Josh Brower defensivedepth

defensivedepth / Logstash-Filter.conf
Created Feb 28, 2019
Logstash Filter for enriching osquery chrome extension data with CRXcavator (
# 2/19, @DefensiveDepth
# Logstash filter for enriching osquery chrome extension data with CRXcavator (
filter {
# Match on the field value; the field reference goes on the left and the pattern on the right
if [osquery][name] =~ /^pack_server-windows_Chrome.*/ {
# Use the http filter to query the relevant extension data using the identifier and version
# Dump the report data & headers into new fields, CE-Raw & CE-Headers
http {
defensivedepth / logstash-osquery-shipped-WEL.conf
Created Dec 21, 2018
Logstash configuration snippet for Windows eventlogs shipped by the osquery table windows_events
filter {
json {
# Do the initial JSON parse
source => "message"
target => "osquery"
mutate {
# Remove the \\x0A
defensivedepth / logstash.conf
Created Oct 17, 2018
osquery & security onion Integration
# Place under /etc/logstash/custom, see here for more details:
filter {
if "osquery" in [tags] {
json {
source => message
target => osquery
defensivedepth / osquery-compromised-mega-chrome-ext.sql
Last active Sep 5, 2018
osquery query to find systems that have the compromised Mega Chrome Extension installed
-- Joins the chrome_extensions and users tables and looks for the Mega Chrome extension identifier and the specific version number. Also consider running it without the version filter to find all users with the Mega extension installed, so it can be removed before it updates.
SELECT users.username, chrome_extensions.version, chrome_extensions.path FROM chrome_extensions JOIN users ON users.uid = chrome_extensions.uid WHERE chrome_extensions.identifier = 'bigefpfhnfcobdlfbedofhhaibnlghod' AND chrome_extensions.version = '3.39.4';

Keybase proof

I hereby claim:

  • I am defensivedepth on github.
  • I am defensivedepth ( on keybase.
  • I have a public key whose fingerprint is 490B F7E2 AF7A BF3B A50C 4099 71D6 3317 B0E3 C693

To claim this, I am signing this object:
