defensivedepth/ATC-Chrome_History

## ATC-Chrome_History
# @DefensiveDepth
# One-liner that runs osqueryi with ATC configuration to read in the chrome history file, export as json and curl the json to an API endpoint. Requires the osqueryi binary on the endpoint.

# Further reading & reference:
# ATC - https://blog.kolide.com/build-custom-osquery-tables-using-atc-ab112a30674c
# SQLite queries for Chrome, Safari, Firefox, etc - https://gist.github.com/dropmeaword/9372cbeb29e8390521c2#browser-histories

# echo the ATC (Automatic Table Construction) configuration to /tmp/config - the path is for MacOS.
   echo '{"auto_table_construction":{"chrome_history":{"query":"SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls","path":"/Users/%/Library/Application\\ Support/Google/Chrome/Default/History","columns":["last_visited","url","title","visit_count"]}}}' > /tmp/config \

# Run osqueryi with the ATC configuration with the relevant query; output to json
   | osqueryi --config_path /tmp/config --json " select system_info.hostname,chrome_history.last_visited,chrome_history.url from chrome_history  cross join system_info limit 3;" \

 # Curl json to API endpoint - swap out endpoint before using!
   | curl -d @- https://webhook.site/f7c01e37-7ecf-45e1-bc80-5bd7530d67da


#Full command with no newlines
  echo '{"auto_table_construction":{"chrome_history":{"query":"SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls","path":"/Users/%/Library/Application\\ Support/Google/Chrome/Default/History","columns":["last_visited","url","title","visit_count"]}}}' > /tmp/config | osqueryi --config_path /tmp/config --json " select system_info.hostname,chrome_history.last_visited,chrome_history.url from chrome_history  cross join system_info limit 3;" | curl -d @- https://webhook.site/f7c01e37-7ecf-45e1-bc80-5bd7530d67da
	# @DefensiveDepth
	# One-liner that runs osqueryi with ATC configuration to read in the chrome history file, export as json and curl the json to an API endpoint. Requires the osqueryi binary on the endpoint.

	# Further reading & reference:
	# ATC - https://blog.kolide.com/build-custom-osquery-tables-using-atc-ab112a30674c
	# SQLite queries for Chrome, Safari, Firefox, etc - https://gist.github.com/dropmeaword/9372cbeb29e8390521c2#browser-histories

	# echo the ATC (Automatic Table Construction) configuration to /tmp/config - the path is for MacOS.
	echo '{"auto_table_construction":{"chrome_history":{"query":"SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls","path":"/Users/%/Library/Application\\ Support/Google/Chrome/Default/History","columns":["last_visited","url","title","visit_count"]}}}' > /tmp/config \

	# Run osqueryi with the ATC configuration with the relevant query; output to json
	\| osqueryi --config_path /tmp/config --json " select system_info.hostname,chrome_history.last_visited,chrome_history.url from chrome_history cross join system_info limit 3;" \

	# Curl json to API endpoint - swap out endpoint before using!
	\| curl -d @- https://webhook.site/f7c01e37-7ecf-45e1-bc80-5bd7530d67da


	#Full command with no newlines
	echo '{"auto_table_construction":{"chrome_history":{"query":"SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls","path":"/Users/%/Library/Application\\ Support/Google/Chrome/Default/History","columns":["last_visited","url","title","visit_count"]}}}' > /tmp/config \| osqueryi --config_path /tmp/config --json " select system_info.hostname,chrome_history.last_visited,chrome_history.url from chrome_history cross join system_info limit 3;" \| curl -d @- https://webhook.site/f7c01e37-7ecf-45e1-bc80-5bd7530d67da