Further reduction of false positives

2025-02-09 14:06:53 +00:00 · 2022-10-19 17:07:52 -04:00 · 2022-10-19 17:07:52 -04:00 · f6317c2af8
commit f6317c2af8
parent d8e91bac63
3 changed files with 130 additions and 125 deletions
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -5,8 +5,7 @@
 --
 -- tags: transient state net rapid
 -- platform: linux
-SELECT
-  s.family,
+SELECT s.family,
  protocol,
  s.local_port,
  s.remote_port,
@ -31,13 +30,11 @@ SELECT
    ',',
    p.name
  ) AS exception_key
-FROM
-  process_open_sockets s
+FROM process_open_sockets s
  LEFT JOIN processes p ON s.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN hash ON p.path = hash.path
-WHERE
-  protocol > 0
+WHERE protocol > 0
  AND s.remote_port > 0
  AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
  AND s.remote_address NOT LIKE 'fe80:%'
@ -52,6 +49,91 @@ WHERE
  AND s.remote_address NOT LIKE '::ffff:10.%'
  AND s.remote_address NOT LIKE 'fc00:%'
  AND s.state != 'LISTEN' -- DNS clients
+  AND NOT (
+    (
+      remote_address LIKE '151.101.%'
+      OR remote_address LIKE '140.82.%'
+    )
+    AND remote_port = 443
+    AND protocol = 6
+    AND (
+      parent_path LIKE '/nix/%/bin/bash'
+      OR parent_path LIKE '/nix/%/bin/zsh'
+      OR parent_path LIKE '%/bin/nix'
+      OR p.path LIKE '/nix/store/%'
+    )
+  )
+  AND NOT p.cmdline LIKE 'bash --rcfile /tmp/nix-shell.%' -- Other more complicated situations
+  AND NOT (
+    p.name = 'rootlessport'
+    AND remote_port > 1024
+  )
+  AND NOT (
+    p.name = 'syncthing'
+    AND (
+      remote_port IN (53, 80, 88, 110, 443, 587, 993, 3306, 7451)
+      OR remote_port > 1024
+    )
+  )
+  AND NOT (
+    p.name IN (
+      'chrome',
+      'Google Chrome Helper',
+      'Brave Browser Helper',
+      'Chromium Helper',
+      'Opera Helper'
+    )
+    AND remote_port IN (
+      53,
+      3100,
+      443,
+      80,
+      8006,
+      9000,
+      5004,
+      8009,
+      8080,
+      8888,
+      8443,
+      5228,
+      32211,
+      53,
+      10001,
+      3478,
+      19305,
+      19306,
+      19307,
+      19308,
+      19309
+    )
+  )
+  AND NOT (
+    p.name IN ('thunderbird')
+    AND remote_port IN (53, 143, 443, 587, 465, 585, 993)
+  )
+  AND NOT (
+    p.name IN ('spotify', 'Spotify Helper', 'Spotify')
+    AND remote_port IN (53, 443, 8009, 4070, 32211)
+  )
+  AND NOT (
+    remote_port IN (443, 53)
+    AND p.name LIKE 'terraform-provider-%'
+  )
+  AND NOT (
+    remote_port IN (443, 53)
+    AND p.name LIKE 'npm exec %'
+  )
+  AND NOT (
+    remote_port iN (443, 53)
+    AND p.name LIKE 'kubectl.%'
+  )
+  AND NOT (
+    (
+      p.cmdline LIKE '%google-cloud-sdk/lib/gcloud.py%'
+      OR p.cmdline LIKE "google-cloud-sdk/lib/googlecloudsdk/core/metrics_reporter.py"
+    )
+    AND remote_port IN (80, 53, 443)
+  )
  AND NOT (
    remote_port = 53
    AND protocol IN (6, 17)
@ -297,87 +379,4 @@ WHERE
    '9090,6,500,prometheus',
    '9090,6,500,rootlessport'
  )
-  AND NOT (
-    (
-      remote_address LIKE '151.101.%'
-      OR remote_address LIKE '140.82.%'
-    )
-    AND remote_port = 443
-    AND protocol = 6
-    AND (
-      parent_path LIKE '/nix/%/bin/bash'
-      OR parent_path LIKE '/nix/%/bin/zsh'
-      OR parent_path LIKE '%/bin/nix'
-      OR p.path LIKE '/nix/store/%'
-    )
-  )
-  AND NOT p.cmdline LIKE 'bash --rcfile /tmp/nix-shell.%' -- Other more complicated situations
-  AND NOT (
-    p.name = 'rootlessport'
-    AND remote_port > 1024
-  )
-  AND NOT (
-    p.name = 'syncthing'
-    AND (
-      remote_port IN (53, 80, 88, 110, 443, 587, 993, 3306, 7451)
-      OR remote_port > 1024
-    )
-  )
-  AND NOT (
-    p.name IN (
-      'chrome',
-      'Google Chrome Helper',
-      'Brave Browser Helper',
-      'Chromium Helper',
-      'Opera Helper'
-    )
-    AND remote_port IN (
-      53,
-      3100,
-      443,
-      80,
-      8006,
-      9000,
-      5004,
-      8009,
-      8080,
-      8888,
-      8443,
-      5228,
-      32211,
-      53,
-      10001,
-      3478,
-      19305,
-      19306,
-      19307,
-      19308,
-      19309
-    )
-  )
-  AND NOT (
-    p.name IN ('thunderbird')
-    AND remote_port IN (53, 143, 443, 587, 465, 585, 993)
-  )
-  AND NOT (
-    p.name IN ('spotify', 'Spotify Helper', 'Spotify')
-    AND remote_port IN (53, 443, 8009, 4070, 32211)
-  )
-  AND NOT (
-    remote_port IN (443, 53)
-    AND p.name LIKE 'terraform-provider-%'
-  )
-  AND NOT (
-    remote_port IN (443, 53)
-    AND p.name LIKE 'npm exec %'
-  )
-  AND NOT (
-    remote_port iN (443, 53)
-    AND p.name LIKE 'kubectl.%'
-  )
-  AND NOT (
-    p.cmdline LIKE '%google-cloud-sdk/lib/gcloud.py%'
-    AND remote_port IN (80, 53, 443)
-  )
-GROUP BY
-  p.cmdline
+GROUP BY p.cmdline
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@ -7,6 +7,7 @@
 --   * https://attack.mitre.org/techniques/T1564/001/ (Hide Artifacts: Hidden Files and Directories)
 --
 -- tags: transient often
+-- platform: posix
 SELECT
  p.pid,
  p.path,
@ -64,6 +65,7 @@ WHERE
      'as,~/.cache/yay',
      'c++,~/.cache/yay',
      'cc1plus,~/.cache/yay',
+      'npm install,~/.npm/_cacache',
      'mysqld,~/.local/share'
    )
    OR dir IN (
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
@ -50,117 +50,121 @@ WHERE
  )
  AND enabled = 1
  AND exception_key NOT IN (
+    'false,Anthony Feddersen - Chainguard, Inc.,Chainguard On-Call Chrome Extension,,background', -- TODO: Move to local exceptions list once osqtool supports them
    'false,,Google Chat,mdpkiolbdkhdjpekfbkbmhigcaggjagi,', -- Deprecated Google Extension
    'false,,Google Cloud,gmdcbpephenfeelhagpbceidhdbobfpk,', -- Deprecated Google Extension
    'false,,Google Drive,aghbiahbpaijignceidepookljebhfak,', -- Deprecated Google Extension
    'false,,Google Photos,ncmjhecbjeaamljdfahankockkkdmedg,', -- Deprecated Google Extension
-    'false,Anthony Feddersen - Chainguard, Inc.,Chainguard On-Call Chrome Extension,,background', -- TODO: Move to local exceptions list once osqtool supports them
+    -- SUS
+    'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb,storage, tabs',
    'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk,storage, unlimitedStorage, webRequest, webRequestBlocking, <all_urls>',
    'true,,Add to Amazon Wish List,ciagpekplgpbepdgggflgmahnjgiaced,tabs, http://*/*, https://*/*',
    'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, <all_urls>, tabs, downloads, nativeMessaging, webRequest, webRequestBlocking',
+    'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk,contextMenus, nativeMessaging, storage, tabs, webRequest, webRequestBlocking, http://*/*, https://*/*',
+    'true,AgileBits,1Password – Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa,<all_urls>, contextMenus, downloads, idle, management, nativeMessaging, notifications, privacy, tabs, webNavigation, webRequest, webRequestBlocking',
+    'true,Alexander Shutau,Dark Reader,eimadpbcbfnmbkopoojfekhnkhdbieeh,alarms, fontSettings, storage, tabs, <all_urls>',
+    'true,All uBlock contributors,uBlock - free ad blocker,epcnnfbjfcgphgdmggkamkmgojdagdnn,contextMenus, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, <all_urls>',
+    'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, <all_urls>, contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
+    'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb,tabs, contextMenus, storage, unlimitedStorage, clipboardRead, clipboardWrite, idle, http://*/*, https://*/*, webRequest, webRequestBlocking',
    'true,,BrowserStack Local,mfiddfehmfdojjfdpfngagldgaaafcfo,https://*.bsstag.com/*, https://*.browserstack.com/*, , clipboardWrite, app.window, storage',
    'true,,Capital One Shopping: Add to Chrome for Free,nenlahapcbofgnanklpelkaejcehkggg,tabs, contextMenus, storage, cookies, webRequest, webRequestBlocking, <all_urls>',
    'true,,Caret,fljalecfjciodhpcledpamjachpmelml,clipboardRead, clipboardWrite, contextMenus, storage, notifications, syncFileSystem, app.window.fullscreen.overrideEsc,',
+    'true,chromeos-recovery-tool-admin@google.com,Chromebook Recovery Utility,jndclpdbaamdhonoechobihbbiimdgai,https://dl.google.com/dl/edgedl/chromeos/recovery/recovery2.json, https://dl.google.com/dl/edgedl/chromeos/recovery/cloudready_recovery2.json, https://www.google-analytics.com/, chromeosInfoPrivate, feedbackPrivate, fileSystem, imageWriterPrivate, metricsPrivate, storage',
    'true,,Chrome RDP for Google Cloud Platform,mpbbnannobiobpnfblimoapbephgifkm,clipboardRead, clipboardWrite, unlimitedStorage, storage, notifications, overrideEscFullscreen,',
    'true,,Chrome Remote Desktop,inomeogfingihgjfjlpeplalcfajhgai,clipboardRead, clipboardWrite, nativeMessaging, downloads, downloads.open',
    'true,,Chrome Web Store Payments,nmmhkkegccagdldgiimedpiccmgmieda,identity, webview, https://www.google.com/, https://www.googleapis.com/*, https://payments.google.com/payments/v4/js/integrator.js, https://sandbox.google.com/payments/v4/js/integrator.js',
    'true,,Clear Cache,cppjkneekbjaeellbfkmgnhonkkjfpdn,browsingData, cookies, <all_urls>',
-    'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd,<all_urls>, storage',
    'true,,ClickUp: Tasks, Screenshots, Email, Time,pliibjocnfmkagafnbkfcimonlnlpghj,alarms, identity, storage, unlimitedStorage, tabs, activeTab, notifications, contextMenus, downloads, <all_urls>, http://*/*, https://*/*',
    'true,,Clockify Time Tracker,pmjeegjhjdlccodhacdgbgfagbpmccpe,background, contextMenus, storage, tabs, activeTab, identity, idle, notifications, scripting, alarms',
-    'true,,Cloud Vision,nblmokgbialjjgfhfofbgfcghhbkejac,clipboardWrite, contextMenus, notifications, file://*, <all_urls>',
+    'true,Clockwise Inc.,Clockwise: Team Time & Calendar Management,hjcneejoopafkkibfbcaeoldpjjiamog,activeTab, https://calendar.google.com/calendar/*',
    'true,,Cloud9,nbdmccoknlfggadpfkmcpnamfnbkmkcp,clipboardRead, clipboardWrite',
+    'true,,Cloud Vision,nblmokgbialjjgfhfofbgfcghhbkejac,clipboardWrite, contextMenus, notifications, file://*, <all_urls>',
    'true,,coLaboratory Notebook,pianggobfjcgeihlmfhfgkfalopndooo,identity, , webview, , unlimitedStorage, storage, clipboardRead, clipboardWrite,',
    'true,,ColorPick Eyedropper,ohcpnigalekghcmgcdcenkpelffpdolg,activeTab, tabs, <all_urls>, storage, alarms',
+    'true,,Copper CRM for Gmail,hpfmedbkgaakgagknibnonpkimkibkla,https://app.copper.com/, *://*.googleusercontent.com/proxy/*, *://calendar.google.com/*, *://mail.google.com/*, notifications, storage, tabs, webRequest, webRequestBlocking',
    'true,,Copper CRM for Gmail,hpfmedbkgaakgagknibnonpkimkibkla,https://app.copper.com/, webRequest, webRequestBlocking, *://mail.google.com/*, tabs, storage, notifications, *://calendar.google.com/*',
    'true,,CSS Scan,gieabiemggnpnminflinemaickipbebg,storage, activeTab, <all_urls>, contextMenus, clipboardWrite',
    'true,,DEPRECATED Secure Shell App,pnhechapfaindjhompbnflcldabbghjo,clipboardRead, clipboardWrite, idle, notifications, storage, terminalPrivate, unlimitedStorage, fileSystemProvider, accessibilityFeatures.read, crashReportPrivate, metricsPrivate',
-    'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg,contextMenus, webRequest, webRequestBlocking, :///*, webNavigation, activeTab, tabs, storage, <all_urls>, alarms',
    'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg,contextMenus, webRequest, webRequestBlocking, *://*/*, webNavigation, activeTab, tabs, storage, <all_urls>, alarms',
+    'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg,contextMenus, webRequest, webRequestBlocking, :///*, webNavigation, activeTab, tabs, storage, <all_urls>, alarms',
    'true,,EditThisCookie,fngmhnnpilhplaeedifhccceomclgfbg,tabs, <all_urls>, cookies, contextMenus, notifications, clipboardWrite, webRequest, webRequestBlocking',
    'true,,Endpoint Verification,callobklhcbilhphinckomhgkigmfocg,cookies, idle, nativeMessaging, storage, *://*.google.com/*, download, enterprise.reportingPrivate, browsingData, enterprise.deviceAttributes, enterprise.platformKeys, gcm, identity, identity.email, platformKeys',
    'true,,Eno® from Capital One®,clmkdohmabikagpnhjmgacbclihgmdje,activeTab, tabs, storage, cookies, webRequest, webRequestBlocking, https://*.capitalone.com/*, http://*.capitalone.com/*',
    'true,,Espruino Web IDE,bleoifhkdalbjfbobjackfdifdneehpo,serial, audioCapture, videoCapture, , storage, http://*/, https://*/',
    'true,,Event Merge for Google Calendar™,idehaflielbgpaokehlhidbjlehlfcep,https://www.google.com/calendar/*, https://calendar.google.com/*, storage',
+    'true,ExpressVPN,ExpressVPN: VPN proxy for a better internet,fgddmllnllkalaagkghckoinaemmogpe,cookies, nativeMessaging, privacy, storage, webRequest, webRequestBlocking, tabs, unlimitedStorage, notifications, <all_urls>',
+    'true,eyeo GmbH,Adblock Plus - free ad blocker,cfhdojbkjhnklbpkdaibdccddilifddb,<all_urls>, contextMenus, notifications, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking',
    'true,,Facebook Pixel Helper,fdgfkebogiimcoedlicjlajpkdmockpc,tabs, webNavigation, webRequest, webRequestBlocking, storage, identity, *://*/*, clipboardWrite',
    'true,,Google Analytics Parameter Stripper,jbgedkkfkohoehhkknnmlodlobbhafge,webNavigation, <all_urls>',
-    'true,,WiseStamp email signature,pbcgnkmbeodkmiijjfnliicelkjfcldg,*://*.wisestamp.com/*, http://local.wisestamp.com:9081/*, https://local.wisestamp.com:8080/*, cookies',
-    'true,,Loom – Free Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb,tabCapture, webNavigation, activeTab, contextMenus, storage, tabs, desktopCapture, notifications, cookies, *://*.useloom.com/, *://*.loom.com/, http://localhost/*',
    'true,,Google Docs Offline,ghbmnnjooekpmoecnnnilnnbdlolhkhi,alarms, storage, unlimitedStorage, https://docs.google.com/*, https://drive.google.com/*',
    'true,,Google Drive,apdfllckaahabafndbhieahigkjlhalf,clipboardRead, clipboardWrite, notifications',
    'true,,Google Hangouts,nckgahadagoaajjgafhacjanaoiihapd,alarms, background, cookies, idle, notifications, storage, system.display, tabs, *://*.google.com/*',
-    'true,,Google Keep - Notes and Lists,hmjkmjkepdijhoojdojkdfohbdgmmhki,fileSystem, identity, identity.email, storage, unlimitedStorage, https://*.googleapis.com/, https://keep.google.com/media/, https://*.googleusercontent.com/, https://*.client-channel.google.com/client-channel, https://clients4.google.com/client-channel/client, https://www.google-analytics.com/, https://www.google.com/, https://play.google.com/log, geolocation, management, notifications',
    'true,,Google Keep Chrome Extension,lpcaedmchfhocbbapmcbpinfpgnhiddi,activeTab, identity, identity.email, contextMenus, file://*/*, http://*/, https://*/, storage, tabs, unlimitedStorage',
+    'true,,Google Keep - Notes and Lists,hmjkmjkepdijhoojdojkdfohbdgmmhki,fileSystem, identity, identity.email, storage, unlimitedStorage, https://*.googleapis.com/, https://keep.google.com/media/, https://*.googleusercontent.com/, https://*.client-channel.google.com/client-channel, https://clients4.google.com/client-channel/client, https://www.google-analytics.com/, https://www.google.com/, https://play.google.com/log, geolocation, management, notifications',
    'true,,Google Mail Checker,mihcahmgecmbnbcchbopgniflfhgnkff,alarms, tabs, webNavigation, *://*.google.com/',
    'true,,Google Optimize,bhdplaindhdkiflmbfbciehdccfhegci,storage, debugger, webRequest, webRequestBlocking, tabs, http://*/, https://*/',
    'true,,Google Play Books,mmimngoggfoobjdlefbcabngfnmieonb,clipboardWrite, unlimitedStorage',
    'true,,Grammarly: Grammar Checker and Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen,http://*/*, https://*/*, tabs, notifications, cookies, storage',
    'true,,GSConnect,jfnifeihccihocjbfcfhicmmgpjicaec,nativeMessaging, tabs, contextMenus',
+    'true,Guilherme Nascimento,Prevent Duplicate Tabs,eednccpckdkpojaiemedoejdngappaag,tabs',
    'true,,Honey: Automatic Coupons & Cash Back,bmnlcjabgnpnenekpadlanbbkooimhnj,cookies, storage, unlimitedStorage, webRequest, webRequestBlocking, http://*/*, https://*/*',
    'true,,HTTPS Everywhere,gcbommkclmclpchllfjekcdonpmejbdp,webNavigation, webRequest, webRequestBlocking, tabs, cookies, storage, *://*/*, ftp://*/*',
+    'true,https://metamask.io,MetaMask,nkbihfbeogaeaoehlefnkodbefgpgknn,storage, unlimitedStorage, clipboardWrite, http://localhost:8545/, https://*.infura.io/, https://chainid.network/chains.json, https://lattice.gridplus.io/*, activeTab, webRequest, *://*.eth/, notifications',
+    'true,James Anderson,LeechBlock NG,blaaajhemilngeeffpbfkdjjoefldkok,downloads, contextMenus, storage, tabs, unlimitedStorage, webNavigation',
    'true,,Jitsi Meetings,kglhbbefdnlheedjiejgomgmfplipfeb,https://calendar.google.com/*',
    'true,,JSON Formatter,bcjindcccaagfpapjjmafapmmgkkhgoa,*://*/*, <all_urls>',
+    'true,Kas Elvirov,GitHub Gloc,kaodcnpebhdbpaeeemkiobcokcnegdki,storage, *://*.github.com/*',
+    'true,Keepa GmbH,Keepa - Amazon Price Tracker,neebplgakaahbhdphmkckjjcegoiijjo,storage, cookies, contextMenus, *://*.keepa.com/*, *://*.amazon.com/*, *://*.amzn.com/*, *://*.amazon.co.uk/*, *://*.amazon.de/*, *://*.amazon.fr/*, *://*.amazon.it/*, *://*.amazon.ca/*, *://*.amazon.com.mx/*, *://*.amazon.es/*, *://*.amazon.co.jp/*, *://*.amazon.in/*, *://*.amazon.com.br/*, *://*.amazon.nl/*, *://*.amazon.com.au/*',
+    'true,LastPass,LastPass: Free Password Manager,hdokiejnpimakedhajhdlcegeplioahd,tabs, idle, notifications, contextMenus, unlimitedStorage, webRequest, webNavigation, webRequestBlocking, http://*/*, https://*/*, chrome://favicon/*',
    'true,,Lolli: Earn Bitcoin When You Shop,fleenceagaplaefnklabikkmocalkcpo,<all_urls>, tabs, webNavigation, webRequest',
-    -- SUS
    'true,,Loom – Free Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb,<all_urls>, tabCapture, webNavigation, activeTab, contextMenus, storage, tabs, desktopCapture, notifications, cookies, *://*.useloom.com/, *://*.loom.com/, http://localhost/*',
+    'true,,Loom – Free Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb,tabCapture, webNavigation, activeTab, contextMenus, storage, tabs, desktopCapture, notifications, cookies, *://*.useloom.com/, *://*.loom.com/, http://localhost/*',
    'true,,Lucidchart Diagrams,apboafhkiegglekeafbckfjldecefkhn,unlimitedStorage, notifications, clipboardRead, clipboardWrite',
    'true,,Markdown Preview Plus,febilkbfcbhebfnokafefeacimjdckgl,storage, clipboardWrite, <all_urls>',
+    'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka,tabs, background, webNavigation, storage, <all_urls>, webRequest, webRequestBlocking, downloads, notifications',
    'true,,Notion Web Clipper,knheggckgoiihginacbkhaalnibhilkk,activeTab, storage, cookies',
    'true,,Office Editing for Docs, Sheets & Slides,gbkeegbaiigmenfmjfclcdgdpimamgkj,clipboardRead, clipboardWrite, cookies, downloads, *://*.google.com/*, fileSystem, fileSystem.write, https://www.google-analytics.com/, https://www.googleapis.com/, identity, identity.email, metricsPrivate, storage, unlimitedStorage',
+    'true,,Okta Browser Plugin,glnpjglilkicbckjpbgcfkogebgllemb,tabs, cookies, https://*/, http://*/, storage, unlimitedStorage, webRequest, webRequestBlocking, webNavigation',
    'true,,OneTab,chphlpgkkbolifaimnlloiipkdnihall,chrome://favicon/, unlimitedStorage, storage, tabs, contextMenus, activeTab',
+    'true,Opera Software AS,Rich Hints Agent,enegjkbbakeegngfapepobipndnebkdk,boosterPrivate, cashbackPrivate, browserSidebarPrivate, downloads, history, limitersPrivate, management, operaBrowserPrivate, powerSavePrivate, richHintsAgentPrivate, settingsPrivate, speeddialPrivate, storage, tabs, uiTrackerPrivate, windows, http://*/, https://*/',
    'true,,Page Analytics (by Google),fnbdnhhicmebfgdgglcdacdapkcihcoh,storage, https://www.googleapis.com/, tabs, *://*/*, background, cookies, *://*.google.com/*, webNavigation, webRequest, *://*.google-analytics.com/*, *://stats.g.doubleclick.net/*',
    'true,,Password Alert,noondiphcddnnabmjcihcjfbhfklnnep,identity, identity.email, notifications, storage, tabs, <all_urls>',
+    'true,Pawel Psztyc,Advanced REST client,hgmloofddffdnphfgcellkdfbfbjeloo,<all_urls>, storage, unlimitedStorage, identity, syncFileSystem,',
    'true,,Picture-in-Picture Extension (by Google),hkgfoiooedgoejojocmhlaklaeopbecg,<all_urls>, storage',
    'true,,Postman,fhbjgbiflinjbdggehcddcbncdddomop,webview, system.display, http://*/*, https://*/*, contextMenus, unlimitedStorage, storage, fileSystem, fileSystem.write, notifications, identity,',
    'true,,Privacy Badger,pkehgijcmpdhfbdbbnkijodmdjhbjlgp,tabs, http://*/*, https://*/*, webNavigation, webRequest, webRequestBlocking, storage, privacy',
    'true,,Private Internet Access,jplnlifepflhkbkgonidnobkakhmpnmh,activeTab, storage, unlimitedStorage, cookies, webRequest, webRequestBlocking, proxy, privacy, contentSettings, alarms, background, downloads, <all_urls>',
    'true,,QuillBot for Chrome,iidnbdjijdkbmajdffnidomddglmieko,alarms, cookies, storage, activeTab, contextMenus, notifications, scripting',
+    'true,Raymond Hill & contributors,uBlock Origin,cjpalhdlnbpafiamejdnhcphjbkeiagm,contextMenus, privacy, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, <all_urls>',
    'true,,React Developer Tools,fmkadmapgofadopljbjfkapdkoienihi,file:///*, http://*/*, https://*/*',
+    'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm,tabs, activeTab, contextMenus, http://*/*, https://*/*, storage',
+    'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb,https://*.reddit.com/*, tabs, history, storage, unlimitedStorage, webRequest',
    'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd,tabs, http://*/*, https://*/*, storage',
    'true,,Save to Google Drive,gmbmikajjgmnabiglmofipeabaddhgne,contextMenus, identity, printerProvider, notifications, pageCapture, storage, tabs, webRequest, <all_urls>',
    'true,,Save to Pocket,niloccemoadcdkdjlinkgdfekeahmflj,tabs, contextMenus, cookies, storage',
-    'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd,clipboardRead, clipboardWrite, contextMenus, idle, notifications, storage, terminalPrivate, unlimitedStorage, fileSystemProvider, accessibilityFeatures.read, crashReportPrivate, metricsPrivate',
    'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd,clipboardRead, clipboardWrite, contextMenus, idle, notifications, storage, terminalPrivate, unlimitedStorage, fileSystemProvider, accessibilityFeatures.read',
+    'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd,clipboardRead, clipboardWrite, contextMenus, idle, notifications, storage, terminalPrivate, unlimitedStorage, fileSystemProvider, accessibilityFeatures.read, crashReportPrivate, metricsPrivate',
    'true,,Send to Kindle for Google Chrome™,cgdjpilhipecahhcilnafpblkieebhea,tabs, <all_urls>, storage, unlimitedStorage',
    'true,,Session Buddy,edacconmaakjimmfgnblocblbcdcpbko,tabs, unlimitedStorage',
    'true,,Slack,jeogkiiogjbmhklcnbgkdcjoioegiknm,unlimitedStorage, notifications, clipboardRead, clipboardWrite',
    'true,,SSH for Google Cloud Platform,ojilllmhjhibplnppnamldakhpmdnibd,clipboardRead, clipboardWrite',
    'true,,Super Dark Mode,nlgphodeccebbcnkgmokeegopgpnjfkc,storage, <all_urls>, contextMenus',
    'true,,Superhuman,dcgcnpooblobhncpnddnhoendgbnglpn,background, gcm, notifications, storage, system.cpu, system.display, system.memory, tabs, unlimitedStorage, <all_urls>',
-    'true,,Tab Wrangler,egnjhciaieeiiohknchakcodbpgjnchh,contextMenus, sessions, storage, tabs',
    'true,,Tabli,igeehkedfibbnhbfponhjjplpkeomghi,storage, tabs, bookmarks, chrome://favicon/*',
+    'true,,Tab Wrangler,egnjhciaieeiiohknchakcodbpgjnchh,contextMenus, sessions, storage, tabs',
    'true,,Tag Assistant Legacy (by Google),kejbdjndbnbjgmefkgdddjlbokphdefk,identity, storage, tabs, webNavigation, webRequestBlocking, webRequest, http://*/, https://*/',
    'true,,Todoist for Chrome,jldhpllghnbhlbpcmnajkpdmadaolakh,storage, tabs, contextMenus, webRequest, webRequestBlocking, http://*.todoist.com/*, https://*.todoist.com/*, background, declarativeNetRequestWithHostAccess',
+    'true,Tulio Ornelas <ornelas.tulio@gmail.com>,JSON Viewer,gbmdgpbipfallnflgajpaliibnhdgobh,*://*/*, <all_urls>',
    'true,,Ubiquiti Device Discovery Tool,hmpigflbjeapnknladcfphgkemopofig,system.network, clipboardRead, clipboardWrite, notifications, storage, unlimitedStorage,',
    'true,,UET Tag Helper (by Microsoft Advertising),naijndjklgmffmpembnkfbcjbognokbf,activeTab, downloads, tabs, webNavigation, webRequest, http://*/, https://*/',
    'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki,clipboardWrite, contextMenus, notifications',
    'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, clipboardRead, storage, sessions, notifications, webNavigation, <all_urls>',
-    'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb,<all_urls>, proxy, management, tabs, webRequest, webRequestBlocking, activeTab, storage, unlimitedStorage, contextMenus, privacy, webNavigation, notifications, cookies',
-    'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle,unlimitedStorage, https://www.google.com/calendar/*, https://www.google.com/recaptcha/*, https://www.gstatic.com/recaptcha/*, https://calendar.google.com/calendar/*, https://*.zoom.us/*, https://*.zoom.com/*',
-    'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb,storage, tabs',
-    'true,AgileBits,1Password – Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa,<all_urls>, contextMenus, downloads, idle, management, nativeMessaging, notifications, privacy, tabs, webNavigation, webRequest, webRequestBlocking',
-    'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk,contextMenus, nativeMessaging, storage, tabs, webRequest, webRequestBlocking, http://*/*, https://*/*',
-    'true,Alexander Shutau,Dark Reader,eimadpbcbfnmbkopoojfekhnkhdbieeh,alarms, fontSettings, storage, tabs, <all_urls>',
-    'true,All uBlock contributors,uBlock - free ad blocker,epcnnfbjfcgphgdmggkamkmgojdagdnn,contextMenus, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, <all_urls>',
-    'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, <all_urls>, contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
-    'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb,tabs, contextMenus, storage, unlimitedStorage, clipboardRead, clipboardWrite, idle, http://*/*, https://*/*, webRequest, webRequestBlocking',
-    'true,chromeos-recovery-tool-admin@google.com,Chromebook Recovery Utility,jndclpdbaamdhonoechobihbbiimdgai,https://dl.google.com/dl/edgedl/chromeos/recovery/recovery2.json, https://dl.google.com/dl/edgedl/chromeos/recovery/cloudready_recovery2.json, https://www.google-analytics.com/, chromeosInfoPrivate, feedbackPrivate, fileSystem, imageWriterPrivate, metricsPrivate, storage',
-    'true,Clockwise Inc.,Clockwise: Team Time & Calendar Management,hjcneejoopafkkibfbcaeoldpjjiamog,activeTab, https://calendar.google.com/calendar/*',
-    'true,eyeo GmbH,Adblock Plus - free ad blocker,cfhdojbkjhnklbpkdaibdccddilifddb,<all_urls>, contextMenus, notifications, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking',
-    'true,Guilherme Nascimento,Prevent Duplicate Tabs,eednccpckdkpojaiemedoejdngappaag,tabs',
-    'true,https://metamask.io,MetaMask,nkbihfbeogaeaoehlefnkodbefgpgknn,storage, unlimitedStorage, clipboardWrite, http://localhost:8545/, https://*.infura.io/, https://chainid.network/chains.json, https://lattice.gridplus.io/*, activeTab, webRequest, *://*.eth/, notifications',
-    'true,James Anderson,LeechBlock NG,blaaajhemilngeeffpbfkdjjoefldkok,downloads, contextMenus, storage, tabs, unlimitedStorage, webNavigation',
-    'true,Keepa GmbH,Keepa - Amazon Price Tracker,neebplgakaahbhdphmkckjjcegoiijjo,storage, cookies, contextMenus, *://*.keepa.com/*, *://*.amazon.com/*, *://*.amzn.com/*, *://*.amazon.co.uk/*, *://*.amazon.de/*, *://*.amazon.fr/*, *://*.amazon.it/*, *://*.amazon.ca/*, *://*.amazon.com.mx/*, *://*.amazon.es/*, *://*.amazon.co.jp/*, *://*.amazon.in/*, *://*.amazon.com.br/*, *://*.amazon.nl/*, *://*.amazon.com.au/*',
-    'true,LastPass,LastPass: Free Password Manager,hdokiejnpimakedhajhdlcegeplioahd,tabs, idle, notifications, contextMenus, unlimitedStorage, webRequest, webNavigation, webRequestBlocking, http://*/*, https://*/*, chrome://favicon/*',
-    'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka,tabs, background, webNavigation, storage, <all_urls>, webRequest, webRequestBlocking, downloads, notifications',
-    'true,Opera Software AS,Rich Hints Agent,enegjkbbakeegngfapepobipndnebkdk,boosterPrivate, cashbackPrivate, browserSidebarPrivate, downloads, history, limitersPrivate, management, operaBrowserPrivate, powerSavePrivate, richHintsAgentPrivate, settingsPrivate, speeddialPrivate, storage, tabs, uiTrackerPrivate, windows, http://*/, https://*/',
-    'true,Pawel Psztyc,Advanced REST client,hgmloofddffdnphfgcellkdfbfbjeloo,<all_urls>, storage, unlimitedStorage, identity, syncFileSystem,',
-    'true,Raymond Hill & contributors,uBlock Origin,cjpalhdlnbpafiamejdnhcphjbkeiagm,contextMenus, privacy, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, <all_urls>',
-    'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb,https://*.reddit.com/*, tabs, history, storage, unlimitedStorage, webRequest',
-    'true,Tulio Ornelas <ornelas.tulio@gmail.com>,JSON Viewer,gbmdgpbipfallnflgajpaliibnhdgobh,*://*/*, <all_urls>',
-    'true,,Okta Browser Plugin,glnpjglilkicbckjpbgcfkogebgllemb,tabs, cookies, https:///, http:///, storage, unlimitedStorage, webRequest, webRequestBlocking, webNavigation',
+    'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd,<all_urls>, storage',
+    'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webNavigation, webRequest',
    'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webRequest, webNavigation, http://*/*, https://*/*',
-    'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webNavigation, webRequest'
+    'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb,<all_urls>, proxy, management, tabs, webRequest, webRequestBlocking, activeTab, storage, unlimitedStorage, contextMenus, privacy, webNavigation, notifications, cookies',
+    'true,,WiseStamp email signature,pbcgnkmbeodkmiijjfnliicelkjfcldg,*://*.wisestamp.com/*, http://local.wisestamp.com:9081/*, https://local.wisestamp.com:8080/*, cookies',
+    'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle,unlimitedStorage, https://www.google.com/calendar/*, https://www.google.com/recaptcha/*, https://www.gstatic.com/recaptcha/*, https://calendar.google.com/calendar/*, https://*.zoom.us/*, https://*.zoom.com/*'
  )
 GROUP BY
  exception_key