gvproxy,gvproxy',
+    '500,0,0,Python,Python',
+    '500,6,0,gvproxy,gvproxy',
+    '500,6,80,chainlink,chainlink',
+    '500,17,53,gvproxy,gvproxy',
+    '500,17,53,gvproxy,gvproxy',
+    '500,6,443,gvproxy,gvproxy',
+    '500,6,32768,gvproxy,gvproxy',
+    '500,0,0,chainlink,chainlink',
+    '500,6,443,chainlink,chainlink',
+    '500,17,123,gvproxy,gvproxy',
+    '500,0,0,,',
+    '500,0,0,.Telegram-wrapped,.Telegram-wrapped',
+    '500,6,443,cloud_sql_proxy,cloud_sql_proxy',
+    '500,6,32768,cloud_sql_proxy,cloud_sql_proxy',
+    '500,0,0,jspawnhelper,jspawnhelper',
+    '500,6,0,fuscript,fuscript'
  )
 GROUP BY
  p0.cmdline
--- a/detection/credentials/unexpected-dev-opener-macos.sql
+++ b/detection/credentials/unexpected-dev-opener-macos.sql
@ -11,15 +11,15 @@ SELECT
  s.authority,
  s.identifier,
  CONCAT (
-    IIF(
+    IIF (
      REGEX_MATCH (pof.path, '(/dev/.*)\d+$', 1) != '',
      REGEX_MATCH (pof.path, '(/dev/.*)\d+', 1),
      pof.path
    ),
    ',',
-    REPLACE(
+    REPLACE (
      p0.path,
-      RTRIM(p0.path, REPLACE(p0.path, '/', '')),
+      RTRIM (p0.path, REPLACE (p0.path, '/', '')),
      ''
    ),
    ',',
@ -90,11 +90,13 @@ WHERE
    '/dev/bpf,core,Developer ID Application: TPZ Solucoes Digitais Ltda (X37R283V2T),com.topaz.warsaw.core',
    '/dev/bpf,packetbeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),packetbeat',
    '/dev/bpf,com.bjango.istatmenus.daemon,Developer ID Application: Bjango Pty Ltd (Y93TK974AT),com.bjango.istatmenus',
+    '/dev/bus/usb/001/01,scdaemon',
    '/dev/console,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product',
    '/dev/console,kernelmanagerd,Software Signing,com.apple.kernelmanagerd',
    '/dev/console,launchd,Software Signing,com.apple.xpc.launchd',
    '/dev/console,launchd_sim,Software Signing,com.apple.xpc.launchd',
    '/dev/cu.BLTH,bluetoothd,Software Signing,com.apple.bluetoothd',
+    '/dev/cu.usbmodem10,serial-monitor,,a.out',
    '/dev/io,ControlCenter,Software Signing,com.apple.controlcenter',
    '/dev/bpf,MHLinkServer,Developer ID Application: Metric Halo Distribution, Inc. (X7EY8SFM86),com.mhlabs.mhlink.server',
    '/dev/io,PerfPowerServices,Software Signing,com.apple.PerfPowerServices',
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@ -58,7 +58,7 @@ WHERE
  )
  AND file.path NOT LIKE '%/../'
  AND file.path NOT LIKE '%/./' -- Avoid mentioning extremely temporary files
-  AND strftime('%s', 'now') - file.ctime > 20
+  AND strftime ('%s', 'now') - file.ctime > 20
  AND file.path NOT IN (
    '/.autorelabel',
    '/.cache/',
@ -78,6 +78,8 @@ WHERE
    '/.lesshst',
    '/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
    '/.mozilla/',
+    '/.nofollow/',
+    '/.resolve/',
    '/tmp/.accounts-agent/',
    '/tmp/.audio-agent/',
    '/tmp/.bazelci/',
--- a/detection/evasion/unexpected-kernel-extensions-macos.sql
+++ b/detection/evasion/unexpected-kernel-extensions-macos.sql
@ -29,3 +29,4 @@ WHERE
  AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Filesystems/macfuse.fs/Contents/Extensions/12/macfuse.kext,io.macfuse.filesystems.macfuse,%'
  AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_ExtFS.kext,com.paragon-software.filesystems.extfs,%'
  AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/UAD2System.kext,com.uaudio.driver.UAD2System,%'
+  AND exception_key NOT LIKE '/usr/appleinternal/standalone/platform,com.apple.sptm,24.2.0,'
--- a/detection/evasion/unexpected-user-shared-entries.sql
+++ b/detection/evasion/unexpected-user-shared-entries.sql
@ -20,7 +20,7 @@ SELECT
  file.gid,
  hash.sha256,
  magic.data,
-  RTRIM(
+  RTRIM (
    COALESCE(
      REGEX_MATCH (file.directory, '(/.*?/.*?/.*?/)', 1),
      file.directory
@ -83,7 +83,8 @@ WHERE
      '/Users/Shared/Previously Relocated Items',
      '/Users/Shared/Red Giant',
      '/Users/Shared/Relocated Items',
-      '/Users/Shared/TechSmith'
+      '/Users/Shared/TechSmith',
+      '/Users/Shared/Media Cache Files/'
    )
    OR file.path LIKE '/Users/Shared/Epic Games/%'
    OR file.path LIKE "/Users/Shared/Previously Relocated Items %/%"
--- a/detection/evasion/unexpected-var-run-macos.sql
+++ b/detection/evasion/unexpected-var-run-macos.sql
@ -52,6 +52,7 @@ WHERE
    'hdiejectd.pid',
    'installd.commit.pid',
    'kdc.pid',
+    'MobileAssetCritialDomainsUpdated.plist',
    'prl_disp_service.pid',
    'prl_naptd.pid',
    'prl_desktop_services.lock',
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@ -9,17 +9,17 @@
 -- tags: transient seldom process filesystem state
 SELECT DISTINCT
  COALESCE(REGEX_MATCH (p0.path, '(.*)/', 1), p0.path) AS dir,
-  REPLACE(f.directory, u.directory, '~') AS homedir,
+  REPLACE (f.directory, u.directory, '~') AS homedir,
  COALESCE(
    REGEX_MATCH (
-      REPLACE(f.directory, u.directory, '~'),
+      REPLACE (f.directory, u.directory, '~'),
      '(~/.*?/.*?/.*?/)',
      1
    ),
-    REPLACE(f.directory, u.directory, '~')
+    REPLACE (f.directory, u.directory, '~')
  ) AS top3_homedir,
  REGEX_MATCH (
-    REPLACE(f.directory, u.directory, '~'),
+    REPLACE (f.directory, u.directory, '~'),
    '(~/.*?/)',
    1
  ) AS top_homedir,
@ -159,7 +159,8 @@ WHERE
    '~/.local/share/nvim/',
    '~/opentelemetry-operator/cmd/otel-allocator',
    '/opt/rapid7/ir_agent',
-    '~/.terraform.d/plugin-cache/registry.terraform.io/'
+    '~/.terraform.d/plugin-cache/registry.terraform.io/',
+    '~/zed/target/release/'
  )
  AND dir NOT LIKE '/Applications/%'
  AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS'
--- a/detection/execution/unexpected-long-running-security-framework-macos.sql
+++ b/detection/execution/unexpected-long-running-security-framework-macos.sql
@ -55,7 +55,7 @@ WHERE -- Focus on longer-running programs
    FROM
      processes
    WHERE
-      start_time < (strftime('%s', 'now') - 25200)
+      start_time < (strftime ('%s', 'now') - 25200)
      AND parent != 0 -- Assume STP
      AND NOT path LIKE '/System/%'
      AND NOT path LIKE '/usr/libexec/%'
@ -108,5 +108,6 @@ WHERE -- Focus on longer-running programs
  AND NOT exception_key LIKE '500,rust-analyzer,rust_analyzer-%,'
  AND NOT exception_key LIKE '500,package-version-server-v%,package_version_server-%,'
  AND NOT exception_key LIKE '500,marksman-macos,marksman-%,'
+  AND NOT exception_key LIKE '500,___go_build_main_go,a.out,'
 GROUP BY
  p0.pid
--- a/detection/exfil/yara-unexpected-rust-http-exec-process.sql
+++ b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
@ -44,7 +44,7 @@ WHERE
    FROM
      processes
    WHERE
-      start_time > (strftime('%s', 'now') - 7200)
+      start_time > (strftime ('%s', 'now') - 7200)
      AND path != ""
      AND NOT path LIKE '/System/%'
      AND NOT path LIKE '/usr/libexec/%'
@ -58,6 +58,7 @@ WHERE
      AND NOT path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
      AND NOT path LIKE '/private/var/folders%/T/go-build%/exe/%'
      AND NOT path LIKE '/Users/%/.terraform/providers/%'
+      AND NOT path LIKE '/%/.local/zed.app/libexec/zed-editor'
    GROUP BY
      path
  )
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@ -13,7 +13,7 @@
 SELECT
  file.path,
  file.size,
-  datetime(file.btime, 'unixepoch') AS file_created,
+  datetime (file.btime, 'unixepoch') AS file_created,
  magic.data,
  hash.sha256,
  signature.identifier,
@ -35,7 +35,7 @@ WHERE
    OR mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.pkg'"
  )
  AND ea.key = 'where_from'
-  AND file.btime > (strftime('%s', 'now') -86400)
+  AND file.btime > (strftime ('%s', 'now') -86400)
  AND domain NOT IN (
    'adobe.com',
    'akmedia.digidesign.com',
@ -217,6 +217,7 @@ WHERE
    'obsproject.com',
    'opalcamera.com',
    'openai.com',
+    'packages.openvpn.net',
    'persistent.oaistatic.com',
    'portswigger-cdn.net',
    'posit.co',
--- a/detection/initial_access/unexpected-webmail-downloads.sql
+++ b/detection/initial_access/unexpected-webmail-downloads.sql
@ -11,13 +11,13 @@
 SELECT
  file.path,
  file.size,
-  datetime(file.btime, 'unixepoch') AS file_created,
+  datetime (file.btime, 'unixepoch') AS file_created,
  magic.data,
  hash.sha256,
  s.authority,
  s.identifier,
  LOWER(
-    REGEX_MATCH (RTRIM(file.path, '/'), '.*\.(.*?)$', 1)
+    REGEX_MATCH (RTRIM (file.path, '/'), '.*\.(.*?)$', 1)
  ) AS extension
 FROM
  mdfind
@ -27,7 +27,7 @@ FROM
  LEFT JOIN signature s ON file.path = s.path
 WHERE
  mdfind.query = 'kMDItemWhereFroms == ''*https://mail.google.com/*'''
-  AND file.btime > (strftime('%s', 'now') -86400)
+  AND file.btime > (strftime ('%s', 'now') -86400)
  -- Extensions that would not normally raise suspicion if sent by e-mail (excludes dmg, iso, lnk, exe)
  AND extension NOT IN (
    'ai',
@ -62,6 +62,7 @@ WHERE
    'pdf',
    'pem',
    'pgp',
+    'pkpass',
    'png',
    'potx',
    'ppt',
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
@ -7,7 +7,8 @@
 --   * Almost unlimited: any extension that isn't on your whitelist
 --
 -- tags: persistent seldom browser
-SELECT name,
+SELECT
+  name,
  profile,
  chrome_extensions.description AS 'descr',
  persistent AS persists,
@ -34,11 +35,13 @@ SELECT name,
    identifier
  ) AS exception_key,
  hash.sha256
-FROM users
+FROM
+  users
  CROSS JOIN chrome_extensions USING (uid)
  LEFT JOIN file ON chrome_extensions.path = file.path
  LEFT JOIN hash ON chrome_extensions.path = hash.path
-WHERE state = 1
+WHERE
+  state = 1
  AND (
    (
      from_webstore != 'true'
@ -248,6 +251,7 @@ WHERE state = 1
    'true,,Moesif Origin/CORS Changer & API Logger,digfbfaphojjndkpccljibejjbppifbc',
    'true,Moustachauve,Cookie-Editor,hlkenndednhfkekhgcdicdfddnkalmdm',
    'true,,MQTTLens,hemojaaeigabkbcookmlgmdigohjobjm',
+    'true,,Nooks,kbbdibmbjngifdgbmlleelghocpeimhe',
    'true,,NordVPN - VPN proxy for privacy and security,fjoaledfpmneenckfbpdfhkmimnjocfa',
    'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka',
    'true,,NoScript,doojmbjmlfjjnbmnoijecmcbfeoakpjm',
@ -387,4 +391,5 @@ WHERE state = 1
    )
    AND chrome_extensions.path LIKE '%/Microsoft Edge/%'
  )
-GROUP BY exception_key
+GROUP BY
+  exception_key
--- a/detection/persistence/unexpected-listening-port-linux.sql
+++ b/detection/persistence/unexpected-listening-port-linux.sql
@ -121,8 +121,10 @@ WHERE
    '443,6,500,jcef_helper',
    '4443,6,500,metrics-server',
    '5000,6,0,registry',
+    '5000,6,500,registry',
    '5000,6,500,ControlCenter',
    '5001,6,0,registry',
+    '5005,6,500,rootlesskit',
    '5050,6,500,rootlesskit',
    '53,17,0,coredns',
    '53,17,114,dnsmasq',
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
@ -49,7 +49,7 @@ WHERE
    AND lp.port IN (8000, 8080)
    AND lp.protocol = 6
  ) -- Filter out unmapped raw sockets
-  AND NOT (p.pid == '') -- Exceptions: the uid is capped at 500 to represent regular users versus system users
+  AND NOT (p.pid = '') -- Exceptions: the uid is capped at 500 to represent regular users versus system users
  -- port is capped at 49152 to represent transient ports
  AND NOT exception_key IN (
    '10011,6,0,launchd,Software Signing',
@ -122,6 +122,7 @@ WHERE
    '49152,6,0,launchd,Software Signing',
    '49152,6,0,remoted,Software Signing',
    '49152,6,0,remotepairingdeviced,Software Signing',
+    '49152,6,500,Arduino IDE Helper,Developer ID Application: ARDUINO SA (7KT7ZWMCJT)',
    '49152,6,500,AUHostingServiceXPC_arrow,Software Signing',
    '49152,6,500,barrier',
    '49152,6,500,CaptureCoreService,Developer ID Application: Capture One A/S (5WTDB5F65L)',
@ -147,6 +148,8 @@ WHERE
    '49152,6,500,Luna Display,Developer ID Application: Astro HQ LLC (8356ZZ8Y5K)',
    '49152,6,500,Music,Software Signing',
    '49152,6,500,node,',
+    '49152,6,500,OmniFocus,Apple Mac OS Application Signing',
+    '49152,6,500,Sonos,Developer ID Application: Sonos, Inc. (2G4LW83Q3E)',
    '49152,6,500,qemu-system-aarch64,',
    '49152,6,500,rapportd,Software Signing',
    '49152,6,500,Resolve,Developer ID Application: Blackmagic Design Inc (9ZGFBWLSYP)',
@ -185,6 +188,7 @@ WHERE
    '5990,6,500,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
    '6000,6,500,X11.bin,Developer ID Application: Apple Inc. - XQuartz (NA574AWV7E)',
    '631,6,0,cupsd,Software Signing',
+    '6650,6,500,java,',
    '67,17,0,bootpd,Software Signing',
    '67,17,0,launchd,Software Signing',
    '68,17,0,configd,Software Signing',
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@ -12,7 +12,7 @@ SELECT
  CONCAT (
    p0.name,
    ',',
-    REPLACE(
+    REPLACE (
      p0.path,
      COALESCE(
        REGEX_MATCH (p0.path, "/nix/store/(.*?)/.*", 1),
@ -33,9 +33,9 @@ SELECT
    ',',
    f.mode
  ) AS exception_key,
-  DATETIME(f.ctime, 'unixepoch') AS p0_changed,
-  DATETIME(f.mtime, 'unixepoch') AS p0_modified,
-  (strftime('%s', 'now') - p0.start_time) AS p0_runtime_s,
+  DATETIME (f.ctime, 'unixepoch') AS p0_changed,
+  DATETIME (f.mtime, 'unixepoch') AS p0_modified,
+  (strftime ('%s', 'now') - p0.start_time) AS p0_runtime_s,
  -- Child
  p0.pid AS p0_pid,
  p0.path AS p0_path,
@ -72,7 +72,7 @@ WHERE
  p0.euid = 0
  AND p0.parent > 0
  AND p0.path != ""
-  AND p0.start_time < (strftime('%s', 'now') - 1200)
+  AND p0.start_time < (strftime ('%s', 'now') - 1200)
  AND exception_key NOT IN (
    'abrt-dump-journ,/usr/bin/abrt-dump-journal-core,0,system.slice,abrt-journal-core.service,0755',
    'abrt-dump-journ,/usr/bin/abrt-dump-journal-oops,0,system.slice,abrt-oops.service,0755',
@ -141,6 +141,7 @@ WHERE
    'dockerd,/nix/store/__VERSION__/libexec/docker/dockerd,0,system.slice,docker.service,0555',
    'dockerd,/usr/bin/dockerd,0,system.slice,docker.service,0755',
    'dockerd,/usr/sbin/dockerd,0,system.slice,docker.service,0755',
+    'dockerd,/snap/docker/__VERSION__/bin/dockerd,0,system.slice,snap.docker.dockerd.service,0755',
    'docker-proxy,/usr/bin/docker-proxy,0,system.slice,docker.service,0755',
    'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755',
    'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755',
@ -278,6 +279,7 @@ WHERE
    'pwrstatd,/usr/sbin/pwrstatd,0,system.slice,pwrstatd.service,0700',
    'python3,/usr/bin/python3.10,0,system.slice,system-dbus\x2d:1.1\x2dorg.pop_os.transition_system.slice,0755',
    'python3,/usr/bin/python__VERSION__,0,system.slice,ubuntu-advantage.service,0755',
+    'python3,/usr/bin/python3.12,0,system.slice,dbus.service,0755',
    'qemu-ga,/usr/bin/qemu-ga,0,system.slice,qemu-guest-agent.service,0755',
    'qualys-cloud-ag,/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent,0,system.slice,qualys-cloud-agent.service,0700',
    'rapid7_endpoint,/opt/rapid7/ir_agent/components/endpoint_broker/__VERSION__/rapid7_endpoint_broker,0,system.slice,ir_agent.service,0744',
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
@ -11,9 +11,9 @@
 SELECT
  s.authority AS p0_auth,
  s.identifier AS p0_id,
-  DATETIME(f.ctime, 'unixepoch') AS p0_changed,
-  DATETIME(f.mtime, 'unixepoch') AS p0_modified,
-  (strftime('%s', 'now') - p0.start_time) AS p0_runtime_s,
+  DATETIME (f.ctime, 'unixepoch') AS p0_changed,
+  DATETIME (f.mtime, 'unixepoch') AS p0_modified,
+  (strftime ('%s', 'now') - p0.start_time) AS p0_runtime_s,
  -- Child
  p0.pid AS p0_pid,
  p0.path AS p0_path,
@ -54,7 +54,7 @@ WHERE -- Focus on longer-running programs
      processes
    WHERE
      euid = 0
-      AND start_time < (strftime('%s', 'now') - 900)
+      AND start_time < (strftime ('%s', 'now') - 900)
      AND parent != 0 -- Assume STP
      AND path NOT IN (
        '/Applications/Foxit PDF Reader.app/Contents/MacOS/FoxitPDFReaderUpdateService.app/Contents/MacOS/FoxitPDFReaderUpdateService',
@ -90,10 +90,12 @@ WHERE -- Focus on longer-running programs
        '/Library/PrivilegedHelperTools/com.prosofteng.DRInstaller',
        '/Library/PrivilegedHelperTools/licenseDaemon.app/Contents/MacOS/licenseDaemon',
        '/Library/PrivilegedHelperTools/MHLinkServer.app/Contents/MacOS/MHLinkServer',
+        '/Library/PrivilegedHelperTools/com.kairos.awdltool.xpc',
        '/Library/SystemExtensions/0FDB5206-860F-465C-B4D3-D6A0F43F4302/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension',
        '/Library/SystemExtensions/2DA71D8A-7905-4012-A7D5-0B246D5AA77B/at.obdev.littlesnitch.networkextension.systemextension/Contents/MacOS/at.obdev.littlesnitch.networkextension',
        '/Library/SystemExtensions/4D1BF33A-9817-45D7-A242-8C39810C7F11/com.redcanary.agent.securityextension.systemextension/Contents/MacOS/com.redcanary.agent.securityextension',
        '/Library/SystemExtensions/CC9A335C-A6D0-4C87-B902-45EBDF4BFD85/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension',
+        '/Library/SystemExtensions/49C3C4AF-624C-4E94-992A-4B2B25ED328E/ch.protonvpn.mac.WireGuard-Extension.systemextension/Contents/MacOS/ch.protonvpn.mac.WireGuard-Extension',
        '/opt/homebrew/Cellar/telepresence-arm64/2.7.6/bin/telepresence',
        '/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd',
        '/opt/socket_vmnet/bin/socket_vmnet',