Merge pull request #302 from tstromberg/fpr-sep1

False positive flush for common issues seen in August

detection/c2/unexpected-dns-traffic-events.sql

@@ -74,6 +74,9 @@ WHERE
     'coredns,0.0.0.0,53',
     'syncthing,46.162.192.181,53',
     'Socket Process,8.8.8.8,53',
+    'com.docker.backend,8.8.8.8,53',
+    'ZoomPhone,8.8.8.8,53',
+    'ZaloCall,8.8.8.8,53',
     'Meeting Center,8.8.8.8,53',
     'signal-desktop,8.8.8.8,53',
     'slack,8.8.8.8,53',
@@ -90,6 +93,8 @@ WHERE
     'Jabra Direct Helper',
     'nessusd',
     'apko',
+    'IPNExtension',
+    'mDNSResponder',
     'melange',
     'com.apple.WebKit.Networking',
     'apk',

detection/c2/unexpected-https-linux.sql

@@ -87,10 +87,13 @@ WHERE
     '0,pacman,0u,0g,pacman',
     '0,python3.10,0u,0g,dnf',
     '0,python3.10,0u,0g,dnf-automatic',
+    '500,synergy,0u,0g,synergy',
     '0,python3.10,0u,0g,yum',
     '0,python3.11,0u,0g,dnf',
     '0,python3.11,0u,0g,dnf-automatic',
     '0,python3.11,0u,0g,yum',
+    '0,yay,0u,0g,yay',
+    '500,kioslave5,0u,0g,kioslave5',
     '0,rpi-imager,0u,0g,rpi-imager',
     '0,snapd,0u,0g,snapd',
     '0,systemctl,0u,0g,systemctl',
@@ -291,6 +294,7 @@ WHERE
   ) -- Exceptions where we have to be more flexible for the process name
   AND NOT exception_key LIKE '500,node,0u,0g,npm exec %'
   AND NOT exception_key LIKE '500,node,0u,0g,npm install %'
+  AND NOT exception_key LIKE '500,python3.%,0u,0g,pip'
   AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%'
   AND NOT exception_key LIKE '500,terraform-provider-%,500u,500g,terraform-provi'
   AND NOT (

detection/c2/unexpected-https-macos.sql

@@ -109,6 +109,7 @@ WHERE
     '0,EdgeUpdater,EdgeUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.EdgeUpdater',
     '0,Install,Install,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Install',
     '0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
+    '0,com.fortinet.forticlient.macos.vpn.nwextension,com.fortinet.forticlient.macos.vpn.nwextension,Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),com.fortinet.forticlient.macos.vpn.nwextension',
     '0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
     '0,kandji-daemon,kandji-daemon,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-daemon',
     '0,kandji-library-manager,kandji-library-manager,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-library-manager',
@@ -128,6 +129,7 @@ WHERE
     '500,Install Spotify,Install Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.installer',
     '500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
     '500,Java Updater,Java Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.Java-Updater',
+    '500,Kindle,Kindle,TestFlight Beta Distribution,com.amazon.Lassen',
     '500,OneDriveStandaloneUpdater,OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.OneDriveStandaloneUpdater',
     '500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush',
     '500,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
@@ -159,8 +161,8 @@ WHERE
   )
   AND NOT exception_key LIKE '500,tor-%-darwin-brave-%,tor-%-darwin-brave-%,Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),tor-%-darwin-brave-%'
   AND NOT alt_exception_key IN (
-    '0,velociraptor,velociraptor,0u,80g',
     '0,velociraptor,velociraptor,0u,0g',
+    '0,velociraptor,velociraptor,0u,80g',
     '500,apko,apko,0u,0g',
     '500,apko,apko,500u,20g',
     '500,aws,aws,0u,0g',
@@ -169,6 +171,7 @@ WHERE
     '500,chainctl,chainctl,500u,20g',
     '500,chainlink,chainlink,500u,20g',
     '500,cilium,cilium,500u,123g',
+    '500,cloud-sql-proxy,cloud-sql-proxy,500u,20g',
     '500,cosign,cosign,0u,500g',
     '500,cosign,cosign,500u,20g',
     '500,cosign,cosign,500u,80g',
@@ -182,6 +185,7 @@ WHERE
     '500,gitsign,gitsign,500u,20g',
     '500,go,go,500u,80g',
     '500,.man-wrapped,.man-wrapped,0u,500g',
+    '500,pprof,pprof,500u,80g',
     '500,pulumi-resource-gcp,pulumi-resource-gcp,500u,20g',
     '500,sdaudioswitch,sdaudioswitch,500u,20g',
     '500,sdzoomplugin,sdzoomplugin,500u,20g',
@@ -205,6 +209,7 @@ WHERE
     AND (
       p0_cmd LIKE '%/gcloud.py%'
       OR p0_cmd LIKE '%/google-cloud-sdk/bin/%'
+      OR p0_cmd LIKE '%/google-cloud-sdk/platform/%'
       OR p0_cmd LIKE '%pip install%'
       OR p0_cmd LIKE '%googlecloudsdk/core/metrics_reporter.py%'
       OR p0_cmd LIKE '%/bin/aws%'

detection/c2/unexpected-libcurl-user-linux.sql

@@ -67,6 +67,7 @@ WHERE
   p0.euid = 0
   AND pmm.path LIKE '%libcurl%'
   AND NOT exception_key IN (
+    'dnf-automatic,/usr/bin/python__VERSION__,0,system.slice,dnf-automatic-install.service,0755',
     'dnf,/usr/bin/python__VERSION__,0,system.slice,dnf-makecache.service,0755',
     'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
     'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
@@ -78,6 +79,8 @@ WHERE
     'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',
     'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755',
     'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
+    'sddm-helper,/usr/lib/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
+    'sddm,/usr/bin/sddm,0,system.slice,sddm.service,0755',
     'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
     'virtqemud,/usr/sbin/virtqemud,0,system.slice,virtqemud.service,0755',
     'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',

detection/c2/unexpected-talkers-linux.sql

@@ -165,6 +165,7 @@ WHERE
     '80,6,0,zstd,0u,0g,zstd',
     '80,6,100,http,0u,0g,http',
     '80,6,105,http,0u,0g,http',
+    '80,6,42,http,0u,0g,http',
     '80,6,500,aws-iam-authenticator,0u,0g,aws-iam-authent',
     '80,6,500,brave,0u,0g,brave',
     '80,6,500,chrome,0u,0g,chrome',
@@ -236,6 +237,13 @@ WHERE
     AND s.protocol = 6
     AND p.euid > 500
   )
+  AND NOT (
+    p.name = 'java'
+    AND p.cmdline LIKE '/home/%/PhpStorm%'
+    AND s.remote_port > 1024
+    AND s.protocol = 6
+    AND p.euid > 500
+  )
   AND NOT (
     p.name = 'syncthing'
     AND f.filename = 'syncthing'

detection/c2/unexpected-talkers-macos.sql

@@ -117,6 +117,7 @@ WHERE
   )
   AND NOT exception_key IN (
     '0,6,5228,prl_naptd,prl_naptd,Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
+    '0,6,80,fcconfig,fcconfig,Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fcconfig',
     '0,6,80,prl_naptd,prl_naptd,Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
     '500,17,123,Garmin Express,Garmin Express,Developer ID Application: Garmin International (72ES32VZUA),com.garmin.renu.client',
     '500,17,68,com.docker.backend,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
@@ -128,7 +129,9 @@ WHERE
     '500,6,2869,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
     '500,6,32000,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
     '500,6,32400,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
+    '500,6,9123,Elgato Control Center,Elgato Control Center,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.corsair.ControlCenter',
     '500,6,32768,IPNExtension,IPNExtension,Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension',
+    '500,6,3306,dbeaver,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product',
     '500,6,3389,Microsoft Remote Desktop,Microsoft Remote Desktop,Apple Mac OS Application Signing,com.microsoft.rdc.macos',
     '500,6,4070,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
     '500,6,4318,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
@@ -149,9 +152,11 @@ WHERE
     '500,6,80,Google Drive Helper,Google Drive Helper,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.drivefs.helper',
     '500,6,80,IPNExtension,IPNExtension,Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension',
     '500,6,80,Jabra Direct,Jabra Direct,Developer ID Application: GN Audio AS (55LV32M29R),com.jabra.directonline',
+    '500,6,80,jcef Helper,jcef Helper,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),org.jcef.jcef.helper',
     '500,6,80,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
     '500,6,80,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
     '500,6,80,launcher-Helper,launcher-Helper,Developer ID Application: Mojang AB (HR992ZEAE6),com.mojang.mclauncher.helper',
+    '500,6,80,Loom Helper,Loom Helper,Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop.helper',
     '500,6,80,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
     '500,6,80,rpi-imager,rpi-imager,Developer ID Application: Floris Bos (WYH7G79LM6),org.raspberrypi.imagingutility',
     '500,6,80,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
@@ -204,14 +209,16 @@ WHERE
       'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
       'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
       'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
+      'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher',
       'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fctupdate',
       'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
+      'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
       'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
       'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',
       'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
-      'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
       'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefoxdeveloperedition',
       'Developer ID Application: Opera Software AS (A2P9LX4JPN),com.operasoftware.Opera.helper',
+      'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
       'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
       'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
       'Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',

detection/collection/excess-google-drive-folder-exports-macos.sql

@@ -18,6 +18,11 @@ WHERE
   mdfind.query = "kMDItemWhereFroms == 'https://*-drive-data-export.googleusercontent.com*' AND 'kMDItemFSCreationDate >= $time.now(-604800)'"
   -- this seems excessive, but I was having issues with kMDItemFSCreationDate not filtering appropriately
   AND MAX(file.btime, file.ctime, file.mtime) > (strftime('%s', 'now') -604800)
--- "GROUP BY" should be unnecessary, but Kolide seems to require it
-GROUP BY ea.key  
-HAVING total_size > (100*1024*1024) OR num_exports > 1
+  -- "GROUP BY" should be unnecessary, but Kolide seems to require it
+GROUP BY
+  ea.key
+HAVING
+  total_size > (100 * 1024 * 1024)
+  OR num_exports > 1
+ORDER BY
+  file.path ASC

detection/collection/high-disk-bytes-written.sql

@@ -57,6 +57,7 @@ WHERE
     '/opt/homebrew/bin/qemu-system-aarch64',
     '/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd',
     '/usr/bin/apt',
+    '/usr/lib/baloo_file',
     '/usr/bin/aptd',
     '/usr/bin/bash',
     '/usr/bin/bwrap',

detection/credentials/macos_keyboard_sniffer.sql

@@ -66,11 +66,11 @@ WHERE
     'lghub_agent,com.logi.ghub.agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
     'logioptionsplus_agent,com.logi.cp-dev-mgr,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
     'MonitorControl,me.guillaumeb.MonitorControl,Developer ID Application: Joni Van Roost (CYC8C8R4K9)',
+    'osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
     'Rocket,net.matthewpalmer.Rocket,Developer ID Application: Matthew Palmer (Z4JV2M65MH)',
     'skhd,skhd,',
-    'Rocket,net.matthewpalmer.Rocket,Developer ID Application: Matthew Palmer (Z4JV2M65MH)',
-    'TextExpander,com.smileonmymac.textexpander,Developer ID Application: SmileOnMyMac, LLC (7PKJ6G4DXL)',
-    'osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)'
+    'synergy-core,synergy-core,Developer ID Application: Symless Ltd (4HX897Y6GJ)',
+    'TextExpander,com.smileonmymac.textexpander,Developer ID Application: SmileOnMyMac, LLC (7PKJ6G4DXL)'
   )
 GROUP BY
   p0.path

detection/credentials/unexpected-dev-opener-macos.sql

@@ -82,6 +82,7 @@ WHERE
     '/dev/auditsessions,securityd,Software Signing,com.apple.securityd',
     '/dev/autofs,automountd,Software Signing,com.apple.automountd',
     '/dev/bpf,airportd,Software Signing,com.apple.airport.airportd',
+    '/dev/console,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product',
     '/dev/console,kernelmanagerd,Software Signing,com.apple.kernelmanagerd',
     '/dev/console,launchd,Software Signing,com.apple.xpc.launchd',
     '/dev/console,launchd_sim,Software Signing,com.apple.xpc.launchd',

detection/evasion/empty_root_environ_linux.sql

@@ -50,6 +50,7 @@ WHERE
     'nginx',
     'osqueryi',
     'realmd',
+    'dbus-daemon',
     'sedispatch',
     'ssh',
     'sshd',

detection/evasion/hidden-executable.sql

@@ -59,6 +59,8 @@ WHERE
   AND NOT f.directory LIKE '%/.rustup/%'
   AND NOT f.directory LIKE '%/.terraform'
   AND NOT f.directory LIKE '%/.terraform/%'
+  AND NOT f.directory LIKE '%/.docker/cli-plugins'
+  AND NOT f.directory LIKE '%/.cursor/%'
   AND NOT f.directory LIKE '%/.tflint.d/%'
   AND NOT f.directory LIKE '%/.vs-kubernetes/%'
   AND NOT f.directory LIKE '%/.vscode/extensions/%'

detection/evasion/hidden-home-libappsupport.sql

@@ -83,13 +83,9 @@ WHERE
   -- Capture One
   AND NOT (
     file.mode = "0666"
-    AND size > 2000
+    AND size > 1200
     AND size < 4000
-    AND REGEX_MATCH (
-      ".085520434CB685DE008C8DBAB6A46215",
-      "^(\.[0-9A-Z]{32})$",
-      0
-    ) != ""
+    AND REGEX_MATCH (file.filename, "^(\.[0-9A-Z]{32})$", 0) != ""
   )
 GROUP BY
   file.path

detection/evasion/hidden-home-library-dir.sql

@@ -39,6 +39,10 @@ WHERE
     '~/Library/Accessibility/.com.apple.RTTTranscripts_SUPPORT/_EXTERNAL_DATA',
     '~/Library/Finance/.finance_cloud_SUPPORT/_EXTERNAL_DATA',
     '~/Library/Finance/.finance_local_SUPPORT/_EXTERNAL_DATA',
+    '~/Library/com.apple.groupkitd/.syncedGroupStore_SUPPORT/_EXTERNAL_DATA',
+    '~/Library/Finance/.finance_dropbox_SUPPORT/_EXTERNAL_DATA',
+    '~/Library/com.apple.groupkitd/.syncedGroupStore_SUPPORT/_EXTERNAL_DATA/',
+    '~/Library/Preferences/.wrangler',
     '~/Library/Group Containers/.SiriTodayViewExtension/Library',
     '~/Library/Group Containers/.SiriTodayViewExtension',
     '~/Library/Saved Searches/.DockTags',

detection/evasion/unexpected-alf-exceptions-macos.sql

@@ -93,7 +93,10 @@ WHERE
     'Software Signing,com.apple.python3,/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
     'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0'
   )
+  AND NOT exception_key LIKE ',a.out,/Users/%/dev/%,501'
+  AND NOT exception_key LIKE ',org.python.python,/opt/homebrew/Cellar/python@%/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,501'
   AND NOT exception_key LIKE ',a.out,/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy,501'
+  AND NOT exception_key LIKE ',net.java.openjdk.java,/opt/homebrew/Cellar/openjdk/%/libexec/openjdk.jdk/Contents/Home/bin/java,501'
   AND NOT exception_key LIKE ',a.out,/private/var/folders/%/T/GoLand/%,501'
   AND NOT exception_key LIKE ',a.out,/Users/%/GolandProjects/documentation-code-examples/debuggingTutorial/myApp,501'
   AND NOT exception_key LIKE ',node,/opt/homebrew/Cellar/nvm/%/versions/node/v%/bin/node,501'

detection/evasion/unexpected-etc-executables.sql

@@ -92,6 +92,7 @@ WHERE
     '/etc/periodic/daily',
     '/etc/periodic/monthly',
     '/etc/periodic/weekly',
+    '/etc/cloud/clean.d/99-installer-use-networkmanager',
     '/etc/pinentry',
     '/etc/pm/sleep.d',
     '/etc/pop-os/update-motd.d',

detection/evasion/unexpected-hidden-system-paths.sql

@@ -75,6 +75,7 @@ WHERE
     '/.mozilla/',
     '/tmp/.accounts-agent/',
     '/tmp/.audio-agent/',
+    '/tmp/.SIGN.RSA..local-melange.rsa.pub',
     '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
     '/tmp/.content-agent/',
     '/tmp/._contentbarrier_installed',
@@ -149,6 +150,7 @@ WHERE
   AND file.path NOT LIKE '/%bin/bootstrapping/.default_components'
   AND file.path NOT LIKE '/tmp/.#%'
   AND file.path NOT LIKE '/tmp/.lark_cache_%'
+  AND file.path NOT LIKE '/tmp/.cdx.json%'
   AND file.path NOT LIKE '/tmp/.wine-%'
   AND file.path NOT LIKE '/tmp/.%.gcode'
   AND file.path NOT LIKE '/tmp/.vbox-%-ipc/'

detection/evasion/unexpected-tmp-executables-macos.sql

@@ -87,15 +87,12 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
           OR file.path LIKE '/tmp/com.apple.installer%'
           OR file.path LIKE '%/tmp/epdf%'
           OR file.path LIKE '/tmp/flow/%.npmzS_cacachezStmpzSgit-clone%'
-          OR file.filename IN (
-            'mysqld_exporter',
-            'goreleaser'
-          )
+          OR file.filename IN ('mysqld_exporter', 'goreleaser')
         )
       )
       -- Melange
       AND NOT file.directory LIKE '/tmp/melange-guest-%'
-       -- Nix
+      -- Nix
       AND NOT (
         file.directory LIKE '/tmp/tmp%'
         AND gid = 0
@@ -156,6 +153,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
         AND file.uid > 500
         AND extension IN (
           'adoc',
+          'md',
           'bat',
           'java',
           'js',

detection/evasion/unexpected-user-shared-entries.sql

@@ -46,9 +46,11 @@ WHERE
     OR file.path IN (
       '/Users/Shared/.BetaEnrollmentData.plist',
       '/Users/Shared/.betamigrated',
+      '/Users/Shared/.com.intego.reporting.plist',
       '/Users/Shared/.DS_Store',
       '/Users/Shared/.ks.intego_metrics_2.plist',
       '/Users/Shared/.localized',
+      '/Users/Shared/.userfonts.cachedb',
       '/Users/Shared/CleanMyMac X/.licence',
       '/Users/Shared/LogiTuneInstallerStarted.txt',
       '/Users/Shared/.NSVolumeHeap',
@@ -59,6 +61,7 @@ WHERE
       '/Users/Shared/AdobeGCData',
       '/Users/Shared/AdobeGCInfo',
       '/Users/Shared/Audiority',
+      '/Users/Shared/UnrealEngine',
       '/Users/Shared/Canon_Inc_IC',
       '/Users/Shared/CleanMyMac X',
       '/Users/Shared/CleanMyMac X Menu',