diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
index 43933db..588f964 100644
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@@ -104,6 +104,7 @@ WHERE
 AND basename NOT IN (
 'adguard_dns',
 'apk',
+ 'agentbeat',
 'apko',
 'chrome',
 'com.apple.WebKit.Networking',
@@ -112,6 +113,8 @@ WHERE
 'wolfictl',
 'gvproxy',
 'incusd',
+ 'helm',
+ 'terraform-provi',
 'IPNExtension',
 'Jabra Direct Helper',
 'limactl',
diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql
index b4523cb..31f791d 100644
--- a/detection/c2/unexpected-https-linux.sql
+++ b/detection/c2/unexpected-https-linux.sql
@@ -330,6 +330,8 @@ WHERE
 '500,terraform,500u,500g,terraform',
 '500,terraform-ls,500u,500g,terraform-ls',
 '500,thunderbird,0u,0g,thunderbird',
+ '500,wolfi-package-status,500u,500g,wolfi-package-s',
+ '500,github-desktop,0u,0g,github-desktop',
 '500,thunderbird-bin,u,g,thunderbird-bin',
 '500,thunderbird,u,g,thunderbird',
 '500,tidal-hifi,u,g,tidal-hifi',
diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index d16b0ae..83e2c0e 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@@ -145,7 +145,9 @@ WHERE
 '500,Sky Go,Sky Go,Developer ID Application: Sky UK Limited (GJ24C8864F),com.bskyb.skygoplayer',
 '500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
 '500,syncthing,syncthing,,syncthing',
+ '500,apko,apko,,a.out',
 '500,.Telegram-wrapped,.Telegram-wrapped,,Telegram',
+ '500,java,java,Developer ID Application: Azul Systems, Inc. (TDTHCUPYFR),com.azul.zulu.java',
 '500,trunk,trunk,Developer ID Application: Trunk Technologies, Inc. (LDR5F9BL92),trunk-cli',
 '500,WebexHelper,WebexHelper,Developer ID Application: Cisco (DE8Y96K9QP),Cisco-Systems.SparkHelper',
 '500,zed,zed,Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed'
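Review bot: In `detection/c2/unexpected-dns-traffic-events.sql`, `'agentbeat'` is inserted after `'apk'`, and `'helm'` and `'terraform-provi'` land between `'incusd'` and `'IPNExtension'`, so the exception lists are left unsorted even though this same commit re-sorts the lists in `unexpected-root-libcurl-proc-macos.sql` and `unexpected-talkers-macos.sql`. The same out-of-order insertion shows up in the `unexpected-https-linux.sql`, `unexpected-https-macos.sql`, `unexpected-setuid-binaries.sql`, `high_disk_bytes_read.sql`, `unexpected-shell-parents.sql`, `unexpected-active-systemd-units.sql` and `unexpected-chrome-extensions.sql` hunks. Unsorted allowlists make duplicate or stale exceptions hard to spot in review, so the new entries are better placed at their sorted position, as the libcurl hunk does. Both lists continue outside the hunks.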
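Review bot: The `'500,apko,apko,,a.out'` exception in `detection/c2/unexpected-https-macos.sql` has an empty authority field and the generic `a.out` identifier, so, judging by the field layout of the neighbouring signed entries, it matches any unsigned binary named `apko`. The existing `snyk-ls_darwin_arm64` and `syncthing` lines have the same shape, but each name-only exception widens what this HTTPS check ignores. If the query exposes the executable path, constraining the exception on it would be narrower; otherwise a comment such as `-- unsigned build, matched by name only` would make the trade-off visible. The WHERE clause begins outside the hunk.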
diff --git a/detection/c2/unexpected-root-libcurl-proc-macos.sql b/detection/c2/unexpected-root-libcurl-proc-macos.sql
index b43c0f4..5cf08b3 100644
--- a/detection/c2/unexpected-root-libcurl-proc-macos.sql
+++ b/detection/c2/unexpected-root-libcurl-proc-macos.sql
@@ -43,11 +43,13 @@ WHERE
 p0.euid = 0
 AND pmm.path LIKE '%libcurl%'
 AND p0.name NOT IN (
- 'nix-daemon',
+ 'ir_agent',
 'nix',
- 'velociraptor',
+ 'nix-daemon',
 'osqueryd',
- 'socket_vmnet'
+ 'rapid7_endpoint_broker',
+ 'socket_vmnet',
+ 'velociraptor'
 )
 GROUP BY
 p0.pid
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index a525af2..d2f6012 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -260,11 +260,12 @@ WHERE
 'Apple Mac OS Application Signing,com.ookla.speedtest-macos',
 'Apple Mac OS Application Signing,net.whatsapp.WhatsApp',
 'Apple Mac OS Application Signing,net.whatsapp.WhatsApp.ServiceExtension',
+ 'Developer ID Application: AMZN Mobile LLC (94KV3E626L),lima__bin__limactl',
+ 'Developer ID Application: AMZN Mobile LLC (94KV3E626L),net.java.openjdk.java',
 'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension',
 'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.AdobeResourceSynchronizer',
- 'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.lightroomCC',
 'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
- 'Developer ID Application: AMZN Mobile LLC (94KV3E626L),lima__bin__limactl',
+ 'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.lightroomCC',
 'Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.cst.net.dci.dci-network-extension',
 'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
 'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
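Review bot: In `detection/c2/unexpected-root-libcurl-proc-macos.sql`, `'ir_agent'` and `'rapid7_endpoint_broker'` are exempted by `p0.name` alone for processes with `p0.euid = 0`, so any root process carrying one of those names is skipped by this libcurl check. macOS exposes the code signature, and another file in this commit already lists `Developer ID Application: Rapid7 LLC (UL6CGN7MAL)`; tying these two exceptions to that authority through the `signature` table would keep the noise reduction without trusting a process name. The FROM/JOIN part of the query is outside the hunk, so whether `signature` is already joined cannot be seen here.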
@@ -273,19 +274,19 @@ WHERE
 'Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
 'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
 'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
- 'Developer ID Application: Fellow Insights, Inc. (2NF46HY8D8),com.electron.fellow',
 'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher',
 'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.UE4EditorServices',
+ 'Developer ID Application: Fellow Insights, Inc. (2NF46HY8D8),com.electron.fellow',
 'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fctupdate',
 'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
+ 'Developer ID Application: GUILHERME RAMBO (8C7439RJLG),codes.rambo.AirBuddy.MobileDevicesService',
 'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
 'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.GoogleUpdater',
 'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
- 'Developer ID Application: GUILHERME RAMBO (8C7439RJLG),codes.rambo.AirBuddy.MobileDevicesService',
 'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop',
+ 'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
 'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
 'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.teams2.helper',
- 'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
 'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',
 'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
 'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefoxdeveloperedition',
@@ -297,15 +298,16 @@ WHERE
 'Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
 'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W),com.privateinternetaccess.vpn',
 'Developer ID Application: Red Hat, Inc. (HYSCB8KRL2),gvproxy',
+ 'Developer ID Application: SUPERHUMAN LABS INC. (6XHFYUTQGX),com.superhuman.electron',
+ 'Developer ID Application: SURFSHARK LTD (YHUG37CKN8),com.surfshark.vpnclient.macos.direct',
 'Developer ID Application: Shanghai Lunkuo Technology Co., Ltd (T3UBR9Y3B2),com.bambulab.bambu-studio',
 'Developer ID Application: Signal Messenger, LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
 'Developer ID Application: Skype Communications S.a.r.l (AL798K98FX),com.skype.skype.Helper',
 'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
 'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
 'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
- 'Developer ID Application: TeamDev Ltd. (K436KHQ6D5),com.teamdev.Chromium',
- 'Developer ID Application: SURFSHARK LTD (YHUG37CKN8),com.surfshark.vpnclient.macos.direct',
 'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
+ 'Developer ID Application: TeamDev Ltd. (K436KHQ6D5),com.teamdev.Chromium',
 'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.camtasia2024',
 'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2020',
 'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2024',
diff --git a/detection/credentials/unexpected-dev-opener-macos.sql b/detection/credentials/unexpected-dev-opener-macos.sql
index 0391ab9..13d8683 100644
--- a/detection/credentials/unexpected-dev-opener-macos.sql
+++ b/detection/credentials/unexpected-dev-opener-macos.sql
@@ -89,6 +89,7 @@ WHERE
 '/dev/bpf,airportd,Software Signing,com.apple.airport.airportd',
 '/dev/bpf,core,Developer ID Application: TPZ Solucoes Digitais Ltda (X37R283V2T),com.topaz.warsaw.core',
 '/dev/bpf,packetbeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),packetbeat',
+ '/dev/bpf,com.bjango.istatmenus.daemon,Developer ID Application: Bjango Pty Ltd (Y93TK974AT),com.bjango.istatmenus',
 '/dev/console,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product',
 '/dev/console,kernelmanagerd,Software Signing,com.apple.kernelmanagerd',
 '/dev/console,launchd,Software Signing,com.apple.xpc.launchd',
diff --git a/detection/evasion/unexpected-tmp-executables-linux.sql b/detection/evasion/unexpected-tmp-executables-linux.sql
index 3df2cbb..2f509a8 100644
--- a/detection/evasion/unexpected-tmp-executables-linux.sql
+++ b/detection/evasion/unexpected-tmp-executables-linux.sql
@@ -166,6 +166,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
 OR magic.data LIKE 'ELF 64-bit MSB pie executable, IBM S/390%'
 OR magic.data LIKE 'ELF 32-bit LSB pie executable, ARM, EABI5%'
 OR magic.data LIKE 'symbolic link to %'
+ OR magic.data LIKE 'Linux kernel %'
 )
 )
 AND NOT (
diff --git a/detection/execution/recently-created-executables-long-lived-linux.sql b/detection/execution/recently-created-executables-long-lived-linux.sql
index fb7c4e0..2579ca4 100644
--- a/detection/execution/recently-created-executables-long-lived-linux.sql
+++ b/detection/execution/recently-created-executables-long-lived-linux.sql
@@ -53,6 +53,8 @@ WHERE
 -- What I would give for osquery to support binary signature verification on Linux
 AND NOT p0.path IN (
 '',
+ '/bin/bash',
+ '/bin/sh',
 '/bin/containerd',
 '/bin/containerd-shim-runc-v2',
 '/opt/google/chrome/chrome',
diff --git a/detection/execution/unexpected-env-values-linux.sql b/detection/execution/unexpected-env-values-linux.sql
index 250cb89..caa9e1e 100644
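Review bot: Adding `'/bin/bash'` and `'/bin/sh'` to the `p0.path` exclusion in `detection/execution/recently-created-executables-long-lived-linux.sql` means a shell binary that was itself recently written to disk is no longer reported by this query, and the comment directly above the list already notes that there is no signature verification on Linux to fall back on. Shells are among the binaries where a recent replacement matters most, so a path-only exemption gives up real signal to silence what is presumably package-upgrade noise. If the exemption stays, a comment such as `-- replaced by package updates; tampering covered by <name of covering query>` would record why it is safe. The WHERE clause begins outside the hunk.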
--- a/detection/execution/unexpected-env-values-linux.sql
+++ b/detection/execution/unexpected-env-values-linux.sql
@@ -51,6 +51,7 @@ WHERE -- This time should match the interval
 AND NOT pe.value LIKE '/home/%/.%_history'
 AND NOT pe.value LIKE '~/.%_history'
 AND NOT pe.value LIKE '%/.histfile'
+ AND NOT pe.value LIKE '/root/.%_history'
 )
 OR (
 pe.key = 'LD_PRELOAD'
diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql
index 6dc0583..74f0ef6 100644
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@@ -191,6 +191,7 @@ WHERE
 '500,sdmicmute,sdmicmute,',
 '500,sdzoomplugin,,',
 '500,serial-discovery,a.out,',
+ '500,Keeper Password Manager Helper (GPU),com.callpod.keepermac.lite.helper,Apple Mac OS Application Signing',
 '500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
 '500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
 '500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
diff --git a/detection/execution/unexpected-setuid-binaries.sql b/detection/execution/unexpected-setuid-binaries.sql
index da7d11f..453ca2c 100644
--- a/detection/execution/unexpected-setuid-binaries.sql
+++ b/detection/execution/unexpected-setuid-binaries.sql
@@ -132,6 +132,10 @@ FROM
 '/bin/atrm',
 '/bin/chage',
 '/bin/chfn',
+ '/sbin/mount.cifs',
+ '/sbin/mount.smb3',
+ '/usr/sbin/mount.cifs',
+ '/usr/sbin/mount.smb3',
 '/bin/chsh',
 '/bin/crontab',
 '/bin/doas',
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 7ad8f4e..bdd9e02 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -64,6 +64,7 @@ WHERE
 'ZwiftAppMetal',
 'ZwiftAppSilicon',
 'apko',
+ 'Meeting Center',
 'baloo_file',
 'baloo_file_extr',
 'bash',
@@ -105,6 +106,7 @@ WHERE
 'kube-controller',
 'kube-scheduler',
 'kue',
+ 'goland',
 'launcher',
 'mediawriter',
 'melange',
@@ -118,6 +120,7 @@ WHERE
 'ollama',
 'Autodesk Identity Manager',
 'ollama-runer',
+ 'ollama_llama_server',
 'osqueryd',
 'osqueryi',
 'plasmashell',
diff --git a/detection/exfil/yara-unexpected-rust-http-exec-process.sql b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
index abfa24e..1cb5aa1 100644
--- a/detection/exfil/yara-unexpected-rust-http-exec-process.sql
+++ b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
@@ -67,6 +67,7 @@ WHERE
 'figma_agent',
 'nvim',
 'old',
+ 'rpm-ostree',
 'OrbStack Helper',
 'sg-nvim-agent',
 'stable',
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql
index f9fc5c2..f60a70d 100644
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@@ -225,6 +225,7 @@ WHERE
 'stclairsoft.s3.amazonaws.com',
 'store.steampowered.com',
 'superkey.app',
+ 'superhuman.com',
 'tableplus.com',
 'textexpander.com',
 'transmissionbt.com',
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index 80ec480..7e5abdf 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -159,8 +159,10 @@ WHERE
 'sshd',
 'steam_osx',
 'swift',
+ 'gosec',
 'systemd',
 'terminator',
+ 'kandji-library-manager',
 'terraform',
 'terraform-provi',
 'test2json',
@@ -199,6 +201,7 @@ WHERE
 '/Applications/RStudio.app/Contents/Resources/app/bin/rsession-arm64',
 '/Applications/Amazon Photos.app/Contents/MacOS/Amazon Photos',
 '/bin/dash',
+ '/usr/bin/less',
 '/usr/bin/networksetup',
 '/bin/sh',
 '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent',
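Review bot: `'/usr/bin/less'` is added to a path list in `detection/initial_access/unexpected-shell-parents.sql` without any condition on the child command, which, if this list exempts parent paths as its neighbours suggest, silences every shell started from a pager. A pager can launch a shell on user request, so a blanket exemption is wider than the false positive that presumably prompted it. A scoped clause in the style of the existing sshd/askpass exception, `AND NOT (p1.name = 'less' AND p0.cmdline LIKE '<observed command>')`, would keep the rest of the signal. The column this list filters on is outside the hunk.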
@@ -253,6 +256,10 @@ WHERE
 p1.name = 'sshd'
 AND p0.cmdline LIKE '%askpass%'
 )
+ AND NOT (
+ p1.name = '(udev-worker)'
+ AND p0.cmdline LIKE '/bin/sh -c echo % > /sys/bus/usb/drivers/brcmfmac/new_id'
+ )
 AND NOT (
 p1.name = 'steam'
 AND p0.cmdline LIKE 'sh -c %steamwebhelper.sh%'
diff --git a/detection/initial_access/unexpected-webmail-downloads.sql b/detection/initial_access/unexpected-webmail-downloads.sql
index c5eb0fc..a6d2d86 100644
--- a/detection/initial_access/unexpected-webmail-downloads.sql
+++ b/detection/initial_access/unexpected-webmail-downloads.sql
@@ -74,6 +74,7 @@ WHERE
 'wav',
 'webp',
 'xls',
+ 'xlsb',
 'xlsm',
 'xlsx',
 'xml',
diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql
index 10182f1..c3b90d3 100644
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
@@ -61,6 +61,7 @@ WHERE
 'apache2.service,The Apache HTTP Server,',
 'apcupsd.service,APC UPS Power Control Daemon for Linux,',
 'apparmor.service,Load AppArmor profiles,',
+ 'vnstat.service,vnStat network traffic monitor,vnstat',
 'apport-autoreport.path,Process error reports when automatic reporting is enabled (file watch),',
 'apport-autoreport.service,Process error reports when automatic reporting is enabled,',
 'apport-autoreport.timer,Process error reports when automatic reporting is enabled (timer based),',
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
index 309e40c..765caed 100644
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
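Review bot: The `%` in `'/bin/sh -c echo % > /sys/bus/usb/drivers/brcmfmac/new_id'` (the new udev-worker exception in `detection/initial_access/unexpected-shell-parents.sql`) matches any text, including additional shell commands placed before the redirect, so the exception is wider than the single udev rule it is meant to cover. Since LIKE cannot restrict the wildcard to an id-shaped value, add a guard inside the same parenthesis, for example `AND p0.cmdline NOT LIKE '%;%' AND p0.cmdline NOT LIKE '%&%'`, so a chained command under the same parent still alerts. The WHERE clause begins outside the hunk.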
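Review bot: `'xlsb'` joins what appears to be the list of expected file extensions in `detection/initial_access/unexpected-webmail-downloads.sql`; binary workbooks can carry macros just like the `'xlsm'` entry next to it, so webmail downloads of this type would stop being reported. If that is an accepted trade-off it deserves a comment, e.g. `-- macro-capable format; accepted because <reason>`, and otherwise macro-capable Office formats are better left out of the list so they keep alerting. The start of the list and the column it filters on are outside the hunk.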
@@ -279,6 +279,7 @@ WHERE
 'true,,React Developer Tools,fmkadmapgofadopljbjfkapdkoienihi',
 'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm',
 'true,,Readwise,egfepjgjabnppmaiadpedbgadkcelcbd',
+ 'true,,Fellow: Meeting Notes, Agendas, and 1-on-1s,nomeamlnnhgiickcddocjalmlhdfknpo',
 'true,,Readwise Highlighter,jjhefcfhmnkfeepcpnilbbkaadhngkbi',
 'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb',
 'true,,Redux DevTools,lmhkpmbekcpmknklioeibfkpmmfibljd',
@@ -288,6 +289,7 @@ WHERE
 'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd',
 'true,,SABconnect++,okphadhbbjadcifjplhifajfacbkkbod',
 'true,,Salesforce,jjghhkepijgakdammjldcbnjehfkfmha',
+ 'true,,Video Downloader PLUS,njgehaondchbmjmajphnhlojfnbfokng',
 'true,,SalesLoft Connect,cffgjgigjfgjkfdopbobbdadaelbhepo',
 'true,,SalesLoft Connect - Legacy,cffgjgigjfgjkfdopbobbdadaelbhepo',
 'true,,Save to Google Drive,gmbmikajjgmnabiglmofipeabaddhgne',
diff --git a/detection/persistence/unexpected-launchd-program-arguments.sql b/detection/persistence/unexpected-launchd-program-arguments.sql
index c1777a2..29c3f66 100644
--- a/detection/persistence/unexpected-launchd-program-arguments.sql
+++ b/detection/persistence/unexpected-launchd-program-arguments.sql
@@ -85,6 +85,7 @@ WHERE
 '/Library/Application Support/WirelessAutoImport/WirelessImporterDaemon',
 '/Library/PrivilegedHelperTools/MHLinkServer.app/Contents/MacOS/MHLinkServer',
 '/opt/homebrew/bin/gitsign-credential-cache',
+ '/opt/homebrew/opt/emacs/bin/emacs --fg-daemon',
 '/opt/homebrew/opt/dnsmasq/sbin/dnsmasq --keep-in-foreground -C /opt/homebrew/etc/dnsmasq.conf -7 /opt/homebrew/etc/dnsmasq.d,*.conf',
 '/opt/homebrew/opt/jenkins/bin/jenkins --httpListenAddress=127.0.0.1 --httpPort=8080',
 '/opt/homebrew/opt/mariadb/bin/mysqld_safe',
@@ -95,6 +96,7 @@ WHERE
 '/opt/homebrew/opt/yubikey-agent/bin/yubikey-agent -l /opt/homebrew/var/run/yubikey-agent.sock',
 '/usr/local/MacGPG2/libexec/fixGpgHome'
 )
+ AND program_arguments NOT LIKE '/opt/homebrew/opt/%/bin/%'
 AND program_arguments NOT LIKE '/opt/homebrew/opt/mongodb-community%/bin/mongod --config /opt/homebrew/etc/mongod.conf'
 AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/Grammarly Uninstaller'
 AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/post-uninstall.sh'
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index 0a4725a..fe36868 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -322,6 +322,7 @@ WHERE
 'velociraptor_cl,/usr/local/bin/velociraptor,0,system.slice,velociraptor_client.service,0700',
 'virtiofsd,/opt/incus/bin/virtiofsd,0,system.slice,incus.service,0755',
 'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
+ 'just,/usr/bin/just,0,user.slice,user-1000.slice,0755',
 'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
 'wpa_supplicant,/usr/sbin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
 'xdg-desktop-por,/usr/libexec/xdg-desktop-portal,0,user.slice,user-1000.slice,0755',
diff --git a/detection/persistence/unexpected-uid0-daemon-macos.sql b/detection/persistence/unexpected-uid0-daemon-macos.sql
index 610b53e..65eb716 100644
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
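Review bot: `AND program_arguments NOT LIKE '/opt/homebrew/opt/%/bin/%'` in `detection/persistence/unexpected-launchd-program-arguments.sql` exempts every launchd item whose command starts under `/opt/homebrew/opt/`, and because `%` also matches `/` and spaces it covers any depth and any arguments. The Homebrew prefix is normally writable by the installing user without root, so this pattern hides the user-level launchd persistence the query exists to report. It also makes the specific `/opt/homebrew/opt/<formula>/bin/` entries redundant, including the `emacs --fg-daemon` line added in this same commit and the `mongodb-community` line directly below. Dropping the wildcard and keeping the per-formula entries preserves the detection. The WHERE clause begins outside the hunk.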
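Review bot: `'just,/usr/bin/just,0,user.slice,user-1000.slice,0755'` in `detection/persistence/unexpected-uid0-daemon-linux.sql` allowlists a general-purpose command runner executing as uid 0 inside a user session slice. Unlike the service daemons around it, `just` runs whatever recipe it is handed, so the exception in effect covers arbitrary root commands started through it rather than one known program. If this came from a single long-running task it is safer left to alert; otherwise a comment such as `-- interactive sudo just <task>, observed on <host class>` would record why it is expected. The field meanings are inferred from the neighbouring entries, as the column expression is outside the hunk.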
@@ -87,6 +87,7 @@ WHERE -- Focus on longer-running programs
 '/Library/PrivilegedHelperTools/com.fortinet.forticlient.macos.PrivilegedHelper',
 '/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent',
 '/Library/PrivilegedHelperTools/keybase.Helper',
+ '/Library/PrivilegedHelperTools/com.prosofteng.DRInstaller',
 '/Library/PrivilegedHelperTools/licenseDaemon.app/Contents/MacOS/licenseDaemon',
 '/Library/PrivilegedHelperTools/MHLinkServer.app/Contents/MacOS/MHLinkServer',
 '/Library/SystemExtensions/0FDB5206-860F-465C-B4D3-D6A0F43F4302/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension',
@@ -318,14 +319,13 @@ WHERE -- Focus on longer-running programs
 'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
 'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
 'Developer ID Application: Foxit Corporation (8GN47HTP75)',
- 'Developer ID Application: SURFSHARK LTD (YHUG37CKN8)',
 'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
 'Developer ID Application: Google LLC (EQHXZ8M8AV)',
 'Developer ID Application: Ilya Parniuk (ACC5R6RH47)',
 'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
 'Developer ID Application: Keybase, Inc. (99229SGT5K)',
- 'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
 'Developer ID Application: Kolide Inc (YZ3EM74M78)',
+ 'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
 'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
 'Developer ID Application: MacPaw Inc. (S8EX82NJP6)',
 'Developer ID Application: Mersive Technologies (63B5A5WDNG)',
@@ -333,15 +333,17 @@ WHERE -- Focus on longer-running programs
 'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
 'Developer ID Application: Mullvad VPN AB (CKG9MXH72F)',
 'Developer ID Application: Nordvpn S.A. (W5W395V82Y)',
+ 'Developer ID Application: OPENVPN TECHNOLOGIES, INC. (ACV7L3WCD8)',
+ 'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
 'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
 'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
 'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
- 'Developer ID Application: OPENVPN TECHNOLOGIES, INC. (ACV7L3WCD8)',
- 'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
+ 'Developer ID Application: PROSOFT Engineering, Inc. (L2JPZL6629)',
 'Developer ID Application: Parallels International GmbH (4C6364ACXT)',
 'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)',
 'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
 'Developer ID Application: Ryan Hanson (XSYZ3E4B7D)',
+ 'Developer ID Application: SURFSHARK LTD (YHUG37CKN8)',
 'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
 'Developer ID Application: Tailscale Inc. (W5364U7YZB)',
 'Developer ID Application: Tenable, Inc. (4B8J598M7U)',