Merge pull request #387 from tstromberg/fpr-sep24

fpr: cups, zed, pycharm, msedge, surfshark, ubiquiti

detection/c2/unexpected-dns-traffic-events.sql

@@ -87,6 +87,7 @@ WHERE
     'nuclei,1.0.0.1,53',
     'distnoted,8.8.8.8,53',
     'limactl,8.8.8.8,53',
+    'msedge,8.8.8.8,53',
     'adguard_dns,1.0.0.1,53',
     'coredns,8.8.8.8,53',
     'signal-desktop,8.8.8.8,53',

detection/c2/unexpected-https-linux.sql

@@ -155,6 +155,7 @@ WHERE
     '500,com.docker.extensions,0u,0g,com.docker.exte',
     '500,containerd,u,g,containerd',
     '500,copilot-agent-linux,500u,500g,copilot-agent-l',
+    '500,copilot-language-server,500u,500g,copilot-languag',
     '500,copy-from-gs,500u,500g,copy-from-gs',
     '500,cosign,500u,500g,cosign',
     '500,cosign-linux-amd64,0u,0g,cosign',
@@ -207,6 +208,7 @@ WHERE
     '500,goa-daemon,0u,0g,goa-daemon',
     '500,___go_build_main_go,500u,500g,___go_build_mai',
     '500,gobuster,500u,500g,gobuster',
+    '500,goland,500u,500g,goland',
     '500,go,u,g,go',
     '500,grafana,u,g,grafana',
     '500,grype,0u,0g,grype',
@@ -279,6 +281,7 @@ WHERE
     '500,podman,0u,0g,podman',
     '500,promoter,500u,500g,promoter',
     '500,publish-release,500u,500g,publish-release',
+    '500,pycharm,500u,500g,pycharm',
     '500,python3,0u,0g,python3',
     '500,python3.10,0u,0g,aws',
     '500,python3.10,0u,0g,python',
@@ -335,6 +338,7 @@ WHERE
     '500,todoist,0u,0g,todoist',
     '500,trivy,0u,0g,trivy',
     '500,trivy,500u,500g,trivy',
+    '0,chainctl,500u,500g,chainctl',
     '500,ubuntu-report,0u,0g,ubuntu-report',
     '500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
     '500,wget,0u,0g,wget',

detection/c2/unexpected-https-macos.sql

@@ -265,6 +265,7 @@ WHERE
       OR p0_cmd LIKE '%/google-cloud-sdk/platform/%'
       OR p0_cmd LIKE '%pip install%'
       OR p0_cmd LIKE '%pip3 install%'
+      OR p0_cmd LIKE '%__pip-runner__.py install%'
       OR p0_cmd LIKE '%googlecloudsdk/core/metrics_reporter.py%'
       OR p0_cmd LIKE '%/bin/aws%'
       OR p0_cmd LIKE "%/gsutil/gsutil %"
@@ -275,6 +276,7 @@ WHERE
       OR p0_cmd LIKE '%ipykernel_launcher %'
       OR p0_cmd LIKE '%/Python update_plugins.py'
       OR p0_cmd LIKE '%/pydevd.py'
+      OR p0_cmd LIKE '%anaconda-navigator%'
     )
   ) -- theScore and other iPhone apps
   AND NOT (

detection/c2/unexpected-talkers-linux.sql

@@ -87,9 +87,9 @@ WHERE
     '123,17,500,chronyd,0u,0g,chronyd',
     '4070,6,500,spotify,u,g,spotify',
     '49152,6,500,ContinuityCaptureAgent,Software Signing',
+    '587,6,500,perl,0u,0g,git-send-email',
     '67,17,0,NetworkManager,0u,0g,NetworkManager',
     '8000,6,500,brave,0u,0g,brave',
-    '587,6,500,perl,0u,0g,git-send-email',
     '8000,6,500,chrome,0u,0g,chrome',
     '8000,6,500,firefox,0u,0g,firefox',
     '80,6,0,grep,0u,0g,grep',
@@ -103,9 +103,10 @@ WHERE
     '80,6,0,pdftex,0u,0g,pdftex',
     '80,6,0,python3.10,0u,0g,dnf',
     '80,6,0,python3.10,0u,0g,dnf-automatic',
+    '80,6,0,python3.12,500u,500g,dnf-automatic',
     '80,6,0,python3.10,0u,0g,yum',
     '80,6,0,python3.11,0u,0g,dnf',
-    '80,6,500,http,0u,0g,http',
+    '5222,6,500,msedge,0u,0g,msedge',
     '80,6,0,python3.11,0u,0g,dnf-automatic',
     '80,6,0,python3.11,0u,0g,yum',
     '80,6,0,python3.12,0u,0g,dnf',
@@ -138,13 +139,15 @@ WHERE
     '80,6,500,flatpak,0u,0g,flatpak',
     '80,6,500,git-remote-http,0u,0g,git-remote-http',
     '80,6,500,gnome-software,0u,0g,gnome-software',
+    '80,6,500,http,0u,0g,http',
     '80,6,500,http,u,g,http',
     '80,6,500,java,0u,0g,java',
     '80,6,500,java,u,g,java',
     '80,6,500,main,500u,500g,main',
     '80,6,500,mconvert,500u,500g,mconvert',
     '80,6,500,mediawriter,u,g,mediawriter',
     '80,6,500,melange,500u,500g,melange',
+    '80,6,500,msedge,0u,0g,msedge',
     '80,6,500,obs-browser-page,u,g,obs-browser-pag',
     '80,6,500,pacman,0u,0g,pacman',
     '80,6,500,python3.10,0u,0g,aws',

detection/c2/unexpected-talkers-macos.sql

@@ -125,6 +125,7 @@ WHERE
     '500,17,123,agent,agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),agent',
     '500,17,123,Garmin Express,Garmin Express,Developer ID Application: Garmin International (72ES32VZUA),com.garmin.renu.client',
     '500,17,32768,Luna Display,Luna Display,Developer ID Application: Astro HQ LLC (8356ZZ8Y5K),com.astro-hq.LunaDisplayMac',
+    '500,17,68,com.docker.backend,com.docker.backend,500u,80g',
     '500,17,68,com.docker.backend,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
     '500,17,8801,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos',
     '500,17,9000,Meeting Center,Meeting Center,Developer ID Application: Cisco (DE8Y96K9QP),com.webex.meetingmanager',
@@ -142,7 +143,6 @@ WHERE
     '500,6,3389,Microsoft Remote Desktop,Microsoft Remote Desktop,Apple Mac OS Application Signing,com.microsoft.rdc.macos',
     '500,6,3389,Microsoft Remote Desktop,Microsoft Remote Desktop,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.rdc.macos',
     '500,6,4070,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
-    '500,17,68,com.docker.backend,com.docker.backend,500u,80g',
     '500,6,4317,flyctl,flyctl,,a.out',
     '500,6,4318,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
     '500,6,5053,bridge,bridge,Developer ID Application: Proton Technologies AG (6UN54H93QT),bridge',
@@ -154,6 +154,7 @@ WHERE
     '500,6,5228,Clay,Clay,Developer ID Application: Clay Software, Inc. (C68GA48KN3),com.clay.mac',
     '500,6,5228,com.adguard.mac.adguard.network-extension,com.adguard.mac.adguard.network-extension,0u,0g',
     '500,6,5228,com.adguard.mac.adguard.network-extension,com.adguard.mac.adguard.network-extension,Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension',
+    '500,6,5228,Fellow,Fellow,Developer ID Application: Fellow Insights, Inc. (2NF46HY8D8),com.electron.fellow',
     '500,6,7881,zed,zed,Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed',
     '500,6,8009,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
     '500,6,8080,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
@@ -197,9 +198,10 @@ WHERE
     '500,6,80,thunderbird,thunderbird,Defveloper ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
     '500,6,80,TIDAL Helper,TIDAL Helper,Developer ID Application: TIDAL Music AS (GK2243L7KB),com.tidal.desktop.helper',
     '500,6,80,Twitter,Twitter,Apple Mac OS Application Signing,maccatalyst.com.atebits.Tweetie2',
-    '500,6,8282,GeForceNOW,GeForceNOW,Developer ID Application: NVIDIA Corporation (6KR3T733EC),com.nvidia.gfnpc.mall',
     '500,6,80,Wavebox Helper,Wavebox Helper,Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
+    '500,6,80,WhatsApp,WhatsApp,Apple Mac OS Application Signing,net.whatsapp.WhatsApp',
     '500,6,80,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),WhatsApp',
+    '500,6,8282,GeForceNOW,GeForceNOW,Developer ID Application: NVIDIA Corporation (6KR3T733EC),com.nvidia.gfnpc.mall',
     '500,6,9123,Elgato Control Center,Elgato Control Center,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.corsair.ControlCenter',
     '500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream',
     '500,6,993,Spark Desktop Helper,Spark Desktop Helper,Developer ID Application: Readdle Technologies Limited (3L68KQB4HG),com.readdle.SparkDesktop.helper',
@@ -253,16 +255,16 @@ WHERE
       OR pos.remote_port > 1024
     )
     AND id_exception_key IN (
+      'Apple Mac OS Application Signing,com.buildtoconnect.screenrecorder',
       'Apple Mac OS Application Signing,com.microsoft.OneDrive-mac',
       'Apple Mac OS Application Signing,com.ookla.speedtest-macos',
-      'Apple Mac OS Application Signing,com.buildtoconnect.screenrecorder',
-      'Developer ID Application: AMZN Mobile LLC (94KV3E626L),lima__bin__limactl',
+      'Apple Mac OS Application Signing,net.whatsapp.WhatsApp',
       'Apple Mac OS Application Signing,net.whatsapp.WhatsApp.ServiceExtension',
       'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension',
       'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.AdobeResourceSynchronizer',
       'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.lightroomCC',
-      'Developer ID Application: NVIDIA Corporation (6KR3T733EC),com.nvidia.nvcontainer',
       'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
+      'Developer ID Application: AMZN Mobile LLC (94KV3E626L),lima__bin__limactl',
       'Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.cst.net.dci.dci-network-extension',
       'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
       'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
@@ -271,35 +273,38 @@ WHERE
       'Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
       'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
       'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
+      'Developer ID Application: Fellow Insights, Inc. (2NF46HY8D8),com.electron.fellow',
       'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher',
       'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.UE4EditorServices',
       'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fctupdate',
-      'Developer ID Application: NVIDIA Corporation (6KR3T733EC),com.nvidia.nvcontainer',
       'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
       'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
       'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.GoogleUpdater',
       'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
       'Developer ID Application: GUILHERME RAMBO (8C7439RJLG),codes.rambo.AirBuddy.MobileDevicesService',
       'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop',
-      'Developer ID Application: SURFSHARK LTD (YHUG37CKN8),com.surfshark.vpnclient.macos.direct',
       'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
       'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.teams2.helper',
       'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
       'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',
       'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
       'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefoxdeveloperedition',
       'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
+      'Developer ID Application: NVIDIA Corporation (6KR3T733EC),com.nvidia.nvcontainer',
       'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R),at.obdev.littlesnitch.networkextension',
       'Developer ID Application: Opera Software AS (A2P9LX4JPN),com.operasoftware.Opera.helper',
       'Developer ID Application: Oracle America, Inc. (VB5E2TV963),net.java.openjdk.java',
       'Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
       'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W),com.privateinternetaccess.vpn',
       'Developer ID Application: Red Hat, Inc. (HYSCB8KRL2),gvproxy',
       'Developer ID Application: Shanghai Lunkuo Technology Co., Ltd (T3UBR9Y3B2),com.bambulab.bambu-studio',
+      'Developer ID Application: Signal Messenger, LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
       'Developer ID Application: Skype Communications S.a.r.l (AL798K98FX),com.skype.skype.Helper',
       'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
       'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
       'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
+      'Developer ID Application: TeamDev Ltd. (K436KHQ6D5),com.teamdev.Chromium',
+      'Developer ID Application: SURFSHARK LTD (YHUG37CKN8),com.surfshark.vpnclient.macos.direct',
       'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
       'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.camtasia2024',
       'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2020',

detection/credentials/unexpected-dev-opener-linux.sql

@@ -131,7 +131,6 @@ WHERE
     '/dev/input,systemd',
     '/dev/input,systemd-logind',
     '/dev/input,thermald',
-    '/dev/shm,msedge',
     '/dev/input,upowerd',
     '/dev/input,Xorg',
     '/dev/net,tailscaled',
@@ -150,6 +149,7 @@ WHERE
     '/dev/shm,java',
     '/dev/shm,jcef_helper',
     '/dev/shm,Melvor Idle',
+    '/dev/shm,msedge',
     '/dev/shm,osqueryd',
     '/dev/shm,reaper',
     '/dev/shm,slack',
@@ -204,12 +204,12 @@ WHERE
     '/dev/sda,ntfs-3g',
     '/dev/shm/envoy_shared_memory_1,envoy',
     '/dev/tpmrm,launcher',
-    '/dev/udmabuf,gnome-shell-portal-helper',
     '/dev/tty,agetty',
     '/dev/tty,gdm-wayland-session',
     '/dev/tty,gdm-x-session',
     '/dev/tty,systemd-logind',
     '/dev/tty,Xorg',
+    '/dev/udmabuf,gnome-shell-portal-helper',
     '/dev/uhid,bluetoothd',
     '/dev/uinput,bluetoothd',
     '/dev/usb/hiddev,apcupsd',
@@ -224,6 +224,7 @@ WHERE
     '/dev/video,firefox',
     '/dev/video,firefox-bin',
     '/dev/video,guvcview',
+    '/dev/video,msedge',
     '/dev/video,obs',
     '/dev/video,obs-ffmpeg-mux',
     '/dev/video,pipewire',

detection/discovery/unexpected-bpf-user.sql

@@ -39,6 +39,7 @@ WHERE
   AND p.path NOT IN (
     '/usr/bin/qemu-system-x86_64',
     '/usr/lib/systemd/systemd',
+    '/var/opt/Elastic/Endpoint/elastic-endpoint',
     '/opt/Elastic/Endpoint/elastic-endpoint'
   )
   AND p.cmdline != '/usr/bin/python3 /usr/sbin/execsnoop-bpfcc'

detection/evasion/hidden-executable.sql

@@ -54,6 +54,7 @@ WHERE
   AND NOT f.directory LIKE '%/.config/nvm/%/bin'
   AND NOT f.directory LIKE '%/.cursor/%'
   AND NOT f.directory LIKE '%/.deno/bin'
+  AND NOT f.directory LIKE '%/thinkorswim/.install4j/jre.bundle/Contents/Home/bin'
   AND NOT f.directory LIKE '%/.devpod/contexts/%'
   AND NOT f.directory LIKE '%/.linuxbrew/Cellar/%/bin'
   AND NOT f.directory LIKE '%/.docker/cli-plugins'

detection/evasion/name_path_mismatch.sql

@@ -76,16 +76,17 @@ WHERE
   ) -- Extremely common and unpredictable process name setters
   AND NOT base_letters IN (
     'bash',
-    'dash',
     'busybox',
+    'dash',
     'electron',
     'firefox',
+    'gjs',
     'node',
-    'vim',
     'perl',
     'python',
     'ruby',
-    'thunderbird'
+    'thunderbird',
+    'vim'
   )
   AND NOT exception_key IN (
     '0,udevadm,systemd-udevd',

detection/evasion/parent-missing-from-disk-linux.sql

@@ -61,6 +61,7 @@ WHERE
     '/usr/bin/kitty',
     '/usr/lib/electron22/electron',
     '/usr/bin/osqueryd',
+    '/usr/bin/make',
     '/usr/bin/ninja',
     '/usr/bin/cmake',
     '/usr/libexec/gvfsd',
@@ -82,6 +83,8 @@ WHERE
   AND NOT p1.name IN (
     'bash',
     'dnf',
+    'ninja',
+    'make',
     'electron',
     'gnome-terminal',
     'fish',

detection/evasion/ssh-notty.sql

@@ -51,4 +51,5 @@ WHERE
   AND child_name NOT IN ('', 'zfs')
   AND child_cmd NOT LIKE '%osquery-defense-kit%make verify'
   AND grandchild_cmd NOT LIKE '%osquery-defense-kit%make verify'
+  AND grandchild_name NOT IN ('unison')
   AND cmd != 'sshd: docker@notty'

detection/evasion/unexpected-etc-executables.sql

@@ -155,6 +155,7 @@ WHERE
   )
   AND file.path NOT IN (
     '/etc/auto.net',
+    '/etc/auto.smb',
     '/etc/cloud/clean.d/99-installer',
     '/etc/cloud/clean.d/99-installer-use-networkmanager',
     '/etc/grub2.cfg',

detection/evasion/unusual-process-name-linux.sql

@@ -97,6 +97,7 @@ WHERE
   AND p0.path NOT LIKE "/nix/store/%"
   AND basename NOT IN (
     "acpid",
+    "busybox",
     "com.docker.backend",
     "com.docker.build",
     "com.docker.extensions",

detection/execution/exotic-commands-linux.sql

@@ -121,12 +121,13 @@ WHERE
       p0.cmdline LIKE '%sh -i'
       AND NOT p0.path = '/usr/bin/docker'
       AND NOT p1.name IN (
-        'sh',
-        'java',
-        'containerd-shim',
         'code',
-        'goland',
+        'containerd-shim',
         'emacs',
+        'goland',
+        'java',
+        'pycharm',
+        'sh',
         'vim',
         'vim.nox'
       )

detection/execution/recently-created-executables-long-lived-linux.sql

@@ -61,6 +61,7 @@ WHERE
     '/opt/Lens/chrome_crashpad_handler',
     '/opt/Lens/lens',
     '/opt/sublime_text/sublime_text',
+    '/usr/lib64/discord/Discord',
     '/usr/lib64/electron/electron',
     '/usr/lib64/firefox/firefox',
     '/usr/lib64/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
@@ -78,6 +79,7 @@ WHERE
     '/usr/libexec/fwupd/fwupd',
     '/usr/libexec/gnome-shell-calendar-server',
     '/usr/libexec/gstreamer-1.0/gst-plugin-scanner',
+    '/usr/libexec/gvfsd-metadata',
     '/usr/libexec/ibus-dconf',
     '/usr/libexec/ibus-engine-simple',
     '/usr/libexec/ibus-extension-gtk3',
@@ -92,7 +94,6 @@ WHERE
     '/usr/lib/fwupd/fwupd',
     '/usr/lib/gdm',
     '/usr/lib/gdm-session-worker',
-    '/usr/lib64/discord/Discord',
     '/usr/lib/gdm-x-session',
     '/usr/lib/gnome-shell-calendar-server',
     '/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin/python3',

detection/execution/unexpected-env-values-macos.sql

@@ -26,7 +26,8 @@ WHERE -- This time should match the interval
   p.start_time > (strftime('%s', 'now') - 60)
   AND (
     key = 'HISTFILE'
-    AND NOT VALUE LIKE '/Users/%/.%_history'
+    AND NOT value LIKE '/Users/%/.%_history'
+    AND NOT value = '~/.tramp_history'
   )
   OR (
     key = 'LD_PRELOAD'

detection/execution/unexpected-execdir-macos.sql

@@ -134,28 +134,30 @@ WHERE
     '~/.steampipe/',
     '~/.supermaven/',
     '~/.tflint.d/',
+    '~/thinkorswim/',
     '~/.Trash/',
     '~/.vscode/',
     '~/.vs-kubernetes/',
     '~/workspace/'
   )
   AND NOT top3_homedir IN (
+    '~/anaconda3/Anaconda-Navigator.app/Contents/',
+    '~/.cache/selenium/chromedriver/',
     '/Library/Application Support/EcammLive',
-    '/Library/Developer/Xcode/',
-    '/opt/rapid7/ir_agent',
-    '~/.local/share/bob/',
-    '~/.local/share/nvim/',
-    '~/.terraform.d/plugin-cache/registry.terraform.io/',
     '~/Library/Arduino15/packages/',
-    '~/Library/Caches/Cypress/',
-    '~/Library/Caches/JetBrains/',
     '~/Library/Caches/com.grammarly.ProjectLlama/',
     '~/Library/Caches/com.mimestream.Mimestream/',
     '~/Library/Caches/com.sempliva.Tiles/',
+    '~/Library/Caches/Cypress/',
+    '~/Library/Caches/JetBrains/',
     '~/Library/Caches/org.gpgtools.updater/',
     '~/Library/Caches/snyk/',
+    '/Library/Developer/Xcode/',
     '~/Library/Services/UE4EditorServices.app/',
-    '~/anaconda3/Anaconda-Navigator.app/Contents/'
+    '~/.local/share/bob/',
+    '~/.local/share/nvim/',
+    '/opt/rapid7/ir_agent',
+    '~/.terraform.d/plugin-cache/registry.terraform.io/'
   )
   AND dir NOT LIKE '/Applications/%'
   AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS'