Josh Brower defensivedepth

event.dataset: "dce_rpc" | groupby source.ip destination.ip event.module event.dataset dce_rpc.operation
defensivedepth / CIS-Benchmark-diff.py
Created November 22, 2023 12:15
CIS-Benchmark-Diff
# This script takes two CIS Benchmark PDFs as input and diffs them
# For example: It will generate a diff of the Win10 & W11 benchmarks
import fitz # PyMuPDF
import re
import difflib
import sys
from datetime import datetime
def is_start_of_new_item(line):
defensivedepth / osquery-compromised-mega-chrome-ext.sql
Last active March 30, 2024 12:47
osquery query to find systems that have the compromised Mega Chrome Extension installed
-- Joins the chrome_extensions and users tables and looks for the Mega Chrome extension identifier
-- together with the specific compromised version number. Consider also running it without the
-- version filter, to find every user with the Mega extension installed and get it removed before
-- it updates to the compromised version.
SELECT users.username, chrome_extensions.name, chrome_extensions.version, chrome_extensions.path
FROM chrome_extensions
JOIN users ON users.uid = chrome_extensions.uid
WHERE chrome_extensions.identifier = 'bigefpfhnfcobdlfbedofhhaibnlghod'
  AND chrome_extensions.version = '3.39.4';