I hereby claim:
- I am defensivedepth on github.
- I am defensivedepth (https://keybase.io/defensivedepth) on keybase.
- I have a public key whose fingerprint is 490B F7E2 AF7A BF3B A50C 4099 71D6 3317 B0E3 C693
To claim this, I am signing this object:
Josh Brower defensivedepth
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Place under /etc/logstash/custom, see here for more details: | |
| # https://github.com/Security-Onion-Solutions/security-onion/wiki/Logstash | |
| filter { | |
| if "osquery" in [tags] { | |
| json { | |
| source => message | |
| target => osquery | |
| } |
defensivedepth
/ osquery-compromised-mega-chrome-ext.sql
Last active
March 30, 2024 12:47
osquery query to find systems that have the compromised Mega Chrome Extension installed
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- Joins chrome_extension and users table, looks for Mega chrome identifier and specific version number; should also consider running without the version number, to find all users with Mega extension installed and then get it removed prior to it updating. | |
| SELECT users.username,chrome_extensions.name,chrome_extensions.version,chrome_extensions.path FROM chrome_extensions JOIN users ON users.uid = chrome_extensions.uid where chrome_extensions.identifier = 'bigefpfhnfcobdlfbedofhhaibnlghod' and chrome_extensions.version = '3.39.4'; |
defensivedepth
/ keybase.md
Created
May 31, 2015 13:10
NewerOlder