@jamesspi
jamesspi / xzvuln-macos.sql
Created March 30, 2024 21:18
OSQuery To Check for XZ and liblzma - macOS
SELECT 'Homebrew Package' AS source, name, version,
CASE
WHEN version LIKE '5.6.0%' OR version LIKE '5.6.1%' THEN 'Potentially Vulnerable'
ELSE 'Most likely not vulnerable'
END AS status
FROM homebrew_packages
WHERE name = 'xz' OR name = 'liblzma';
@jamesspi
jamesspi / xzvuln.sql
Last active April 16, 2024 15:16
OSQuery To Check for XZ and liblzma - *nix
SELECT 'DEB Package' AS source, name, version,
CASE
WHEN version LIKE '5.6.0%' OR version LIKE '5.6.1%' THEN 'Potentially Vulnerable'
ELSE 'Most likely not vulnerable'
END AS status
FROM deb_packages
WHERE name = 'xz-utils' OR name = 'liblzma' OR name LIKE 'liblzma%'
UNION
SELECT 'RPM Package' AS source, name, version,
CASE
@jamesspi
jamesspi / driverload.json
Created March 24, 2023 22:24
Driver Load Event
{
"agent": {
"id": "b5780efb-e2e8-42f2-9221-b8e93f2db369",
"type": "endpoint",
"version": "8.6.2"
},
"process": {
"Ext": {
"ancestry": [
"YjU3ODBlZmItZTJlOC00MmYyLTkyMjEtYjhlOTNmMmRiMzY5LTAtMTY3ODkzOTIxOS4yNTI4MzAw"