@defensivedepth
Last active March 30, 2024 12:47
osquery query to find systems that have the compromised Mega Chrome Extension installed
-- Joins the chrome_extensions and users tables and looks for the Mega Chrome extension identifier and the specific version number.
-- Also consider running it without the version number, to find all users with the Mega extension installed and get it removed before it updates.
SELECT users.username, chrome_extensions.name, chrome_extensions.version, chrome_extensions.path
FROM chrome_extensions
JOIN users ON users.uid = chrome_extensions.uid
WHERE chrome_extensions.identifier = 'bigefpfhnfcobdlfbedofhhaibnlghod'
  AND chrome_extensions.version = '3.39.4';
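
The broader sweep suggested in the comment, written out as an added example that is not part of the original gist: it drops the version filter so every Mega install is returned, and adds a column marking the installs that are on 3.39.4. The alias `is_flagged_version` and the sort order are choices made here.

```sql
-- Added example: every user profile with the Mega extension installed,
-- whatever the version, so it can be removed before it updates.
SELECT
  users.username,
  chrome_extensions.name,
  chrome_extensions.version,
  chrome_extensions.path,
  -- 1 when the install is on the version named in the gist, 0 otherwise
  CASE WHEN chrome_extensions.version = '3.39.4' THEN 1 ELSE 0 END AS is_flagged_version
FROM chrome_extensions
-- The join on users supplies a uid for each account, so extensions
-- are enumerated per user rather than only for the calling user.
JOIN users ON users.uid = chrome_extensions.uid
WHERE chrome_extensions.identifier = 'bigefpfhnfcobdlfbedofhhaibnlghod'
ORDER BY is_flagged_version DESC, users.username;
```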