Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
osquery query to find systems that have the compromised Mega Chrome Extension installed
-- Joins chrome_extension and users table, looks for Mega chrome identifier and specific version number; should also consider running without the version number, to find all users with Mega extension installed and then get it removed prior to it updating.
SELECT users.username,,chrome_extensions.version,chrome_extensions.path FROM chrome_extensions JOIN users ON users.uid = chrome_extensions.uid where chrome_extensions.identifier = 'bigefpfhnfcobdlfbedofhhaibnlghod' and chrome_extensions.version = '3.39.4';
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.