@defensivedepth
Created July 19, 2019 22:45
One-liner that runs osqueryi with ATC configuration to read in the chrome history file, export as json and curl the json to an API endpoint
# @DefensiveDepth
# One-liner that runs osqueryi with ATC configuration to read in the chrome history file, export as json and curl the json to an API endpoint. Requires the osqueryi binary on the endpoint.
# Further reading & reference:
# ATC - https://blog.kolide.com/build-custom-osquery-tables-using-atc-ab112a30674c
# SQLite queries for Chrome, Safari, Firefox, etc - https://gist.github.com/dropmeaword/9372cbeb29e8390521c2#browser-histories
#
# Step 1: echo the ATC (Automatic Table Construction) configuration to /tmp/config - the path is for macOS.
# Step 2: run osqueryi with the ATC configuration and the relevant query; output as json.
# Step 3: curl the json to the API endpoint - swap out the endpoint before using!
#
# Notes on the shell: a comment line cannot sit between backslash-continued lines (the backslash joins the
# comment onto the echo line and the following "| osqueryi" then fails to parse), so the comments are kept
# above. The file write is chained with "&&" rather than a pipe, so osqueryi only starts once /tmp/config
# has been written instead of racing the echo. /tmp/config is left behind; remove it afterwards if needed.
echo '{"auto_table_construction":{"chrome_history":{"query":"SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls","path":"/Users/%/Library/Application\\ Support/Google/Chrome/Default/History","columns":["last_visited","url","title","visit_count"]}}}' > /tmp/config \
  && osqueryi --config_path /tmp/config --json "select system_info.hostname,chrome_history.last_visited,chrome_history.url from chrome_history cross join system_info limit 3;" \
  | curl -d @- https://webhook.site/f7c01e37-7ecf-45e1-bc80-5bd7530d67da
# Full command with no newlines
echo '{"auto_table_construction":{"chrome_history":{"query":"SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls","path":"/Users/%/Library/Application\\ Support/Google/Chrome/Default/History","columns":["last_visited","url","title","visit_count"]}}}' > /tmp/config && osqueryi --config_path /tmp/config --json "select system_info.hostname,chrome_history.last_visited,chrome_history.url from chrome_history cross join system_info limit 3;" | curl -d @- https://webhook.site/f7c01e37-7ecf-45e1-bc80-5bd7530d67da
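As an added example (not part of the gist), the Python below builds the same ATC configuration with json.dumps instead of hand-escaped shell quoting, and runs the gist's query against a constructed in-memory copy of Chrome's urls table to check the WebKit-epoch conversion and show the record shape osqueryi --json emits before it is posted. The urls schema, the sample rows and the single-quoted 'unixepoch' modifier are assumptions; osquery itself is not needed to run it.

```python
import json
import sqlite3

# Path from the gist; osquery expands "%" as a wildcard. A plain space needs no
# escaping inside a JSON string, unlike the hand-quoted shell one-liner.
CHROME_HISTORY = "/Users/%/Library/Application Support/Google/Chrome/Default/History"

# The gist's ATC query. Chrome stores last_visit_time as microseconds since
# 1601-01-01 (WebKit epoch); 11644473600 seconds separate it from the Unix epoch.
# 'unixepoch' is single-quoted here, SQLite's string-literal syntax (assumption).
ATC_QUERY = (
    "SELECT datetime(last_visit_time/1000000-11644473600, 'unixepoch') "
    "AS last_visited, url, title, visit_count FROM urls"
)

# Constructed sample rows shaped like Chrome's urls table, not real history.
SAMPLE_ROWS = [
    ("https://example.org/", "Example Domain", 3, 13208049900000000),  # 2019-07-19 22:45:00 UTC
    ("https://osquery.io/", "osquery", 1, 11644473600000000),          # Unix epoch 0
]


def build_atc_config(path=CHROME_HISTORY):
    """Return the ATC config as JSON; json.dumps handles every escape."""
    config = {"auto_table_construction": {"chrome_history": {
        "query": ATC_QUERY,
        "path": path,
        "columns": ["last_visited", "url", "title", "visit_count"],
    }}}
    return json.dumps(config)


def webkit_to_unix(webkit_us):
    """WebKit microseconds -> Unix seconds, integer division like SQLite's '/'."""
    return webkit_us // 1_000_000 - 11644473600


def run_atc_query(rows=SAMPLE_ROWS):
    """Run the ATC query on an in-memory urls table; return rows as the list of
    dicts osqueryi --json would produce (without the cross-joined hostname)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE urls (url TEXT, title TEXT, visit_count INTEGER, last_visit_time INTEGER)")
    con.executemany("INSERT INTO urls VALUES (?, ?, ?, ?)", rows)
    cur = con.execute(ATC_QUERY)
    names = [d[0] for d in cur.description]
    return [dict(zip(names, r)) for r in cur.fetchall()]


if __name__ == "__main__":
    print(build_atc_config())
    print(json.dumps(run_atc_query(), indent=2))
```

Writing build_atc_config() to a file and passing it with --config_path reproduces the gist's first step without the shell escaping.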