Forked from defensivedepth/osquery-compromised-mega-chrome-ext.sql
Created
March 30, 2024 12:47
-
-
Save kingjay66/c62aa60d9dafe9af8d7d454c0b5e2948 to your computer and use it in GitHub Desktop.
osquery query to find systems that have the compromised Mega Chrome Extension installed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- Joins chrome_extension and users table, looks for Mega chrome identifier and specific version number; should also consider running without the version number, to find all users with Mega extension installed and then get it removed prior to it updating. | |
| SELECT users.username,chrome_extensions.name,chrome_extensions.version,chrome_extensions.path FROM chrome_extensions JOIN users ON users.uid = chrome_extensions.uid where chrome_extensions.identifier = 'bigefpfhnfcobdlfbedofhhaibnlghod' and chrome_extensions.version = '3.39.4'; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment